2017-10-18 02:09:55

by Prakash Sangappa

[permalink] [raw]
Subject: Re: [PATCH v4] pidns: introduce syscall translate_pid



On 10/16/17 5:52 PM, Andy Lutomirski wrote:
> On Mon, Oct 16, 2017 at 3:54 PM, prakash.sangappa
> <[email protected]> wrote:
>>
>> On 10/16/2017 03:07 PM, Nagarathnam Muthusamy wrote:
>>>
>>>
>>> On 10/16/2017 02:36 PM, Andrew Morton wrote:
>>>> On Sat, 14 Oct 2017 11:17:47 +0300 Konstantin Khlebnikov
>>>> <[email protected]> wrote:
>>>>
>>>>>>>> pid_t translate_pid(pid_t pid, int source, int target);
>>>>>>>>
>>>>>>>> This syscall converts pid from source pid-ns into pid in target
>>>>>>>> pid-ns.
>>>>>>>> If pid is unreachable from target pid-ns it returns zero.
>>>>>>>>
>>>>>>>> Pid-namespaces are referred file descriptors opened to proc files
>>>>>>>> /proc/[pid]/ns/pid or /proc/[pid]/ns/pid_for_children. Negative
>>>>>>>> argument
>>>>>>>> refers to current pid namespace, same as file /proc/self/ns/pid.
>>>>>>>>
>>>>>>>> Kernel expose virtual pids in /proc/[pid]/status:NSpid, but backward
>>>>>>>> translation requires scanning all tasks. Also pids could be
>>>>>>>> translated
>>>>>>>> by sending them through unix socket between namespaces, this method
>>>>>>>> is
>>>>>>>> slow and insecure because other side is exposed inside pid namespace.
>>>>> Andrew asked why we might need this.
>>>>>
>>>>> Such conversion is required for interaction between processes across
>>>>> pid-namespaces.
>>>>> For example to identify process in container by pid file looking from
>>>>> outside.
>>>>>
>>>>> Two years ago I've solved this in project of mine with monstrous code
>>>>> which
>>>>> forks couple times just to convert pid, lucky for me performance wasn't
>>>>> important.
>>>> That's a single user who needed this a single time, and found a
>>>> userspace-based solution anyway. This is not exactly compelling!
>>>>
>>>> Is there a stronger case to be made? How does this change benefit our
>>>> users? Sell it to us!
>>> Oracle database is planning to use pid namespace for sandboxing database
>>> instances and they need an API similar to translate_pid to effectively
>>> translate process IDs from other pid namespaces. Prakash (cced in mail) can
>>> provide more details on this usecase.
>>
>> As Nagarathnam indicated, Oracle Database will be using pid namespaces and
>> needs a direct method of converting pids of processes in the pid namespace
>> hierarchy. In this use case multiple
>> nested PID namespaces will be used. The currently available mechanism are
>> not very efficient for this use case. For ex. as Konstantin described, using
>> /proc/<pid>/status would require the application to scan all the pid's
>> status files to determine the pid of given process in a child namespace.
>>
>> Use of SCM_CREDENTIALS's socket message is another way, which would require
>> every process starting inside a pid namespace to send this message and the
>> receiving process in the target namespace would have to save the converted
>> pid and reference it. This mechanism becomes cumbersome especially if the
>> application has to deal with multiple nested pid namespaces. Also, the
>> Database needs to be able to convert a thread's global pid(gettid()).
>> Passing the thread's pid(gettid()) in SCM_CREDENTIALS message requires
>> CAP_SYS_ADMIN, which is an issue.
>>
>> So having a direct method, like the API that Konstantin is proposing, will
>> work best for the Database
>> since pid of a process in any of the nested pid namespaces can be converted
>> as and when required. I think with the proposed API, the application should
>> be able to convert pid of a process or tid(gettid()) of a thread as well.
>>
>
> Can you explain what Oracle's database is planning to do with this information?

Database uses the PID to programmatically find out if the process/thread
is alive(kill 0) also send signals to the processes requesting it to
dump status/debug information and kill the processes in case of a
shutdown abort of the instance.

-Prakash.



From 1581505856271166498@xxx Tue Oct 17 11:58:36 +0000 2017
X-GM-THRID: 1581133950441644275
X-Gmail-Labels: Inbox,Category Forums