lsns: show namespaces only kept alive by open file descriptors

[hesch]

Following #1881 I updated an old question around the topic on serverfault and A.B noticed, that there is one case missing as stated in his comment.

It can happen, that a namespace is only kept alive by an open file descriptor of a program as ilustrated by A.B:

• ip netns add foo add a namespace
• sleep 999 4< /run/netns/foo & sleep 2 open the fd to the namespace in a background job
• ip netns delete foo delete the namespace (only deletes the /run/netns/foo)

Now there exists a namespace with no process running in it and it has no bind mount so it does not show up in /proc/mounts, but it is still there and could be mounted back.

To me this seems to be a rather esoteric case, but if we want to show every namespace, these namespaces should be included.

[brauner]

It's not that esoteric tbh. We keep namespaced alive by pinning them via stashed fds in container runtimes such as @lxc or even in @systemd's nspawn. :)

[masatake]

I expected that /proc/$pid/fdinfo/4 provides enough information for lsns.
However, it doesn't. lsns must do ioctl(4, NS_GET_*,...) .

Do we want to add code for scanning all fds of all processes to find nsfs files to lsns?

lsfd can take over the scanning tasks:

# lsfd -Q '(SOURCE == "nsfs") and (FD >= 0)'
COMMAND            PID USER ASSOC MODE TYPE SOURCE MNTID      INODE NAME
NetworkManager    1114 root     8  r--  REG   nsfs     3 4026531840 net:[4026531840]
NetworkManager    1114 root     9  r--  REG   nsfs     3 4026532758 mnt:[4026532758]
podman         1532759 root     7  r--  REG   nsfs  1546 4026533029 /run/netns/netns-4f5ecc46-d6a0-175c-46a8-2e4ba180b94a
sleep          2187484  jet     4  r--  REG   nsfs   901 4026533221 /
# lsfd -o PID,FD,INODE --json  -Q '(SOURCE == "nsfs") and (FD >= 0)'
{
   "lsfd": [
      {
         "pid": 1114,
         "fd": 8,
         "inode": 4026531840
      },{
         "pid": 1114,
         "fd": 9,
         "inode": 4026532758
      },{
         "pid": 1532759,
         "fd": 7,
         "inode": 4026533029
      },{
         "pid": 2187484,
         "fd": 4,
         "inode": 4026533221
      }
   ]
}

If lsns has a JSON parser, utilizing the output of lsfd may be easy.
The current lsfd can provide the only above information, but I can let lsfd do the ioctls to give more information to lsns. In this use case, lsfd doesn't have to scan memory mapping, so that we can improve the performance a bit.

[karelzak]

It sounds like overkill to use JSON (serialize and parse) to share data between utils the same package (util-linux). It will not save code (you need to maintain JSON parser) and will not save CPU time (still need to read it from /proc).

lsns already scans /proc, so all we need is readdir for /proc/#/fd/ and stat() to get st_dev (to check for nsfs) for symlinks that point to /. Yes, this is a pretty expensive way how to filter the FDs, but I guess it will be faster than calling NS_GET_ for everything.

[masatake]

@karelzak Could you assign this to me? I made a prototype of the algorithm you wrote.

[masatake]

Implemented. However, for testing the new code, I wanted to have -Q option in lsns. I'm also working on adding -Q option. A prototype runs:

# ./lsns  -Q 'TYPE == "net" and ( USER != "yamato" and USER != "rtkit" and USER != "polkitd")'                                 
        NS TYPE NPROCS   PID USER COMMAND
4026531840 net     680     1 root /usr/lib/systemd/systemd --switched-root --system --deserialize=36
4026533447 net       1  1897 root ├─gpm -m /dev/input/mice -t exps2
4026533515 net       1  1890 root ├─/usr/libexec/low-memory-monitor
4026533664 net       1 11651 root └─/usr/libexec/accounts-daemon