Date: Wed, 3 Jun 2026 19:29:43 +1000
From: David Gibson
To: Lisanna Dettwyler
Cc: Stefano Brivio, passt-dev@passt.top
Subject: Re: Startup fd to avoid busywaits
References: <20260527213924.2586bca5@elisabeth>
On Tue, Jun 02, 2026 at 06:23:29PM -0400, Lisanna Dettwyler wrote:
> Hi Stefano,
> 
> Indeed it would be useful if the capability dropping could be modified or
> moved until after the net and user namespaces were opened. I'm not that
> familiar with the codebase so I'm not sure where would be the best spot for
> that to be moved to or what capability needs to not be dropped.

We certainly could delay the capability drop, but whether it's wise is a
different question.  The longer we leave it, the greater attack surface
we have while still privileged.  Waiting until after the namespaces are
opened means we've at least parsed the command line, which is a fair bit
of code.  On the other hand we shouldn't have opened listening network
sockets yet, so we should have relatively little exposure to either
external or guest traffic.

> 
> Thanks,
> Lisanna
> 
> On Tue, Jun 2, 2026 at 2:51 PM Lisanna Dettwyler <
> lisanna.dettwyler@gmail.com> wrote:
> 
> > Hi all,
> >
> > Thanks for the detailed replies! It looks like allowing it to daemonize
> > and waiting on the parent works just fine. The comments in the code I
> > linked are from a different developer associated with a fork of Nix, I
> > think for our purposes allowing it to exit on its own is perfectly fine,
> > but I'll check on this.
> >
> > As far as the namespace joining goes, pasta doesn't have permissions to
> > join the namespaces if provided verbatim without the redirection hack, but
> > let me get back to you on this also.
> >
> > Thanks,
> > Lisanna
> >
> > On Wed, May 27, 2026 at 3:39 PM Stefano Brivio wrote:
> >
> >> Hi Lisanna,
> >>
> >> On Wed, 27 May 2026 13:08:01 -0400
> >> Lisanna Dettwyler wrote:
> >>
> >> > Hello! I would like to propose a patch that allows the invoker to pass a
> >> > "ready fd" on startup that gets written to once the setup has been
> >> > completed, similar to slirp4netns's `--ready-fd` flag. Currently we have to
> >> > poll the interface in a loop to wait for setup to be completed, and it
> >> > would be much better if we could instead block on fd activity.
> >>
> >> As I was implementing the first prototype of pasta, I spotted this in
> >> slirp4netns and I was rather surprised because...
> >>
> >> > Just wanted to check if such a contribution would be welcome before putting
> >> > in the work of authoring it, or if there's already a better way to wait for
> >> > the interface to come up.
> >>
> >> ...traditionally, well-behaved UNIX daemons fork to background when
> >> they're ready, and that's what pasta does.
> >>
> >> This fits quite naturally with typical UNIX-like tools and interfaces:
> >> if you want to start pasta (as a daemon) from a script, just do:
> >>
> >>   [whatever comes before]
> >>   pasta
> >>   [whatever comes after, now that pasta is ready]
> >>
> >> Instead of opening a file descriptor, starting a subshell, waiting for
> >> that file descriptor, etc.
> >>
> >> This is how other tools generally start pasta (and passt). Podman calls
> >> exec.Command(), for example:
> >>
> >> https://github.com/containers/common/blob/a5ccdae846b629b5ceaefa6ffd5c6511409c3487/libnetwork/pasta/pasta_linux.go#L71
> >>
> >> > This is our current implementation:
> >> >
> >> > https://github.com/NixOS/nix/pull/15919/changes#diff-2a9176262efad1ef345d882b0779646e7a5aaf9ca8db33e9da7fc408594b5377R94-R125
> >>
> >> Ouch, that looks rather painful. :( I read this comment, a bit above:
> >>
> >>   // Bring up pasta, for handling FOD networking. We don't let it daemonize
> >>   // itself for process managements reasons and kill it manually when done.
> >>
> >> but it's not clear to me what "process managements reasons" might be.
> >> Maybe we have another way to satisfy those requirements? I tried quite
> >> hard to make it all as simple and as boring as possible.
> >>
> >> About this other comment:
> >>
> >>   // FIXME ideally we want a notification when pasta exits, but we cannot do
> >>   // this at present [...]
> >>
> >> ...I think ideally the easiest would be to just let pasta terminate by
> >> itself, given that you set up namespaces externally (just like Podman
> >> and Docker/rootlesskit do).
> >>
> >> But pasta can also write a PID file, and you could pidfd_open() on its
> >> PID. I think that would be much cleaner.
> >>
> >> While at it, a bit below:
> >>
> >>   // TODO these redirections are crimes. pasta closes all non-stdio file
> >>   // descriptors very early and lacks fd arguments for the namespaces we
> >>   // want it to join. we cannot have pasta join the namespaces via pids;
> >>   // doing so requires capabilities which pasta *also* drops very early.
> >>
> >> ...actually, pasta explicitly supports joining namespaces via PIDs, I'm
> >> not entirely sure what would prevent it in Nix. Would there be some
> >> capability we need to drop a bit later?
> >>
> >> On that topic, you might be interested in:
> >>
> >> https://bugs.passt.top/show_bug.cgi?id=204
> >>
> >> and, perhaps more importantly, in these points coming from the NixPak /
> >> bubblewrap usage:
> >>
> >> https://bugs.passt.top/show_bug.cgi?id=204#c3
> >>
> >> https://archives.passt.top/passt-user/671252c8-88f6-45b7-b719-b82786e84bb7@gnedt.at/
> >>
> >> I'm not opposed to a --ready-fd (and a --keep-fds) option if that
> >> solves issues for you, of course, but I'd say let's make sure we're not
> >> duplicating existing (maybe more robust?) mechanisms first.
> >>
> >> --
> >> Stefano

-- 
David Gibson (he or they)	| I'll have my music baroque, and my code
david AT gibson.dropbear.id.au	| minimalist, thank you, not the other way
				| around.
http://www.ozlabs.org/~dgibson
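Stefano's two suggestions above, as an added C example that is not pasta's or Nix's code: treat the parent's exit (fork to background) as the readiness signal, then use the PID file with pidfd_open() for the exit notification instead of polling an interface in a loop. The pasta stand-in is a constructed double-forking child, the PID file path and function names are the example's own, and pidfd_send_signal() is used for the stop so the signal cannot land on a reused PID number.

```c
#define _GNU_SOURCE
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed pasta stand-in: fork the daemon part, write its PID file, then
 * exit, so the caller's waitpid() returning means "setup done". */
static int start_daemon(const char *pidfile) {
	int st;
	pid_t child = fork();
	if (child == 0) {
		pid_t d = fork();
		if (d == 0) { pause(); _exit(0); }	/* the daemon: lives until signalled */
		FILE *f = fopen(pidfile, "w");
		if (f) { fprintf(f, "%d\n", (int)d); fclose(f); }
		_exit(f && d > 0 ? 0 : 1);		/* only after the PID file is written */
	}
	return (child > 0 && waitpid(child, &st, 0) == child && WIFEXITED(st) &&
		WEXITSTATUS(st) == 0) ? 0 : -1;
}

/* PID file -> pidfd (Linux >= 5.3; raw syscall, older glibc has no wrapper).
 * Signals sent through it reach this exact process, never a recycled PID. */
static int pidfd_from_file(const char *pidfile) {
	FILE *f = fopen(pidfile, "r");
	int pid = 0;
	if (f && fscanf(f, "%d", &pid) != 1) pid = 0;
	if (f) fclose(f);
	return pid > 0 ? (int)syscall(SYS_pidfd_open, pid, 0) : -1;
}

/* 1 if the process behind pidfd exited within timeout_ms, 0 if not, -1 on error */
static int exited_within(int pidfd, int timeout_ms) {
	struct pollfd pfd = { .fd = pidfd, .events = POLLIN };
	if (poll(&pfd, 1, timeout_ms) < 0) return -1;
	return (pfd.revents & POLLIN) ? 1 : 0;
}

/* Start, confirm ready-but-running, stop via the pidfd, get the exit event. */
int ready_then_exit_demo(const char *pidfile) {
	if (start_daemon(pidfile) < 0) return 1;
	int pidfd = pidfd_from_file(pidfile); unlink(pidfile);
	if (pidfd < 0) return 2;
	if (exited_within(pidfd, 100) != 0) return 3;	/* ready, still running */
	if (syscall(SYS_pidfd_send_signal, pidfd, SIGTERM, NULL, 0) < 0) return 4;
	int r = exited_within(pidfd, 5000); close(pidfd);	/* exit event, no polling */
	return r == 1 ? 0 : 5;
}
```

The return codes tell you which step failed; a script wrapping the real pasta would replace start_daemon() with running pasta --pid and keep the rest.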