From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124])
	by passt.top (Postfix) with ESMTP id 5B56A5A0082
	for <passt-dev@passt.top>; Thu,  2 Feb 2023 11:25:20 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1675333519;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=cgr/pxrYFEJIlr/n/TJEM1FWuJvi5gCUF+5qiH6Y7Pc=;
	b=S/QQdRM9gxiUF7WcsqWFjXPjqt6hh6wTY11YgZB+wLRZfGqsuxCxpWvoyZvtnx9JgJvLHq
	FA5ZaJubUY17cUGBDAQBzqf1fhwq1WEqeZLryhyhrUS1hmOp+kcN5Uwd1eSjpCbqJOvGTm
	tr4NjDINJn3zQr2iZ1TutewOz5p0yD0=
Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com
 [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-552-l-Y7c8tzNcG7dY-iKEYFHA-1; Thu, 02 Feb 2023 05:25:10 -0500
X-MC-Unique: l-Y7c8tzNcG7dY-iKEYFHA-1
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 5890B185A794
	for <passt-dev@passt.top>; Thu,  2 Feb 2023 10:25:10 +0000 (UTC)
Received: from maya.cloud.tilaa.com (ovpn-208-4.brq.redhat.com [10.40.208.4])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 2189A112132C;
	Thu,  2 Feb 2023 10:25:10 +0000 (UTC)
Date: Thu, 2 Feb 2023 11:25:06 +0100
From: Stefano Brivio <sbrivio@redhat.com>
To: Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH] pasta: wait for netns setup before calling exec
Message-ID: <20230202112506.187d852e@elisabeth>
In-Reply-To: <20230201180116.21281-1-pholzing@redhat.com>
References: <20230201180116.21281-1-pholzing@redhat.com>
Organization: Red Hat
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.3
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-ID-Hash: QJ2NONPTECGCXQSYPO56CQCXGZ4PPIIR
X-Message-ID-Hash: QJ2NONPTECGCXQSYPO56CQCXGZ4PPIIR
X-MailFrom: sbrivio@redhat.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: passt-dev@passt.top
X-Mailman-Version: 3.3.3
Precedence: list
List-Id: Development discussion and patches for passt <passt-dev.passt.top>
Archived-At: <https://archives.passt.top/passt-dev/20230202112506.187d852e@elisabeth/>
Archived-At: <https://passt.top/hyperkitty/list/passt-dev@passt.top/message/QJ2NONPTECGCXQSYPO56CQCXGZ4PPIIR/>
List-Archive: <https://archives.passt.top/passt-dev/>
List-Archive: <https://passt.top/hyperkitty/list/passt-dev@passt.top/>
List-Help: <mailto:passt-dev-request@passt.top?subject=help>
List-Owner: <mailto:passt-dev-owner@passt.top>
List-Post: <mailto:passt-dev@passt.top>
List-Subscribe: <mailto:passt-dev-join@passt.top>
List-Unsubscribe: <mailto:passt-dev-leave@passt.top>

On Wed,  1 Feb 2023 19:01:16 +0100
Paul Holzinger <pholzing@redhat.com> wrote:

> When a user spawns a command with pasta they expect the network to be
> ready. Currently this does not work because pasta will fork/exec
> before it will setup the network config.
> 
> This patch fixes it by using a pipe to sync parent and child. The child
> will now block reading from this pipe before the exec call. The parent
> will then unblock the child only after the netns was configured.

Thanks for the patch! I'm reviewing this in a bit.

A few considerations meanwhile:

- there's actually a bigger issue (you're fixing here) than the
  namespace configuration (via netlink) itself: the tap device isn't
  ready (tap_sock_init() hasn't been called yet) when we spawn the
  command in the new namespace. Oops.

  If you're wondering: we can't just reorder things, because to complete
  the configuration phase (conf()) we need the namespace to be set up,
  and we can't initialise the tap device before it's set up

- pipes are more commonly used to transfer data around (hence the whole
  code you need to open a communication channel, check it, close it).
  Did you try with a signal? Or is there a reason why it wouldn't work?

  You could simply SIGSTOP the child, from the child itself:

	kill(getpid(), SIGSTOP);

  and send a SIGCONT to it (we already store the PID of the child in
  pasta_child_pid) once we're ready.

  SIGCONT is special in that it doesn't need CAP_KILL or the processes
  to run under the same UID -- just in the same session, so it wouldn't
  risk interfering with the isolation_*() calls.

  I haven't tested this but I think it should lead to simpler code.

-- 
Stefano