Re: [PATCH v2 3/3] Make core_pattern support namespace

From: Eric W. Biederman
Date: Wed Mar 23 2016 - 16:05:13 EST

Next message: Len Brown: "Re: [PATCH 0/3] idle, Honor Hardware Disabled States"
Previous message: Len Brown: "Re: [PATCH 1/3] idle, rename MSR_NHM_SNB_PKG_CST_CFG_CTL to MSR_PKG_CST_CONFIG_CONTROL"
In reply to: Zhao Lei: "RE: [PATCH v2 3/3] Make core_pattern support namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zhao Lei <zhaolei@xxxxxxxxxxxxxx> writes:

> Hi, Eric
>
>> -----Original Message-----
>> From: Eric W. Biederman [mailto:ebiederm@xxxxxxxxxxxx]
>> Sent: Wednesday, March 23, 2016 6:43 AM
>> To: Zhao Lei <zhaolei@xxxxxxxxxxxxxx>
>> Cc: linux-kernel@xxxxxxxxxxxxxxx; containers@xxxxxxxxxxxxxxxxxxxxxxxxxx;
>> 'Mateusz Guzik' <mguzik@xxxxxxxxxx>; 'Kamezawa Hiroyuki'
>> <kamezawa.hiroyu@xxxxxxxxxxxxxx>
>> Subject: Re: [PATCH v2 3/3] Make core_pattern support namespace
>>
>> Zhao Lei <zhaolei@xxxxxxxxxxxxxx> writes:
>>
>> > Hi, Eric
>> >
>> >> -----Original Message-----
>> >> From: Eric W. Biederman [mailto:ebiederm@xxxxxxxxxxxx]
>> >> Sent: Tuesday, March 22, 2016 5:25 AM
>> >> To: Zhao Lei <zhaolei@xxxxxxxxxxxxxx>
>> >> Cc: linux-kernel@xxxxxxxxxxxxxxx; containers@xxxxxxxxxxxxxxxxxxxxxxxxxx;
>> >> 'Mateusz Guzik' <mguzik@xxxxxxxxxx>; 'Kamezawa Hiroyuki'
>> >> <kamezawa.hiroyu@xxxxxxxxxxxxxx>
>> >> Subject: Re: [PATCH v2 3/3] Make core_pattern support namespace
>> >>
>> >> Zhao Lei <zhaolei@xxxxxxxxxxxxxx> writes:
>> >>
>> >> > Hi, Eric
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Eric W. Biederman [mailto:ebiederm@xxxxxxxxxxxx]
>> >>
>> >> > Let me make a summarize:
>> >> > You think this way is not acceptable, because the pipe program is running
>> >> > in the panic-process's namespace context.
>> >>
>> >> Actually my view is that your patchset is not acceptable because it
>> >> is implemented in a way that is not backwards compatible (AKA it can
>> >> break existing configurations that remain unchanged) and your
>> >> implementation does not appear in the least safe from malicious users.
>> >>
>> >> There is also a problem that your patchset is simply buggy for what it
>> >> tries to implement, as using pid_ns_for_children and the multiple kbuild
>> >> robot emails testifies.
>> >>
>> >> > And in my view, a pipe program in the host's top level namespace is also
>> >> > a problem.
>> >> >
>> >> > Let us think a container, to make it act as a real machine, when a program
>> >> > panic, linux kernel should dump it into the container's filesystem.
>> >> >
>> >> > For the kernel, to keep the current way of forking pipe program by kthread,
>> >> > just let the pipe thread running in the container's namespace, instead the
>> >> host,
>> >> > may solve the problem in current kernel.
>> >> >
>> >> > What is your opinion?
>> >> >
>> >> > Btw, this patch is trying to solve the problem descripted in thread named:
>> >> > "piping core dump to a program escapes container" in
>> >> >
>> >>
>> http://lists.linuxfoundation.org/pipermail/containers/2015-December/036476.
>> >> html
>> >> > Maybe using a userspace tool can make container dump to anywhere,
>> >> > but for kernel ifself, it is better to solve above problem if we can.
>> >>
>> >> I think it would be great to find a way to run a core dump helper and
>> >> otherwise allow setting the core dump pattern in a container in a way
>> >> that is safe from malicious users and does not break existing setups.
>> >>
>> > So, there is following problem:
>> > 1: safe from malicious users
>> > We can try to find a way to fork process which have no relationship
>> > with the panic process.
>> > 2: Bug in patch
>> > It can be fixed, but I'd rather get a conclusion of this discussion
>> > before fix.
>> > 3: Backwards compatible
>> > It maybe the biggest problem in discussion, this patch is used to let
>> > container dump files into container, it is different with current action.
>> > Before patch:
>> > File type dump_pattern: dump to container
>> > Pipe type dump_pattern: dump to host
>> > After patch:
>> > File type dump_pattern: dump to container
>> > Pipe type dump_pattern: dump to container
>> > The second design seems better but not compatible with current kernel,
>> > but this patch can not fix to keep compatible because it is the patch's
>> > function.
>> > Maybe we can make some workagound, as:
>> > a. Add a kernel config to let the old style as default.
>> > b. keep old style, and add "||" for core_pattern, as
>> > echo "|| /root/container_dumper" >/proc/sys/kernel/core_pattern
>> > to dump to container.
>> >
>> > What is your opinion about it?
>>
>
> Thanks for detailed answer.
>
>> There are two parts to backwards compatibility.
>>
>> 1) How should core patterns that are set outside of any container be
>> treated?
>>
>> The patchset under discussion imported core patterns set outside of
>> containers into containers completely trivially changing their
>> behavior and breaking backwards compatibility. That is just not
>> acceptable.
>>
> Before this patch, setting pattern outside container will change setting
> in container.
> And after this patch, host and container are separated, they have respective
> setting, and no relationship except the container will copy host's setting
> in create.
>
> If we don't think compatibility, it may be a good idea, the container is only
> allowed to change the core_pattern by itself.
> It is strange that the core_pattern in container was changed but user/process
> in container do nothing.
>
> But just as you said, it have compatibility problem, someone maybe using
> this feature to modify core_pattern in container in host.
>
> To keep the compatibility and allow custom core_pattern in continer,
> maybe we can:
> 1: If no process setting core_pattern in container, the container's
> core_pattern keep same copy with host.
> And if core_pattern in host changed this time, the container's pattern
> changed with host.
> 2: If core_pattern in container changed by some one/process in container,
> it is separated with host, and modification in host will not affect container.
>
> What is your opinion about it?

That sounds correct. Use the core_pattern for the container if it
exists otherwise use a core_pattern for an outer container/host.

>> 2) How should core patterns inside of containers be treated?
>>
>> There are corner cases that I am not thinking of that will cause
>> regressions but I think we can reasonably assume that core patterns
>> are not set inside of containers today. Assuming that is true,
>> then setting a core pattern inside of a container is the only thing
>> that the kernel needs to detect to handle working inside of a
>> container.
>>
>> The practical question I see for this case is which parent process
>> needs to be used for your core dump helper, and which set of
>> namespaces that parent helper has.
>>
>> I will also remind people thinking about these issues that containers
>> can be run recursisvely.
>>
> Got it.
> I'll try to find a way.

Eric

Next message: Len Brown: "Re: [PATCH 0/3] idle, Honor Hardware Disabled States"
Previous message: Len Brown: "Re: [PATCH 1/3] idle, rename MSR_NHM_SNB_PKG_CST_CFG_CTL to MSR_PKG_CST_CONFIG_CONTROL"
In reply to: Zhao Lei: "RE: [PATCH v2 3/3] Make core_pattern support namespace"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]