python-unshare
First try at implementing current behaviour of unshare(1)
Feel free to use..
Hi,
Thanks for your help!
This is a big patch, and I am not sure what some parts of it do. Could you explain a bit?
In particular I am worried about the forking, which might break multithreaded programs. Why is that needed? It should also be mentioned in the docstring.
> This is a big patch, and I am not sure what some parts of it do. Could you explain a bit?

First the simple parts (not in chronological/patch order):
- python3 support added (and some mask_list to avoid duplication)
- get_nstype: get namespace type of a path
- unbind: unmount a bind-mounted ns path (less useful without 4 below)
The tricky part:
- unshare: add keyword arguments to mimic --ipc=file/--mount=file/--net=file/--pid=file/--uts=file/--user=file/--cgroup=file flags of unshare (unshare from util-linux 2.30.1)

> In particular I am worried about the forking, which might break multithreaded programs.

As it is now, the forking should not survive past any of the calls (i.e. the child processes should terminate before the call returns, but of course it might fail when GIL disappears).

> Why is that needed? It should also be mentioned in the docstring.

There are currently 4 fork()'s:
1. protected by `if (flags_child)`: used to do the actual unshare of namespaces that should be bind-mounted to the given paths, this is needed since the paths might not be accessible after the unshare. After the binding has been done, the parent enters the new namespace(s) with an nsenter, and the child should have terminated.
2. inside 1 above in case we have a `pid=path`, since this is the only way I have found to make /proc/self/ns/pid_for_child appear (needed to open the path needed by nsenter).
3. in case we do an unshare with CLONE_NEWPID without bind-mounting, this will make /proc/self/ns/pid_for_child for the parent process (probably not strictly needed, except for the test program).
4. Handling pre 4.11 systems that do not have the NS_GET_NSTYPE ioctl
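
For the get_nstype helper and the pre-4.11 case in item 4, an added example that is not code from this patch or from python-unshare: it asks the kernel for a namespace file's type with the NS_GET_NSTYPE ioctl and, only when the kernel answers ENOTTY, falls back to parsing the /proc symlink target. The readlink fallback, the function names and the injectable `ioctl`/`readlink` parameters are assumptions made for illustration; the thread does not say how the patch itself handles old kernels.

```python
import errno
import fcntl
import os
import re

NS_GET_NSTYPE = 0xB703  # _IO(0xb7, 0x3) from <linux/nsfs.h>, Linux >= 4.11

# Link-target prefix under /proc/<pid>/ns/ -> CLONE_* flag from <sched.h>.
CLONE_BY_NAME = {
    "mnt": 0x00020000, "cgroup": 0x02000000, "uts": 0x04000000,
    "ipc": 0x08000000, "user": 0x10000000, "pid": 0x20000000,
    "net": 0x40000000,
}
LINK_RE = re.compile(r"^([a-z]+):\[(\d+)\]$")


def nstype_from_link(target):
    """Map a readlink() result such as 'uts:[4026531838]' to a CLONE_* flag."""
    m = LINK_RE.match(target)
    if not m or m.group(1) not in CLONE_BY_NAME:
        raise ValueError("not a namespace link: %r" % (target,))
    return CLONE_BY_NAME[m.group(1)]


def get_nstype(path, ioctl=fcntl.ioctl, readlink=os.readlink):
    """Return the CLONE_* flag for the namespace file at path.

    ioctl/readlink are injectable (hypothetical parameters) so the
    old-kernel path can be exercised without an old kernel.
    """
    fd = os.open(path, os.O_RDONLY | os.O_CLOEXEC)
    try:
        return ioctl(fd, NS_GET_NSTYPE)
    except OSError as exc:
        # Pre-4.11 kernels reject the request with ENOTTY; anything else
        # (EPERM, EBADF, ...) is a real error and must not be masked.
        if exc.errno != errno.ENOTTY:
            raise
    finally:
        os.close(fd)
    # Assumed fallback: only works for /proc/<pid>/ns/* symlinks. A
    # bind-mounted namespace file is not a symlink, so readlink() raises
    # OSError(EINVAL) and the caller learns the type cannot be determined.
    return nstype_from_link(readlink(path))
```

Failing closed on any error other than ENOTTY matters here because the returned flag is what a caller would pass to setns(2); guessing the type of a path that could not be inspected would defeat that check.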