Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:4 as permitted sender) client-ip=2620:137:e000::3:4;
From:   "Eric W. Biederman" <ebiederm@xmission.com>
To:     yunhui cui <cuiyunhui@bytedance.com>
Cc:     akpm@linux-foundation.org, keescook@chromium.org,
        brauner@kernel.org, jeffxu@google.com, frederic@kernel.org,
        mcgrof@kernel.org, cyphar@cyphar.com, rongtao@cestc.cn,
        linux-kernel@vger.kernel.org,
        Linux Containers <containers@lists.linux.dev>
References: <20231011065446.53034-1-cuiyunhui@bytedance.com>
        <87sf6gcyb3.fsf@email.froward.int.ebiederm.org>
        <CAEEQ3wm8oE1dXo7AuU3gY90oF_G21OqNZwnkqhhd1-_j4wWbYQ@mail.gmail.com>
        <87r0lyad40.fsf@email.froward.int.ebiederm.org>
        <CAEEQ3wmerA8p2qpEAn9pGW5BW35777VFwabusyFTAEyaf-0JPg@mail.gmail.com>
Date:   Fri, 13 Oct 2023 23:21:10 -0500
In-Reply-To: <CAEEQ3wmerA8p2qpEAn9pGW5BW35777VFwabusyFTAEyaf-0JPg@mail.gmail.com>
        (yunhui cui's message of "Sat, 14 Oct 2023 11:41:06 +0800")
Message-ID: <87h6mt96mh.fsf@email.froward.int.ebiederm.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8BIT
Subject: Re: [External] Re: [PATCH] pid_ns: support pidns switching between
 sibling
Precedence: bulk

yunhui cui <cuiyunhui@bytedance.com> writes:

> Hi Eric，
>
> On Fri, Oct 13, 2023 at 9:04 PM Eric W. Biederman <ebiederm@xmission.com> wrote:
>>
>> yunhui cui <cuiyunhui@bytedance.com> writes:
>>
>> > Hi Eric,
>> >
>> > On Thu, Oct 12, 2023 at 11:31 AM Eric W. Biederman
>> > <ebiederm@xmission.com> wrote:
>> >>
>> >> The check you are deleting is what verifies the pid namespaces you are
>> >> attempting to change pid_ns_for_children to is a member of the tasks
>> >> current pid namespace (aka task_active_pid_ns).
>> >>
>> >>
>> >> There is a perfectly good comment describing why what you are attempting
>> >> to do is unsupportable.
>> >>
>> >>         /*
>> >>          * Only allow entering the current active pid namespace
>> >>          * or a child of the current active pid namespace.
>> >>          *
>> >>          * This is required for fork to return a usable pid value and
>> >>          * this maintains the property that processes and their
>> >>          * children can not escape their current pid namespace.
>> >>          */
>> >>
>> >>
>> >> If you pick a pid namespace that does not meet the restrictions you are
>> >> removing the pid of the new child can not be mapped into the pid
>> >> namespace of the parent that called setns.
>> >>
>> >> AKA the following code can not work.
>> >>
>> >> pid = fork();
>> >> if (!pid) {
>> >>         /* child */
>> >>         do_something();
>> >>         _exit(0);
>> >> }
>> >> waitpid(pid);
>> >
>> > Sorry, I don't understand what you mean here.
>>
>> What I mean is that if your simple patch was adopted,
>> then the classic way of controlling a fork would fail.
>>
>>         pid = fork()
>>         ^--------------- Would return 0 for both parent and child
>>         ^--------------- Look at pid_nr_ns to understand.
>>         if (!pid() {
>>                 /* child */
>>                 do_something();
>>                 _exit(0);
>>         }
>>         waitpid(pid);
>
> okay, The reason here is that pid_nr_ns has no pid in the current
> pidns of the child process, and returns 0.
> Can this also support sibling traversal?

Not without a complete redesign.

> If so, it means that the process also has a pid in its sibling's pidns.


>> For your use case there are more serious problems as well.  The entire
>> process hierarchy built would be incorrect.   Which means children
>> signaling parents when they exit would be incorrect, and that parents
>> would not be able to wait on their children.
>
> Therefore, support for slibing pidns must be added to the entire logic of pidns.
> Do you have any plans to support this,

No plans to support it.

> or what are the good reasons for not supporting it?

I see no point, it is a lot of work, and your container acceleration
still won't work.

By forking from your original processes instead of properly building
the process hierarchy.  If a pair of your original processes are doing:

	pid = fork()
	if (!pid() {
	        /* child */
                <-------------------------- clone created here
	        do_something();
	        _exit(0);
	}
        <---------------------------------- clone created here
	waitpid(pid);


Their clones won't work.  Not because the pids aren't the same, but
because the clones are not parent and child.  Which causes waitpid
not to see the other process.


I believe you want to do this sibling pid_ns fork so that you can
have copy-on-write of the anonymous pages of the original process.
Which is a completely reasonable thing to want.


For performing copy-on-write between machines we have userfaultfd.

For simply reading the pages we have process_vm_readv.

I think what you want is essentially process_vm_cow_map.  Unfortunately
no one has built that yet.

Maybe memfd is a better model to start from?  Something where you pause
process a, setup the cow in process a, and place the pages in process
b.  With the final result that either process a or process b writing
to the page will cause the copy on write to happen the and page to be
unshared.

I really think you need something that will decouple the copy-on-write
mechanism of fork from the rest of fork, so you can build a proper
process hierarchy.

Eric