From: Lisanna Dettwyler <lisanna.dettwyler@gmail.com>
Date: Tue, 2 Jun 2026 18:23:29 -0400
Subject: Re: Startup fd to avoid busywaits
To: Stefano Brivio <sbrivio@redhat.com>
CC: passt-dev@passt.top
List-Id: Development discussion and patches for passt

Hi Stefano,

Indeed it would be useful if the capability dropping could be modified or
moved until after the net and user namespaces were opened. I'm not that
familiar with the codebase so I'm not sure where would be the best spot for
that to be moved to or what capability needs to not be dropped.

Thanks,
Lisanna

On Tue, Jun 2, 2026 at 2:51 PM Lisanna Dettwyler <lisanna.dettwyler@gmail.com> wrote:
> Hi all,
>
> Thanks for the detailed replies! It looks like allowing it to daemonize
> and waiting on the parent works just fine. The comments in the code I
> linked are from a different developer associated with a fork of Nix, I
> think for our purposes allowing it to exit on its own is perfectly fine,
> but I'll check on this.
>
> As far as the namespace joining goes, pasta doesn't have permissions to
> join the namespaces if provided verbatim without the redirection hack, but
> let me get back to you on this also.
>
> Thanks,
> Lisanna
>
> On Wed, May 27, 2026 at 3:39 PM Stefano Brivio <sbrivio@redhat.com> wrote:
>> Hi Lisanna,
>>
>> On Wed, 27 May 2026 13:08:01 -0400
>> Lisanna Dettwyler <lisanna.dettwyler@gmail.com> wrote:
>>
>> > Hello! I would like to propose a patch that allows the invoker to pass a
>> > "ready fd" on startup that gets written to once the setup has been
>> > completed, similar to slirp4netns's `--ready-fd` flag. Currently we have to
>> > poll the interface in a loop to wait for setup to be completed, and it
>> > would be much better if we could instead block on fd activity.
>>
>> As I was implementing the first prototype of pasta, I spotted this in
>> slirp4netns and I was rather surprised because...
>>
>> > Just wanted to check if such a contribution would be welcome before putting
>> > in the work of authoring it, or if there's already a better way to wait for
>> > the interface to come up.
>>
>> ...traditionally, well-behaved UNIX daemons fork to background when
>> they're ready, and that's what pasta does.
>>
>> This fits quite naturally with typical UNIX-like tools and interfaces:
>> if you want to start pasta (as a daemon) from a script, just do:
>>
>>   [whatever comes before]
>>   pasta
>>   [whatever comes after, now that pasta is ready]
>>
>> Instead of opening a file descriptor, starting a subshell, waiting for
>> that file descriptor, etc.
>>
>> This is how other tools generally start pasta (and passt). Podman calls
>> exec.Command(), for example:
>>
>>   https://github.com/containers/common/blob/a5ccdae846b629b5ceaefa6ffd5c6511409c3487/libnetwork/pasta/pasta_linux.go#L71
>>
>> > This is our current implementation:
>> > https://github.com/NixOS/nix/pull/15919/changes#diff-2a9176262efad1ef345d882b0779646e7a5aaf9ca8db33e9da7fc408594b5377R94-R125
>>
>> Ouch, that looks rather painful. :( I read this comment, a bit above:
>>
>>     // Bring up pasta, for handling FOD networking. We don't let it daemonize
>>     // itself for process managements reasons and kill it manually when done.
>>
>> but it's not clear to me what "process managements reasons" might be.
>> Maybe we have another way to satisfy those requirements? I tried quite
>> hard to make it all as simple and as boring as possible.
>>
>> About this other comment:
>>
>>     // FIXME ideally we want a notification when pasta exits, but we cannot do
>>     // this at present [...]
>>
>> ...I think ideally the easiest would be to just let pasta terminate by
>> itself, given that you set up namespaces externally (just like Podman
>> and Docker/rootlesskit do).
>>
>> But pasta can also write a PID file, and you could pidfd_open() on its
>> PID. I think that would be much cleaner.
>>
>> While at it, a bit below:
>>
>>             // TODO these redirections are crimes. pasta closes all non-stdio file
>>             // descriptors very early and lacks fd arguments for the namespaces we
>>             // want it to join. we cannot have pasta join the namespaces via pids;
>>             // doing so requires capabilities which pasta *also* drops very early.
>>
>> ...actually, pasta explicitly supports joining namespaces via PIDs, I'm
>> not entirely sure what would prevent it in Nix. Would there be some
>> capability we need to drop a bit later?
>>
>> On that topic, you might be interested in:
>>
>>   https://bugs.passt.top/show_bug.cgi?id=204
>>
>> and, perhaps more importantly, in these points coming from the NixPak /
>> bubblewrap usage:
>>
>>   https://bugs.passt.top/show_bug.cgi?id=204#c3
>>   https://archives.passt.top/passt-user/671252c8-88f6-45b7-b719-b82786e84bb7@gnedt.at/
>>
>> I'm not opposed to a --ready-fd (and a --keep-fds) option if that
>> solves issues for you, of course, but I'd say let's make sure we're not
>> duplicating existing (maybe more robust?) mechanisms first.
>>
>> --
>> Stefano
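The two mechanisms Stefano points to, as an added example in plain Linux C that is not pasta's code and not part of this thread: readiness signalled by the foreground process exiting once setup is complete (so the caller just waits on it), and exit notification through pidfd_open() plus poll() instead of a busy loop. The helper names, the 20 ms stand-in for setup and the pipe standing in for the PID file are assumptions of this example; it needs Linux 5.3 or later.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SYS_pidfd_open
#define SYS_pidfd_open 434	/* Linux >= 5.3; same number on every architecture */
#endif
long syscall(long number, ...);	/* glibc only declares this under _GNU_SOURCE */
/* Readiness the classic daemon way (what pasta does): the child finishes its
 * setup, forks the long-running worker and exits, so the caller's waitpid()
 * returns exactly when the service is ready (no ready-fd, no polling loop).
 * The worker PID comes back over a pipe, standing in for pasta's PID file. */
static pid_t start_daemon(int run_ms)
{
	int pfd[2];
	pid_t worker = -1, child;
	if (pipe(pfd) < 0)
		return -1;
	child = fork();
	if (child == 0) {
		close(pfd[0]);
		usleep(20000);		/* stand-in for namespace and socket setup */
		worker = fork();
		if (worker == 0) {	/* background worker: "pasta" once daemonised */
			close(pfd[1]);
			usleep(run_ms * 1000);
			_exit(0);
		}
		_exit(write(pfd[1], &worker, sizeof(worker)) == (ssize_t)sizeof(worker)
		      && worker > 0 ? 0 : 1);
	}
	close(pfd[1]);
	if (child < 0 || waitpid(child, NULL, 0) < 0 ||
	    read(pfd[0], &worker, sizeof(worker)) != (ssize_t)sizeof(worker))
		worker = -1;	/* setup failed: caller gets -1, not a half-ready service */
	close(pfd[0]);
	return worker;
}

/* Exit notification without polling: pidfd_open() on the PID, then poll() blocks
 * until it terminates. Returns 1 if it exited in time, 0 on timeout, -1 on error. */
static int wait_daemon_exit(pid_t pid, int timeout_ms)
{
	int pidfd = (int)syscall(SYS_pidfd_open, pid, 0);
	struct pollfd p = { .fd = pidfd, .events = POLLIN };
	int rc = pidfd < 0 ? -1 : poll(&p, 1, timeout_ms);
	if (pidfd >= 0) close(pidfd);
	return rc < 0 ? -1 : rc;
}
```

Because the pidfd refers to the process itself rather than to a number, it cannot be fooled by PID reuse the way a kill(pid, 0) probe on a stale PID file can.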