
I'm wondering if it's possible to join two process namespaces in Linux. To demonstrate what I mean, the following is a scenario:

  1. A process runs in its own separate namespace. Let's call this process A.

  2. Now Process A is doing its thing and I spin up another process B that is isolated within its own separate namespace.

  3. Now process A and process B have their own separate namespace but I wish to "merge" their process namespaces as one. I.e, I want Process B to be able to see A's namespace and send signals/interact with A's processes.

The use case for this is that I ultimately want to attach a container to another running container such that the attached container can interact with the running container.

I have thought about setns() but that won't work because Process B has no idea of Process A's namespace handles (/proc/PID/ns/pid) since it is also in isolation. I am trying to think what the best way to achieve this is from the host system.

This has been implemented in docker here but I can't understand the logic behind it. Some implementation aspects are also discussed here if that helps.

Thanks for your time!

    2 Answers


    When we talk about Linux namespaces we're actually talking about a number of different namespaces, all of which can be set separately:

    1. Process IDs
    2. Shared memory
    3. Networking
    4. Hostname, etc
    5. User IDs
    6. Filesystem

    When a process calls setns() or clone() with the right flags then a new namespace is spawned off with a "fake" view of the world.

    Now this can cause problems if we want to merge them back together again.

    Let's take the "process ID" namespace, because it's an easy one.

    When you create a new PID namespace the first process gets a PID of 1 inside that namespace. If you have two new namespaces then you have two processes that think they are PID 1. If you want to merge them then you have a conflict; only one of them can keep PID 1, you'll have to change the PID of the running process unexpectedly. That could have unexpected consequences.

    Similarly with IPC; two separate chunks of shared memory could have the same address inside their respective namespaces; if we try to merge them then we're going to see memory corruption (even if you changed the address of one segment, the processes would still have the old address).

    So merging two existing namespaces is fraught with peril.

    What the docker patches do is prevent a new namespace from being created when the container is started up. This is different to merging two existing containers; it happens at container start up time.


      As far as I know, there's no way to join different process namespaces. setns on a PID namespace only allows a process to spawn children in a different namespace, and that different namespace must be a descendant of the process's namespace, so I don't think this can help you.

      However, in your scenario, it looks like the two namespaces are in closely related trees. So you could do this manipulation from the common ancestor.

      The threads you cite about Docker don't discuss merging namespaces: they're about not creating a child namespace (so it stays all one big namespace).

      • Thanks for your response. Could you perhaps be kind enough to give a high level overview of what the thread I linked is actually proposing? – Commented Aug 1, 2016 at 3:44
      • @user182405 The thread about Docker? Docker normally runs the virtual environment in its own pid namespace. The thread simply proposes to refrain from creating a pid namespace. – Commented Aug 1, 2016 at 7:45
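The second answer's point, that setns() on a PID namespace only changes where the caller's *future children* are created and so the join has to be driven from a common ancestor such as the host, can be seen directly in a small program. The following is an added example written for this page, not code from either answer or from Docker. Run it as root on the host with the host PID of any process inside the target container's PID namespace. The helper names (`ns_inode`, `nspid_innermost`, `target_nspid`, `join_pid_ns_for_children`) are this example's own; it assumes a kernel that exposes the `NSpid:` line in `/proc/PID/status` (4.1+) and `/proc/PID/ns/pid_for_children` (4.12+).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case <sched.h> was included before _GNU_SOURCE took effect. */
#ifndef CLONE_NEWPID
#define CLONE_NEWPID 0x20000000
#endif
extern int setns(int fd, int nstype);

/* Inode of /proc/<entry>/ns/<ns>, where entry is "self" or a host PID and ns is "pid",
 * "pid_for_children", "net", ... Two processes share a namespace exactly when these
 * inodes are equal. Returns 0 on error (e.g. the file does not exist). */
static unsigned long ns_inode(const char *entry, const char *ns) {
    char path[96];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%s/ns/%s", entry, ns);
    return stat(path, &st) == 0 ? (unsigned long)st.st_ino : 0;
}

/* Last number on the "NSpid:" line of a /proc/PID/status text: the PID the process
 * has inside its own (innermost) PID namespace. Returns -1 if there is no NSpid line. */
static long nspid_innermost(const char *status) {
    const char *p = strstr(status, "NSpid:");
    if (!p || (p != status && p[-1] != '\n')) return -1;
    p += strlen("NSpid:");
    long last = -1;
    for (;;) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p < '0' || *p > '9') break;
        char *end;
        last = strtol(p, &end, 10);
        p = end;
    }
    return last;
}

/* Read /proc/<pid>/status as seen from the host and return the PID that <pid>
 * calls itself inside its own namespace, or -1 on error. */
static long target_nspid(pid_t pid) {
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return nspid_innermost(buf);
}

/* Make the caller's future children be created inside the PID namespace of <target>.
 * The caller's own PID and namespace are untouched: setns(CLONE_NEWPID) only changes
 * /proc/self/ns/pid_for_children. Needs CAP_SYS_ADMIN in the target's user namespace. */
static int join_pid_ns_for_children(pid_t target) {
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/ns/pid", (int)target);
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, CLONE_NEWPID);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s HOST_PID_OF_TARGET\n", argv[0]); return 2; }
    pid_t target = (pid_t)atoi(argv[1]);
    long inner = target_nspid(target);           /* the target's PID inside its namespace */
    if (inner < 0) { perror("read NSpid"); return 1; }

    if (join_pid_ns_for_children(target) != 0) { perror("setns(CLONE_NEWPID)"); return 1; }
    printf("parent: pid %d, own pid ns %lu (unchanged), children get ns %lu, target's ns %lu\n",
           (int)getpid(), ns_inode("self", "pid"), ns_inode("self", "pid_for_children"),
           ns_inode(argv[1], "pid"));

    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* The child lives in the target's PID namespace: getpid() is a namespace-local
         * number and kill() addresses the target by its namespace-local PID. Signal 0
         * only probes whether the target can be signalled, it sends nothing. */
        printf("child: pid %d in ns %lu; kill(%ld, 0) -> %s\n", (int)getpid(),
               ns_inode("self", "pid"), inner,
               kill((pid_t)inner, 0) == 0 ? "reachable" : strerror(errno));
        _exit(0);
    }
    int status;
    waitpid(child, &status, 0);                   /* the parent still sees the host PID */
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The parent's `/proc/self/ns/pid` inode stays the same before and after the `setns()` call; only `pid_for_children` moves to the target's namespace, and the forked child is the process that actually lands inside it. This is also why the step has to run from the host (or another ancestor that can open `/proc/PID/ns/pid` of the target): process B, inside its own isolated namespace, has no path to that file and no way to name A's PID. Replace the `kill(..., 0)` probe with a real signal, or `execve()` a shell in the child, to get the "attach" behaviour the question is after.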
