Kirill Tkhai <ktk...@virtuozzo.com> wrote:
> Pablo, Florian, could you please provide comments on this?
> 
> On 09.04.2018 19:55, Kirill Tkhai wrote:
> > In CRIU and LXC-restore we met the situation,
> > when iptables in container can't be restored
> > because of permission denied:
> > 
> > https://github.com/checkpoint-restore/criu/issues/469
> > 
> > Containers want to restore their own net ns,
> > while they may not have their own mnt ns.
> > In this case they share host's /run/xtables.lock
> > file, but they may not have permission to open
> > it.
> > 
> > The patch makes /run/xtables.lock per-namespace,
> > i.e., to refer to the caller task's net ns.

It looks ok to me but then again the entire userspace
lock thing is an ugly band-aid :-/
