Kirill Tkhai <ktk...@virtuozzo.com> wrote:
> Pablo, Florian, could you please provide comments on this?
>
> On 09.04.2018 19:55, Kirill Tkhai wrote:
> > In CRIU and LXC-restore we met the situation
> > when iptables in a container can't be restored
> > because of permission denied:
> >
> > https://github.com/checkpoint-restore/criu/issues/469
> >
> > Containers want to restore their own net ns,
> > while they may not have their own mnt ns.
> > In this case they share the host's /run/xtables.lock
> > file, but they may not have permission to open
> > it.
> >
> > The patch makes /run/xtables.lock per-namespace,
> > i.e., it refers to the caller task's net ns.
It looks ok to me but then again the entire userspace lock thing is an ugly band aid :-/
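For readers who have not looked at what the "userspace lock" actually is, here is an added example (not code from this thread, not the iptables source, and not Kirill's patch) that re-creates the pattern iptables uses: open a lock file, take an exclusive flock() on it around every table fetch/replace, and release it by closing the fd. Real iptables hardcodes /run/xtables.lock and retries only with -w; this version takes the path and wait time as parameters so it can be exercised on a scratch file, and it keeps the two failure modes apart, since they are what the CRIU report turns on: open() itself being refused (a container that shares the host's mnt ns but not its uid mapping gets EACCES on the host-created 0600 file) versus the lock simply being held by another iptables. The function name xtables_lock_at, the return codes and the 200 ms retry interval are this example's own choices, and the fatal message in main() only imitates the style of iptables' output.

```c
/*
 * Added example: a minimal re-creation of the iptables userspace table
 * lock (/run/xtables.lock + flock). Not the iptables source.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
#include <time.h>
#include <unistd.h>

#define XTL_OPEN_FAILED (-1)  /* open(2) refused: errno is EACCES, ENOENT, ... */
#define XTL_BUSY        (-2)  /* another holder kept LOCK_EX for the whole wait */
#define XTL_LOCK_FAILED (-3)  /* flock(2) failed for a reason other than busy */

/*
 * Take the exclusive lock at `path`, retrying every 200 ms for up to
 * wait_seconds (0 = a single attempt, like iptables without -w).
 * Returns the lock fd (>= 0) on success; the caller keeps it open for the
 * duration of the table operation and close()s it to release the lock.
 * On failure returns one of the negative codes above with errno set.
 */
int xtables_lock_at(const char *path, unsigned wait_seconds)
{
    const struct timespec pause = { .tv_sec = 0, .tv_nsec = 200000000L };
    struct timespec start, now;
    int fd, saved;

    /* O_CREAT with mode 0600: once the host (real root) has created the
     * file, a process that cannot open a root-owned 0600 file fails right
     * here, before any locking happens. That is the CRIU failure mode. */
    fd = open(path, O_RDONLY | O_CREAT | O_CLOEXEC, 0600);
    if (fd < 0)
        return XTL_OPEN_FAILED;

    clock_gettime(CLOCK_MONOTONIC, &start);
    for (;;) {
        /* flock() does not need write access; LOCK_NB turns contention
         * into EWOULDBLOCK so we can implement our own wait policy. */
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return fd;
        if (errno != EWOULDBLOCK) {
            saved = errno;
            close(fd);
            errno = saved;
            return XTL_LOCK_FAILED;
        }
        clock_gettime(CLOCK_MONOTONIC, &now);
        if ((unsigned)(now.tv_sec - start.tv_sec) >= wait_seconds) {
            close(fd);
            errno = EWOULDBLOCK;
            return XTL_BUSY;
        }
        nanosleep(&pause, NULL);
    }
}

/* Stand-alone use: ./xtl [lock-path] [wait-seconds]. Holds the lock for a
 * few seconds so a second copy started meanwhile reports it as busy. */
int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/run/xtables.lock";
    unsigned wait = argc > 2 ? (unsigned)atoi(argv[2]) : 0;
    int fd = xtables_lock_at(path, wait);

    if (fd == XTL_OPEN_FAILED || fd == XTL_LOCK_FAILED) {
        fprintf(stderr, "Fatal: can't open lock file %s: %s\n",
                path, strerror(errno));
        return 1;
    }
    if (fd == XTL_BUSY) {
        fprintf(stderr, "Another process is holding %s; try -w style waiting\n",
                path);
        return 2;
    }
    printf("holding %s for 3 s\n", path);
    sleep(3);
    close(fd);  /* releases the flock */
    return 0;
}
```

Two things worth noticing when running it. First, the lock is tied to the open file description, so two open() calls in the same process conflict exactly as two processes would, which is what the test below relies on. Second, the lock path is a property of the mount namespace, while the thing it protects (the table) is a property of the net namespace; that mismatch is the whole reason a container with its own net ns but a shared mnt ns either races the host or, as in the CRIU issue, cannot open the file at all.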