Attaching file descriptors to processes with CLONE_FD

The classic Unix system design has many advantages, but friendliness to library code is not always one of them. The problem, at its core, is the use of global structures and mechanisms that cannot be manipulated independently by an application and any libraries it may use; the file descriptor table and signal handling vectors are a couple of examples. A recently posted patch set is trying to address a little piece of this problem, but may point the way toward a larger long-term change in how processes are managed in Linux.

Consider a library that needs to create a child process with fork() and be notified when that process exits. The library cannot call wait() without blocking the entire calling process and, possibly, interfering with the reaping of any child processes created elsewhere in the application. Receiving asynchronous notifications with the SIGCHLD signal has a similar problem: there can only be one SIGCHLD handler, so catching it in the library clashes with the application's use of that signal. The need to avoid this kind of conflict with application code can greatly limit what can be done within a library.

Josh Triplett's CLONE_FD patch set is an attempt to solve that particular problem. It adds a new flag, CLONE_FD, to a variant of the clone() system call (called clone4()); if that flag is present, a successful clone4() will return a file descriptor referring to the process it just created. There is little that can be done with that descriptor by default, but, if the CLONE_AUTOREAP flag is also set, the system's behavior changes somewhat.

In particular, when a process created with CLONE_AUTOREAP exits, it will be cleaned up immediately rather than sitting in the "zombie" state until the parent process gets around to calling wait(). This behavior can be useful in its own right if the parent process is not concerned about when the child exits. If the parent does care about its child's exit, though, it can create a process file descriptor with CLONE_FD; that descriptor will become readable when the process exits. In particular, it will be possible to read a structure like:

    struct clonefd_info {
	uint32_t code;   /* Signal code */
	uint32_t status; /* Exit status or signal */
	uint64_t utime;  /* User CPU time */
	uint64_t stime;  /* System CPU time */
    };

With this mechanism in place, a library function can create a process and wait for it to complete without interfering with process management anywhere else in the program. It thus solves the problem of having to share the machinery for managing process exit information by removing that sharing and, essentially, turning a running process into a sort of "file" that can be tracked and managed exclusively by the code that knows about it.

There was one tiny little problem in the way of implementing this solution, though: there is no room for additional flags for the clone() system call. So Josh had to create a new one, which he called clone4(). The intended interface, as presented by the C library, is:

    int clone4(uint64_t flags, size_t args_size, struct clone4_args *args,
               int (*fn)(void *), void *arg);

The flags field holds the flags to the operation: the traditional clone() flags and the new ones described above. As with clone(), the child process will call fn(arg) after its creation. The args argument looks like this:

    struct clone4_args {
	pid_t *ptid;
	pid_t *ctid;
	unsigned long stack_start;
	unsigned long stack_size;
	unsigned long tls;
	int *clonefd;
	unsigned clonefd_flags;
    };

Most of these fields match arguments passed to the clone() call; they have just been moved into a separate structure. The clonefd and clonefd_flags fields are new, though; the first is a location to store the created file descriptor when CLONE_FD is passed; the second can hold the O_CLOEXEC and O_NONBLOCK flags to be applied to that file descriptor.

The size of the clone4_args structure must be passed separately in args_size. If fields must be added to this structure in the future, the passed size will allow the kernel to determine which version of the structure is in use and respond accordingly.

For completeness, the actual system call (invoked from the C library wrapper) looks like this:

    int clone4(unsigned flags_high, unsigned flags_low,
               unsigned long args_size,
               struct clone4_args *args);

At this level, clone4() behaves like fork(), returning into both the parent and child processes (but with different return values).

This functionality is useful enough, but the patch description also includes this intriguing note:

Process IDs (PIDs) are subject to a narrow race condition: a process could exit and be replaced by another using the same PID. In a system where there are many processes running and there is a lot of fork activity, the probability of short-term PID reuse is significant, especially if, as is usually the case, the range of available PIDs has not been increased beyond the traditional 32,768. A file descriptor that is attached to a process at creation time is not subject to this race, though; it should thus be safer for other processes to operate on.

Adding file-descriptor-oriented process-management system calls is a future exercise, though; for now, the CLONE_FD functionality solves the immediate problem. This patch has been through two rounds of review so far; some significant changes have been made, but the core functionality seems to be uncontroversial. One more review round seems likely to happen, though; after that, this feature could conceivably be added as early as the 4.2 development cycle.

Index entries for this article
Kernel	System calls/clone()

---

to post comments

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 1:27 UTC (Thu) by roc (subscriber, #30627) [Link] (4 responses)

Wow, just yesterday I was fighting pid-related bugs in rr and wishing for a feature exactly like this!

Even when you're not writing a library and not worried about malicious pid-wraparound attacks, wrangling pids and making sure that you wait exactly once on every child is an enormous pain. Not to mention trying to mix-and-match 'waitpid' with other kinds of waiting.

Please integrate ptrace into this and give us a reliable way to detach-and-kill a process, or better yet, specific threads!

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:06 UTC (Thu) by josh (subscriber, #17465) [Link] (3 responses)

ptrace is one of many APIs that ought to work on something other than PIDs, yeah. On the other hand, ptrace's API really needs a complete overhaul, not just a small patch.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 7, 2015 11:58 UTC (Tue) by nix (subscriber, #2304) [Link]

Yes indeed, but ptrace() is extra-annoying in that not only does it work on a thread-by-thread basis (so that only the thread that attached / seized can do anything), not only is its only existing interface waitpid() (waitid() throws away ptrace()-critical information and cannot be used!), but the ptrace-related waitpid() responses *only come to the attached thread*. This makes writing threaded programs that use ptrace, or programs that use ptrace and want to do anything else concurrently at all, a real nightmare.

There was an old waitfd() patch from Casey Dahlin that endeavoured to fix this back in 2009 (by providing a pollable fd corresponding to waitpid() results), but it was rejected on the grounds that anything you could do with waitfd() you could just do by creating a new thread and waitpid()ding from that. Because of ptrace(), this is untrue.

I reanimated this patchset for the Oracle Enterprise Kernel, but I'd be ever so glad to throw it out and use something better instead :) it has some kludges in it I am not at all proud of.

Attaching file descriptors to processes with CLONE_FD

Posted Jun 15, 2015 13:12 UTC (Mon) by tromey (guest, #49192) [Link] (1 responses)

As a former gdb developer, I'd like to say that while ptrace could use an overhaul, at the same time waiting for a total overhaul is letting the perfect be the enemy of the good. In practical terms the biggest problem with ptrace is the reporting interface, not the requesting interface. Having a PTRACE_FD request to get a file descriptor that gets status reports from the kernel would be a big improvement. It would let gdb avoid clashes with libraries that also want to muck with SIGCHLD and wait*.

Attaching file descriptors to processes with CLONE_FD

Posted Jun 16, 2015 15:05 UTC (Tue) by nix (subscriber, #2304) [Link]

Agreed! Hell, I had to pile a variant of the old waitfd() API into the oracle enterprise kernel for the sake of *one program* that wanted to do ptrace() waits while also waiting on a message-passing fd from elsewhere. No point sending it upstream -- it was already rejected on the grounds that you can always just waitpid() from another thread. Not if the waitpid() is waiting for ptrace() results you can't.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 1:43 UTC (Thu) by javispedro (guest, #83660) [Link] (6 responses)

This seems similar to Win32's CreateProcess returning a (refcounted) handle to the process. It's interesting that the design of Linux seems to be evolving towards making FDs work like handles (e.g. anon inodes getting more use). Not saying it's a bad thing; in fact I find I prefer this approach.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 3:34 UTC (Thu) by wahern (subscriber, #37304) [Link] (5 responses)

Evolving? PIDs were always inconsistent in the sense that most resources on Unix were managed as file descriptors.

This simply makes things more consistent.

Does Windows permit sending handles between unrelated processes? Because presumably you'll be able to do that with this, which open ups all manner of possibilities for process management which don't involve cgroups or a global process manager.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 3:45 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

> Does Windows permit sending handles between unrelated processes?
Yes, although there are some issues with the required security access level.

> Because presumably you'll be able to do that with this, which open ups all manner of possibilities for process management which don't involve cgroups or a global process manager.
Well, you still have to track process hierarchies and your child processes may very well wish to use the classic Unix process management utilities. Besides, cgroups controllers offer significant additional functionality.

But it's not a question of choosing one of them. Descriptor-based process management will allow to do lots of clever stuff in conjunction with cgroups.

For example, right now it's pretty darn impossible to find out which cgroup caused an OOM killer to go on a rampage. It's not even possible to reliably know _what_ was killed (Go on, try it, I dare you!). So serious cgroups users often have to reimplement the OOM killer themselves.

And it actually kinda makes sense - you can't simply pass a PID of a killed process to a cgroup-based controller, since it might be reaped. But with real descriptor-based process management such scenarios are extremely simple.

Next on my things-UNIX-should-have-had-from-the-start list: /dev-based network device management.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 8:56 UTC (Thu) by fishface60 (subscriber, #88700) [Link] (1 responses)

If we're compiling a wishlist, can we separate mount into loadfs and attach, and have an unmount that works on file descriptors, so we can detach filesystems that have been mounted on top of.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 17:27 UTC (Thu) by josh (subscriber, #17465) [Link]

Something like that was the proposal at Kernel Summit from Al Viro: separating mount into a call that opens the filesystem type (such as ext4) and then a (potentially filesystem-specific) call to feed in parameters and mount that filesystem.

I also think it'd make sense to have that second call return a directory file descriptor, which can be used with openat without mounting it, and then feed that to a call like bindmount() (which would also be used for bind mounts, by opening a directory and feeding it in as the dirfd).

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:09 UTC (Thu) by javispedro (guest, #83660) [Link]

> Evolving? PIDs were always inconsistent in the sense that most resources on Unix were managed as file descriptors.
Well, "everything is a file" resources certainly are, but e.g. mutexes, timers, threads, processes, etc. are not (see win32). Oh wait, there's timerfd now... so yeah, I'd said it's been changing.

> Because presumably you'll be able to do that with this, which open ups all manner of possibilities for process management which don't involve cgroups or a global process manager.
I agree; this makes much of cgroups redundant. Obviously all of the current cgroups functionality needs to be adapted. I just wish the decision to go with process handles was made _before_ the design of cgroups.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:26 UTC (Thu) by josh (subscriber, #17465) [Link]

> Because presumably you'll be able to do that with this, which open ups all manner of possibilities for process management which don't involve cgroups or a global process manager.

Yeah, that thought crossed our minds as well. Just for one random example, imagine if you had an inotify-like API that let you receive a new file descriptor every time a process you have a file descriptor for forks a new process. With that alone, you can manage a whole family of child processes without using cgroups.

And yes, it's possible to send a clonefd over a UNIX socket to some other process, for fun and hijinks. :)

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 1:54 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (29 responses)

I totally love this. Now I would be able to do epoll() loops without the usual write-to-pipe-from-SIGCHLD trick or the ugly epoll_pwait.

A small note, though: clonefd_info needs to have size and version fields for future extensions.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 3:24 UTC (Thu) by wahern (subscriber, #37304) [Link] (2 responses)

There was always signalfd. However, signalfd requires the signal to be blocked, and only one signalfd will receive the event, so it's not something you could use from a library. But neither can a library install a SIGCHLD handler if it wanted to avoid changing global state.

Kqueue EVFILT_SIGNAL notifies all listeners, whether or not the signal was delivered or blocked. That's nicer, but definitely not as nice as a process FD.

Note that according to the original thread they've made sure to make this useable as a primitive to implement Capsicum's pdfork, which FreeBSD has.

All in all this is a very welcome feature.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 15:51 UTC (Thu) by wodny (subscriber, #73045) [Link] (1 responses)

Definitely signalfd deserves mentioning. Libevent2 gives similar functionality i.e. running signal handlers from an event loop, but interestingly internally it doesn't seem to use signalfd.

Another thing worth mentioning is that explicitly setting SIGIGN for the SIGCHLD signal prevents zombie creation: "POSIX.1-2001 specifies that if the disposition of SIGCHLD is set to SIG_IGN or the SA_NOCLDWAIT flag is set for SIGCHLD (see sigaction(2)), then children that terminate do not become zombies [...]". I wonder how CLONE_AUTOREAP interacts with that.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 17:28 UTC (Thu) by josh (subscriber, #17465) [Link]

CLONE_AUTOREAP has exactly the same effect as setting SIGCHLD to SIG_IGN or setting SA_NOCLDWAIT, except that you don't actually have to ignore the signal, and for that matter, you don't have to use SIGCHLD as the signal (since clone lets you set an arbitrary signal); you can set the signal to 0 instead.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:10 UTC (Thu) by josh (subscriber, #17465) [Link] (25 responses)

> without the usual write-to-pipe-from-SIGCHLD trick

That's actually the original motivation for this patch. Thiago Macieira has a userspace library that emulates a subset of clonefd by installing a SIGCHLD handler and sending clonefd_info over a pipe. Having clone4 available allows that library to work in a race-free way, and not take over process-wide SIGCHLD handling.

> A small note, though: clonefd_info needs to have size and version fields for future extensions.

That doesn't necessarily help, especially for a first version: nothing forces userspace to actually *check* those fields, and if they don't, then they'll end up being immutable anyway because the kernel can't break old userspace.

So our current plan is to require applications that can handle reading other structures from the clonefd to opt-in by passing an appropriate flag to clone4. Suggestions welcome, though.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:22 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (20 responses)

> That doesn't necessarily help, especially for a first version: nothing forces userspace to actually *check* those fields, and if they don't, then they'll end up being immutable anyway because the kernel can't break old userspace.
Certainly. But it would make it easier for me to simply read the whole packet and transmit it to another part of my program for more detailed parsing. Having a length field would help here.

> So our current plan is to require applications that can handle reading other structures from the clonefd to opt-in by passing an appropriate flag to clone4. Suggestions welcome, though.
That as well. But simply adding a length field and a bitmask with enabled options shouldn't be too hard and it might help people.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:30 UTC (Thu) by josh (subscriber, #17465) [Link] (19 responses)

> Certainly. But it would make it easier for me to simply read the whole packet and transmit it to another part of my program for more detailed parsing. Having a length field would help here.

Note that clonefd behaves like a UDP socket here, in that you have to read the entire clonefd_info structure in one read() call, and any unread bits are lost. We chose that behavior because in theory, you could hand the clonefd to multiple threads or processes, all of which can call read() in parallel, and they shouldn't race or receive partial data even if they don't read a complete structure.

So, in effect, there *is* a length field: it's the return value from read(). If you understand a longer structure, read() a longer structure, and on older kernels you'll get a short read.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 6:13 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (11 responses)

That's interesting.

But this design seem to make it impossible to pass large data (command line arguments, for example).

On the other hand, if the corresponding /proc directory could stay alive while there are open FDs to its process, then there's little need to have more information.

Perhaps you could at least add a 'flags' field so the library code could inspect what extra fields are available?

Also, what about getting a FD of an already running process?

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 6:18 UTC (Thu) by josh (subscriber, #17465) [Link] (10 responses)

> On the other hand, if the corresponding /proc directory could stay alive while there are open FDs to its process, then there's little need to have more information.

We've actually talked about adding an API that would get you from a clonefd to the dirfd of the corresponding /proc directory, from which you could use openat to open the proc files of that process.

> Perhaps you could at least add a 'flags' field so the library code could inspect what extra fields are available?

Something like that might happen the first time clonefd_info gets extended, depending on the added fields.

> Also, what about getting a FD of an already running process?

Planned for a subsequent patch.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 6:30 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link] (9 responses)

> We've actually talked about adding an API that would get you from a clonefd to the dirfd of the corresponding /proc directory, from which you could use openat to open the proc files of that process.
Why not just let the /proc entry to stick around? Kernel can't reuse a PID while it's still held by an open FD or am I wrong?

> Something like that might happen the first time clonefd_info gets extended, depending on the added fields.
Oh well... I guess it's OK, but I'd definitely prefer to have a straightforward "features" flag as the first member of the structure. It'll also condition clients to the fact that the structure might get extended someday.

> Planned for a subsequent patch.
Thanks!

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 7:43 UTC (Thu) by josh (subscriber, #17465) [Link] (8 responses)

> Why not just let the /proc entry to stick around? Kernel can't reuse a PID while it's still held by an open FD or am I wrong?

Among other reasons, because file descriptors are unique system-wide, while if you have a PID, you have to know what PID namespace it's relative to. If the process the clonefd refers to is in another PID namespace from you, and for that matter if you've passed it around via UNIX pipes, the clonefd can still hand you a dirfd that unambiguously refers to the correct /proc directory, without any PIDs or translation involved. That seems far cleaner than, for instance, using an ioctl to get the PID from the clonefd, sprintf-ing that into a filename, and opening a file in /proc.

Ideally, it ought to be possible to operate on processes without ever using a PID.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 7:57 UTC (Thu) by iq-0 (subscriber, #36655) [Link] (7 responses)

Radical idea: Make the filedescriptor actually be a the proc directory?

This would mean that opening that directory directly would automatically mean that you get an equivalent handle. That multiple processes can wait on the exit of that process (and receive basic accounting information). And if the filehandle isn't opened with 'O_PATH' than the task directory would stick around, otherwise it may be automatically cleaned up.

And why not use include the more verbose "getrusage" stats but only the "times" one?

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 17:31 UTC (Thu) by josh (subscriber, #17465) [Link] (1 responses)

> Radical idea: Make the filedescriptor actually be a the proc directory?

We did consider that during the design. We also considered making the "get file descriptor for existing process" mechanism be open("/proc/$PID/clonefd") or similar. However, that approach would require that /proc is mounted, and would raise interesting interaction issues with containers. The kernel has been moving in the opposite direction; for instance, see execveat, which was created specifically as an alternative to execve of /proc/self/fd/N because the latter requires a mounted /proc.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 7:04 UTC (Fri) by iq-0 (subscriber, #36655) [Link]

I'm not saying it should be mounted, but I must admit that I don't know enough about the internals of procfs to know if you could open an fd internally.

I guess it would be a security risk, because a process could this way get a procfs handle, follow that to '..' and have access to it's entire procfs even if the admin chose not to mount it (chroot escaping for root processes would probably become easier this way, though that is officially not considered a security mechanism).

But I don't see how the 'open(/proc/$pid/clonefd)' would introduce a dependency on procfs. Only the feature "open a process fd for an existing process" would require that. The fd itself wouldn't necessarily have to be tied to procfs in this case (as it would in the fd for task directory).

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 17:40 UTC (Thu) by josh (subscriber, #17465) [Link] (4 responses)

> And why not use include the more verbose "getrusage" stats but only the "times" one?

clonefd_info closely matches the information available in the siginfo structure that you receive when you get SIGCHLD. siginfo doesn't include the rusage information either. And including the full rusage information would make the structure *much* larger. Most callers are not likely to need that information, because they'll only care that the process exited and perhaps what exit code it exited with.

I would propose, instead, adding a version of getrusage that takes a clonefd. Since the task_struct will stick around as long as the clonefd remains open, those stats remain available.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 7:16 UTC (Fri) by iq-0 (subscriber, #36655) [Link] (3 responses)

SIGCHLD is a relic and it's interface reflects what was available at the time.

Most programs only care about exit status. But for anybody who is interested in resource usage, I think nobody want to know only the cpu timings. Most programs make do with it, but that is more a case of what they got, not what they want.

We are talking about 144 bytes vs 32 bytes per exited process that has not been reaped. The pointers inside the kernel for basic administration are probably more expensive to keep around.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 7:35 UTC (Fri) by iq-0 (subscriber, #36655) [Link]

Not to say that getrusage may not be the best alternative perse, pherhaps BSD process accounting of similar structure might be a better match.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 8:20 UTC (Fri) by josh (subscriber, #17465) [Link] (1 responses)

That's making me tempted to just drop the CPU usage numbers and only keep the status and code, with getrusage available for anything else.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 8:49 UTC (Fri) by iq-0 (subscriber, #36655) [Link]

Sure, accounting information could easily be envisioned as a future improvement when the need arises (and when the need arises it will be much clearer what kind of information is desired).

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 10:13 UTC (Thu) by drysdale (guest, #95971) [Link] (6 responses)

> you could hand the clonefd to multiple threads or processes, all of which can call read() in parallel

By the way, I'm don't think this works with v2 of the patchset (presumably because of the code with the "EOF after first read" comment and the ppos update from simple_read_from_buffer).

(I'll send an email separately)

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 10:46 UTC (Thu) by josh (subscriber, #17465) [Link] (5 responses)

You can still have multiple processes or threads read() in parallel; one of them will get a clonefd_info, and the rest will get nothing. Same as if you handed a pipe end to multiple processes and wrote a byte to it. That's the intended behavior.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 11:41 UTC (Thu) by drysdale (guest, #95971) [Link] (4 responses)

Ah, OK, I misread/misunderstood your earlier comment.

However, I wonder if it might be more helpful for each reader to get its own clonefd_info. That would be more consistent with the behaviour of other special-FDs (timerfds, eventfds) and I suspect it would also make it easier to implement pdwait4()-compatible behaviour in the future (where I believe the FreeBSD folk intend for multiple callers each to get their own copy of the returned information).

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 17:46 UTC (Thu) by josh (subscriber, #17465) [Link] (3 responses)

I don't think that's consistent with timerfd or eventfd (or signalfd for that matter); those file descriptors become readable once the desired time or event occurs, and once you read the structure, it's no longer available for other readers.

If multiple readers each want to read their own clonefd_info, I would suggest that they should each open an independent fd for the process.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 20:44 UTC (Thu) by wodny (subscriber, #73045) [Link] (2 responses)

> If multiple readers each want to read their own clonefd_info, I would suggest that they should each open an independent fd for the process.

How can one do that? If clone() has to be used to open an fd and at the same time it creates a new process?

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 20:49 UTC (Thu) by josh (subscriber, #17465) [Link]

See comments elsewhere in this thread; we're going to add a new call in the future to get an fd for an existing process (given either a PID or an existing clonefd).

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 20:58 UTC (Thu) by wodny (subscriber, #73045) [Link]

OK, I've missed the 638824 comment.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 18:34 UTC (Thu) by hmh (subscriber, #3838) [Link] (3 responses)

If you're going to [in the future] have more than one type of message (struct) going through the channel, won't that at least require a common header for every message, that has the message type (please, at least 32 bits worth of it) and total size (so that it can be skipped/ignored when unknown) ?

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 20:43 UTC (Thu) by josh (subscriber, #17465) [Link] (2 responses)

Total size is the value returned from read(); always read the size of the structure you understand, and then process the size of the structure you get back, which may be smaller.

Additional information to distinguish between structures would depend on the structures. For example, if we added a flag to obtain SIGSTOP/SIGCONT information for children (as you can currenly obtain via SIGCHLD), we'd just return exactly the same clonefd_info structure, with CLD_STOPPED or CLD_CONTINUED in the code field; no need to add types or flags for that.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 21:48 UTC (Thu) by dlang (guest, #313) [Link] (1 responses)

using the length as the only version indicator is a clever hack, but it only works well as long as you never end up abandoning/depreciating any data. If you do, you end up having to pad the messages with bogus backwards compatibility data, or some rough approximation of it.

I would have thought that the problem with /proc, specifically with slabinfo data that continues to need to be faked by slab replacements, even when it doesn't actually mean anything, would have shown this to be an "anti-pattern"

yes, including version info wastes a little space from the beginning, but it means that you can actually eliminate fields in the future if you find that you should.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 21:53 UTC (Thu) by josh (subscriber, #17465) [Link]

The length isn't the only version indicator; if we need to change something more fundamental, we can use an explicit flag for that.

And no, we can't ever eliminate a field even with a version number, unless we have backward compatibility code to return old versions to old userspace.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 5:11 UTC (Thu) by josh (subscriber, #17465) [Link]

Thanks for reporting on this effort!

A correction: this patch series was co-developed with Thiago Macieira. Please credit both of us for the patch series, not just me.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 9:03 UTC (Thu) by lkundrak (subscriber, #43452) [Link] (3 responses)

SEE ALSO

FreeBSD's pdfork(2)

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 9:53 UTC (Thu) by justincormack (subscriber, #70439) [Link] (2 responses)

Indeed, one of the great things about Capsicum is support for process descriptors. And allegedly it is being ported to Linux (by Google), so it would be far preferable to get process descriptors via porting Capsicum, which is a well designed nice system rather than just ad hoc adding them.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 10:28 UTC (Thu) by drysdale (guest, #95971) [Link] (1 responses)

It turns out that implementation-wise, the process descriptor parts of Capsicum are fairly orthogonal to the capabilities/capability-mode parts of it. (For example, I keep a topic branch in my git repo for each, and merging the two branches together only requires 3 small diffs, basically adding the Capsicum rights checks for CAP_PDGETPID/CAP_PDKILL/CAP_PDWAIT.)

And, as is pointed out above, Josh and Thiago have been very receptive to making sure that the FreeBSD process descriptor primitives can be implemented in terms of the clonefd functionality (and future extensions to it). So I'm optimistic that we're going to end up with the best of both worlds -- clonefd functionality as a Linux primitive that can be lightly-wrapped to be compatible with the FreeBSD process descriptor API.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 2, 2015 10:32 UTC (Thu) by justincormack (subscriber, #70439) [Link]

That's great news. Looking forward to seeing it.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 3, 2015 10:07 UTC (Fri) by sasha (guest, #16070) [Link]

clonefd_info does not looks like a good API design. If the fd is supposed to be extended to other process management facilities, read() should return a structure like this:
struct process_event {
int type;
#define PROCESS_EVENT_TYPE_EXITED 1
union {
struct clonefd_info exited;
} u;
};

Attaching file descriptors to processes with CLONE_FD

Posted Apr 7, 2015 13:52 UTC (Tue) by kjp (guest, #39639) [Link] (2 responses)

Getting rid of PIDs and their wrap around race conditions would be awesome. But, with this 'descriptor' to a process, how can I serialize it to disk (like a .pid file) and read it back in later?

Attaching file descriptors to processes with CLONE_FD

Posted Apr 8, 2015 0:02 UTC (Wed) by flussence (guest, #85566) [Link] (1 responses)

PID files are a design smell. Any halfway-competent process supervision system (anything but sysvinit) provides a way to uniquely identify running services, usually by associating them with a file on disk.

Attaching file descriptors to processes with CLONE_FD

Posted Apr 8, 2015 18:22 UTC (Wed) by flussence (guest, #85566) [Link]

After re-reading this it sounds a bit ridiculous without context, I should be more clear: the "uniqueness" comes from an inode<->pid association and/or an open fd, held by the parent of the process in question, not just the contents of a file.