On 07.06.2013 17:34, Daniel P. Berrange wrote:
> On Thu, Jun 06, 2013 at 09:13:27AM +0100, Daniel P. Berrange wrote:
> > On Thu, Jun 06, 2013 at 10:07:26AM +0200, Richard Weinberger wrote:
> >> I'm sure in my case setns() fails because the calling thread did not open()
> >> the ns files itself.
> >
> > Do you have user namespaces enabled by chance?
> >
> >> What is the plan to make lxc-enter-namespace work?
> >> Privilege separation is nice but as of now the kernel interface (setns()) seems
> >> not to allow this.
> >> Are you forcing the kernel guys to change the interface?
> >
> > It has long worked fine on Fedora, though we do not have user namespaces
> > enabled since parts of the kernel are yet to be ported to that (XFS in
> > particular). My best guess is that user namespaces may have caused a
> > regression in this ability to call setns() from a separate process.
>
> The problem is actually that you're not allowed to call setns(fd) for a
> fd which refers to your current namespace. The fd must refer to a different
> namespace. Of course the code is opening the '/proc/$PID/ns/user' file
> even though libvirt doesn't give the container a new user namespace. The
> simplest fix is to just ignore EINVAL from setns(), since we can't easily
> figure out if the calling app's namespace matches the namespace of the
> container.

Thanks a ton for figuring that out!
Thanks,
//richard
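The fix Daniel describes, as an added C example that is not libvirt's code: the /proc/PID/ns loop with setns() EINVAL tolerated as "already a member of that namespace", with the decision split into a helper so the policy can be checked without privileges. The /proc path layout and namespace names are the kernel's interface; the function names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <unistd.h>

/* Pure decision helper (testable without privileges): returns 1 if the
 * setns() outcome (rc, errno) means "we are in the target namespace", 0 if
 * it is a real failure. EINVAL is the same-namespace case from the thread;
 * the kernel also returns EINVAL for a multithreaded or CLONE_FS-sharing
 * caller joining a user namespace, so the caller logs when it tolerates it. */
int setns_result_ok(int rc, int err)
{
    return rc == 0 || err == EINVAL;
}

/* Open /proc/<pid>/ns/<name> and setns() into it. Returns 0 on success or on
 * tolerated EINVAL, -1 (errno preserved) on any other failure. */
int enter_one_ns(pid_t pid, const char *name)
{
    char path[64];
    int fd, rc, err;
    snprintf(path, sizeof(path), "/proc/%ld/ns/%s", (long)pid, name);
    fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    rc = setns(fd, 0);  /* nstype 0: accept whatever namespace the fd refers to */
    err = errno;
    close(fd);
    if (!setns_result_ok(rc, err)) {
        errno = err;
        return -1;
    }
    if (rc < 0)
        fprintf(stderr, "%s: setns() EINVAL, assuming already a member\n", path);
    return 0;
}

/* Join the namespaces a container init process typically has. User namespace
 * first, so the later joins are permission-checked against it. */
int enter_container_namespaces(pid_t pid)
{
    static const char *names[] = { "user", "ipc", "uts", "net", "pid", "mnt" };
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        if (enter_one_ns(pid, names[i]) < 0)
            return -1;
    return 0;
}
```

Because EINVAL is also what a threaded caller gets when joining a user namespace, run the join loop from a single-threaded helper process, as lxc-enter-namespace already does.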