On Sat, Nov 03, 2012 at 02:03:33PM +0000, Roger Leigh wrote:
> On Mon, Aug 15, 2011 at 12:46:31PM +0200, Vincent Bernat wrote:
> > Recent Linux kernels allow more advanced isolation than just
> > chrooting. From the clone(2) manpage, those possibilities exist:
> >
> > - CLONE_NEWPID: new PID namespace, including the fact that when the
> >   initial process dies (in case of schroot, this could be the shell),
> >   all other processes start to die as well. This would be a very cool
> >   feature when starting daemons in the chroot.
> > - CLONE_NEWNS: mentioned in bug #488225.
> > - CLONE_NEWIPC: new IPC namespace, with complete destruction on exit
> > - CLONE_NEWNET: new network namespace, maybe could be done later
> >   since it needs to be configured properly to be useful.
> > - CLONE_NEWUTS: not sure when it is useful
> >
> > CLONE_NEWPID + CLONE_NEWNS + CLONE_NEWIPC would be great!
> >
> > I am unsure if this can be done into setup scripts but I will look at
> > it. Maybe with a helper?
>
> On the master branch (1.7.0 development), I've now implemented
> initial unshare(2) support. Currently limited to CLONE_NEWNET,
> but others can be added easily now the groundwork is done.
>
> At the moment, as discussed in this report already, the way schroot
> handles sessions makes it impractical to support NEWPID and NEWNS.
> But I plan longer-term to make this possible, but this requires
> fairly significant refactoring. We'd need to make a schroot
> session a persistent process you connect to, probably over a
> local socket, so that the pid and filesystem namespaces can
> persist. This would actually be beneficial for a number of other
> reasons, but it's going to be a lot of work, so won't be done
> immediately.
>
> Others that can be implemented immediately:
> NEWIPC
> CLONE_SYSVSEM
> CLONE_NEWUTS
These three are now also done.

Definable keys:

unshare.net
unshare.sysvipc
unshare.sysvsem
unshare.uts

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild           http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key               F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
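As an added example (not code from schroot or from either mail above), a C program that maps the four keys listed above to the unshare(2) flags they name, parses a constructed schroot.conf-style fragment into a flag mask, and then unshares, comparing the /proc/self/ns/uts inode before and after to confirm the process got a fresh UTS namespace. The key-to-flag mapping and the `key=true` line format are this example's assumptions, and the unshare call itself needs CAP_SYS_ADMIN in the caller's user namespace.

```c
#include <linux/sched.h>   /* CLONE_NEWNET, CLONE_NEWIPC, CLONE_SYSVSEM, CLONE_NEWUTS */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Map one schroot key to the unshare(2) flag it selects (0 if unknown).
 * Which flag each key requests is this example's assumption, not schroot's code. */
static int unshare_flag_for_key(const char *key)
{
    if (strcmp(key, "unshare.net") == 0)     return CLONE_NEWNET;
    if (strcmp(key, "unshare.sysvipc") == 0) return CLONE_NEWIPC;
    if (strcmp(key, "unshare.sysvsem") == 0) return CLONE_SYSVSEM;
    if (strcmp(key, "unshare.uts") == 0)     return CLONE_NEWUTS;
    return 0;
}

/* Parse newline-separated "key=value" lines; only "key=true" adds to the mask. */
static int unshare_flags_from_config(const char *cfg)
{
    int flags = 0;
    char key[64], val[16];
    for (const char *p = cfg; *p; ) {
        const char *eol = strchr(p, '\n');
        if (sscanf(p, "%63[^=\n]=%15[^\n]", key, val) == 2 && strcmp(val, "true") == 0)
            flags |= unshare_flag_for_key(key);
        if (!eol) break;        /* last line had no trailing newline */
        p = eol + 1;
    }
    return flags;
}

int main(void)
{
    /* Constructed schroot.conf-style fragment for this example only. */
    const char *cfg = "unshare.net=true\nunshare.uts=true\nunshare.sysvipc=false\n";
    int flags = unshare_flags_from_config(cfg);
    struct stat before, after;
    stat("/proc/self/ns/uts", &before);
    /* Raw syscall behind the unshare(2) wrapper; without CAP_SYS_ADMIN in
     * the caller's user namespace the kernel refuses it with EPERM. */
    if (syscall(SYS_unshare, flags) == -1) { perror("unshare"); return 1; }
    stat("/proc/self/ns/uts", &after);
    /* A changed inode shows this process now owns a private UTS namespace. */
    printf("uts ns inode: %lu -> %lu\n", (unsigned long)before.st_ino, (unsigned long)after.st_ino);
    return 0;
}
```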