[buildd-tools-devel] Bug#637870: Bug#637870: Provide more isolation than just chroot

Roger Leigh rleigh at codelibre.net
Sun Nov 4 01:35:27 UTC 2012 

On Sat, Nov 03, 2012 at 02:03:33PM +0000, Roger Leigh wrote:
> On Mon, Aug 15, 2011 at 12:46:31PM +0200, Vincent Bernat wrote:
> > Recent Linux kernels allow more advanced isolation than just
> > chrooting. From clone(2) manpage, those possibilities exist:
> > 
> >  - CLONE_NEWPID: new PID namespace, including the fact that when the
> >    initial process dies (in case of schroot, this could be the shell),
> >    all other processes start die as well. This would be a very cool
> >    feature when starting daemons in the chroot.
> >  - CLONE_NEWNS: mentioned in bug #488225.
> >  - CLONE_NEWIPC: new IPC namespace, with complete destruction on exit
> >  - CLONE_NEWNET: new network namespace, maybe could be done later
> >    since it needs to be configured properly to be useful.
> >  - CLONE_NEWUTS: not sure when it is useful
> > 
> > CLONE_NEWPID + CLONE_NEWNS + CLONE_NEWIPC would be great!
> > 
> > I am unsure if this can be done into setup scripts but I will look at
> > it. Maybe with an helper?
> 
> On the master branch (1.7.0 development), I've now implemented
> initial unshare(2) support.  Currently limited to CLONE_NEWNET,
> but others can be added easily now the groundwork is done.
> 
> At the moment, as discussed in this report already, the way schroot
> handles sessions makes is impractical to support NEWPID and NEWNS.
> But I plan longer-term to make this possible, but this requires
> fairly significant refactoring.  We'd need to make a schroot
> session a persistent process you connect to, probably over a
> local socket, so that the pid and filesystem namespaces can
> persist.  This would actually be beneficial for a number of other
> reasons, but it's going to be a lot of work, so won't be done
> immediately.
> 
> Others that can be implemented immediately:
> NEWIPC
> CLONE_SYSVSEM
> CLONE_NEWUTS

These three are now also done.  Definable keys:

unshare.net
unshare.sysvipc
unshare.sysvsem
unshare.uts


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800

More information about the Buildd-tools-devel mailing list