Re: [PATCH] s6-supervise: Optionally run child in a new pid namespace

From: Olivier Brunel <jjk_at_jjacky.com>
Date: Sat, 15 Jul 2017 22:57:52 +0200

On Sat, 15 Jul 2017 20:24:25 +0000
"John O'Meara" <john.fr.omeara_at_gmail.com> wrote:

> You can achieve a PID namespace (and others) using the unshare
> program from util-linux without patching s6. Put the following at the
> top of your run script:
>
> unshare -fp --mount-proc
>
> this also has the advantage of clearly showing which services are in
> their own namespaces when looking at a ps listing, especially for
> forest views ("ps f" or "s6-ps -H")
>

Though as Jesse explained, this requires some sort of exit/signal
proxing, which isn't the case here. Here the direct child of
s6-supervise remains the daemon itself - in its own pid ns - which is
much better.

As far as showing which services are in their own ns, most namespaces
(i.e. all but pid) won't require a fork and usually you'd get
unshare/nsenter to just exec into the daemon, again to get proper
supervision.

So FWIW I'm very much for this patch myself :) It is a linux-specific
thing, but done as it is w/ a compile-time option this shouldn't be an
issue I'd hope, and it allows simple "proper" supervision of services
running (as pid1) in their own pid ns.

So, thanks Jesse!

Cheers,
Received on Sat Jul 15 2017 - 20:57:52 UTC

This archive was generated by hypermail 2.3.0 : Sun May 09 2021 - 19:38:49 UTC