Apache Mesos
ns Namespace Reference

Functions

Try< int > nstype (const std::string &ns)
 
std::set< std::string > namespaces ()
 
std::set< int > nstypes ()
 
Try< Nothing > setns (const std::string &path, const std::string &ns, bool checkMultithreaded=true)
 
Try< Nothing > setns (pid_t pid, const std::string &ns)
 
Result< ino_t > getns (pid_t pid, const std::string &ns)
 
Try< pid_t > clone (pid_t target, int nstypes, const lambda::function< int()> &f, int flags)
 Performs an os::clone after entering a set of namespaces for the specified target process.
 
std::string stringify (int flags)
 

Function Documentation

Try<pid_t> ns::clone ( pid_t  target,
int  nstypes,
const lambda::function< int()> &  f,
int  flags 
)

Performs an os::clone after entering a set of namespaces for the specified target process.

This function provides two steps of functionality: (1) Enter a set of namespaces via two fork calls. (2) Perform a clone within that set of namespaces.

Step (1) of functionality is similar to the nsenter command line utility. Step (2) allows us to perform a clone that itself might create a nested set of namespaces, which enables us to have nested containers.

Double Fork:

In order to enter a PID namespace we need to do a double fork, because doing a setns for a PID namespace only affects future children.

Moreover, attempting to setns before we do any forks and then having the parent setns back to the original namespaces does not work, because entering a deprivileged user namespace will not let us reassociate with the original namespace, even if we keep the file descriptor of the original namespace open.

Because we have to double fork we need to send back the actual PID of the final process that's executing the provided function f. We use domain sockets for this because in the event we've entered a PID namespace we need the kernel to translate the PID to the PID in our PID namespace.
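The PID hand-off described above, as an added example that is not Mesos code: the final process of a double fork writes to a Unix domain socket and the parent reads the kernel-supplied sender PID from SCM_CREDENTIALS. Assumptions: the name doubleForkReportPid and its claimed parameter are hypothetical, and no namespace is entered (that needs privileges), so both PIDs are equal here, whereas after a setns into another PID namespace the self-reported one would differ.

```cpp
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cstring>

// Returns the grandchild's PID as reported by the kernel (SCM_CREDENTIALS), or
// -1 on error. *claimed receives the PID the grandchild saw via getpid().
pid_t doubleForkReportPid(pid_t* claimed) {
  int sv[2], on = 1;
  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
  // SO_PASSCRED: attach the sender's credentials to messages we receive.
  pid_t child = setsockopt(sv[0], SOL_SOCKET, SO_PASSCRED, &on, sizeof(on)) == 0
                    ? fork() : -1;
  if (child < 0) { close(sv[0]); close(sv[1]); return -1; }
  if (child == 0) {
    close(sv[0]);
    // Assumption: a real caller would setns() into the target's namespaces
    // here; a PID namespace then applies only to the fork below.
    pid_t grandchild = fork();
    if (grandchild == 0) {
      pid_t self = getpid();  // PID in the grandchild's own PID namespace.
      _exit(write(sv[1], &self, sizeof(self)) == (ssize_t) sizeof(self) ? 0 : 1);
    }
    if (grandchild > 0) waitpid(grandchild, nullptr, 0);
    _exit(grandchild > 0 ? 0 : 1);
  }
  close(sv[1]);
  alignas(cmsghdr) char control[CMSG_SPACE(sizeof(ucred))];
  iovec iov = {claimed, sizeof(*claimed)};
  msghdr msg = {};
  msg.msg_iov = &iov;
  msg.msg_iovlen = 1;
  msg.msg_control = control;
  msg.msg_controllen = sizeof(control);
  pid_t reported = -1;
  if (recvmsg(sv[0], &msg, 0) == (ssize_t) sizeof(*claimed)) {
    for (cmsghdr* c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
      if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_CREDENTIALS) continue;
      ucred cred;
      memcpy(&cred, CMSG_DATA(c), sizeof(cred));
      reported = cred.pid;  // Translated by the kernel into our PID namespace.
    }
  }
  close(sv[0]);
  waitpid(child, nullptr, 0);
  return reported;
}
```

The value taken from the control message is the one to trust: the payload is whatever the sender chose to write, while the credentials are filled in by the kernel.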

Parameters
target: Target process whose namespaces we should enter.
nstypes: Namespaces we should enter.
f: Function to invoke after entering the namespaces and cloning.
flags: Flags to pass to clone.
Returns
pid_t of the child process.
Result<ino_t> ns::getns ( pid_t  pid,
const std::string &  ns 
)
std::set<std::string> ns::namespaces ( )
Try<int> ns::nstype ( const std::string &  ns)
std::set<int> ns::nstypes ( )
Try<Nothing> ns::setns ( const std::string &  path,
const std::string &  ns,
bool  checkMultithreaded = true 
)
Try<Nothing> ns::setns ( pid_t  pid,
const std::string &  ns 
)
std::string ns::stringify ( int  flags)