Received-SPF: pass (google.com: domain of linux-kernel+bounces-86906-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249;
Precedence: bulk
MIME-Version: 1.0
References: <20240222160915.315255-1-aleksandr.mikhalitsyn@canonical.com>
 <20240222160915.315255-3-aleksandr.mikhalitsyn@canonical.com>
 <Zdd8MAJJD3M11yeR@tycho.pizza> <20240223-kantholz-knallen-558beba46c62@brauner>
 <ZdoEavHorDs3IlF5@tycho.pizza> <20240226-gestrafft-pastinaken-94ff0e993a51@brauner>
 <Zdyumw6OfWBqQMTj@tycho.pizza>
In-Reply-To: <Zdyumw6OfWBqQMTj@tycho.pizza>
From: Aleksandr Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>
Date: Thu, 29 Feb 2024 16:14:06 +0100
Message-ID: <CAEivzxcVbEZtr+wPL1p+dM4r8+vFNnPoF+E-QvG_nLNHGDYJQg@mail.gmail.com>
Subject: Re: [PATCH v1 2/2] tests/pid_namespace: add pid_max tests
To: Tycho Andersen <tycho@tycho.pizza>
Cc: Christian Brauner <brauner@kernel.org>, stgraber@stgraber.org, cyphar@cyphar.com, 
	linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Mon, Feb 26, 2024 at 4:30=E2=80=AFPM Tycho Andersen <tycho@tycho.pizza> =
wrote:
>
> On Mon, Feb 26, 2024 at 09:57:47AM +0100, Christian Brauner wrote:
> > > > > A small quibble, but I wonder about the semantics here. "You can =
write
> > > > > whatever you want to this file, but we'll ignore it sometimes" se=
ems
> > > > > weird to me. What if someone (CRIU) wants to spawn a pid numbered=
 450
> > > > > in this case? I suppose they read pid_max first, they'll be able =
to
> > > > > tell it's impossible and can exit(1), but returning E2BIG from wr=
ite()
> > > > > might be more useful.
> > > >
> > > > That's a good idea. But it's a bit tricky. The straightforward thin=
g is
> > > > to walk upwards through all ancestor pid namespaces and use the low=
est
> > > > pid_max value as the upper bound for the current pid namespace. Thi=
s
> > > > will guarantee that you get an error when you try to write a value =
that
> > > > you would't be able to create. The same logic should probably apply=
 to
> > > > ns_last_pid as well.
> > > >
> > > > However, that still leaves cases where the current pid namespace wr=
ites
> > > > a pid_max limit that is allowed (IOW, all ancestor pid namespaces a=
re
> > > > above that limit.). But then immediately afterwards an ancestor pid
> > > > namespace lowers the pid_max limit. So you can always end up in a
> > > > scenario like this.
> > >
> > > I wonder if we can push edits down too? Or an render .effective file,=
 like
> >
> > I don't think that works in the current design? The pid_max value is pe=
r
> > struct pid_namespace. And while there is a 1:1 relationship between a
> > child pid namespace to all of its ancestor pid namespaces there's a 1 t=
o
> > many relationship between a pid namespace and it's child pid namespaces=
.
> > IOW, if you change pid_max in pidns_level_1 then you'd have to go
> > through each of the child pid namespaces on pidns_level_2 which could b=
e
> > thousands. So you could only do this lazily. IOW, compare and possibly
> > update the pid_max value of the child pid namespace everytime it's read
> > or written. Maybe that .effective is the way to go; not sure right now.

Hi Tycho!

>
> I wonder then, does it make sense to implement this as a cgroup thing
> instead, which is used to doing this kind of traversal?
>
> Or I suppose not, since the idea is to get legacy software that's
> writing to pid_max to work?

Yes, this is mostly for legacy software that expects host-like
behavior in the container.
I know that folks who work on running Android inside the container are
very-very interested in this.

Kind regards,
Alex

>
> Tycho