Containers as kernel objects
Containers can be thought of as a form of lightweight virtualization. Processes running within a container have the illusion of running on an independent system but, in truth, many containers can be running simultaneously on the same host kernel. The container illusion is created using namespaces, giving each container its own view of the network, the filesystem, and more, and control groups, which isolate containers from each other and control resource usage. Security modules or seccomp can be used to further restrict what a container can do. The result is a mechanism that, like so many things in Linux, offers a great deal of flexibility at the cost of a fair amount of complexity. Setting up a container in a way that ensures it will stay contained is not a trivial task and, as we'll see, the lack of a container primitive also complicates things on the kernel side.
Adding a container object
Howells's patch creates (or modifies) a set of system calls to make it possible for user space to manipulate containers. It all starts with:
int container_create(const char *name, unsigned int flags);
This new system call creates a container with the given name. The flags mainly specify which namespaces from the caller should be replaced by new namespaces in the created container. For example, specifying CONTAINER_NEW_USER_NS will cause the container to be created with a new user namespace. The return value is a file descriptor that can be used to refer to the container. There are a couple of flags that indicate whether the container should be destroyed when the file descriptor is closed, and whether the descriptor should be closed if the calling process calls exec().
The container starts out empty, with no processes running within it; if it is created with a new mount namespace, there are no filesystems mounted inside it either. Two new system calls (fsopen() and fsmount(), added in a separate patch set) can be used to add filesystems to the container. The "at" versions of the file system calls (openat(), for example) can take a container file descriptor as the starting point, easing the creation of files inside the container. It is possible to open a socket within the container with:
int container_socket(int container_fd, int domain, int type, int protocol);
The main purpose of container_socket() appears to be to make it easy to use netlink sockets to configure the container's networking from the outside. It can help an orchestration system avoid the need to run a process inside the container to do this configuration.
When it comes time to start things running inside the container, a call can be made to:
pid_t fork_into_container(int container_fd);
The new process created by this call will be the init process inside the given container, and will run inside the container's namespaces. It can only be called once for any given container.
There are a number of things that, Howells said, could still be added to this mechanism. They include the ability to set a container's namespaces directly, support for the management of a container's control groups, the ability to suspend and restart a container, and more. But it is not clear that this work will progress far in its current form.
A poor match?
A number of developers expressed concerns about this proposal, mostly focused on two issues: the proposed container object is not seen as a good match for how containers are actually used now, and it is seen as the wrong solution to a specific problem. On the first issue, the flexibility of the current mechanisms is seen by many as an advantage, one that they would rather not lose. Jessica Frazelle said:
Here, she was referring to the runtime specification from the Open Containers Initiative. James Bottomley was more direct, saying that:
He pointed out, in particular, an apparent mismatch between the proposed
container object and the concepts of containers and "pods" implemented in
Kubernetes. Some namespaces are specific to a container, while others are
shared across a pod, blurring the boundaries somewhat.
The kernel container object, he added, "isn't something the
orchestration systems would find usable
".
Eric Biederman took an even stronger position by rejecting the patch outright. As he put it:
Unlike the others, he is not so deeply concerned with what existing orchestration systems do; his worries have to do with the exposing of the container object to user space at all. That is where the second issue comes up.
Upcalls
To a great extent, it appears that the motivation behind this patch set isn't to make the management of containers easier for user-space code. Instead, it is trying to solve a nagging problem that has become increasingly irritating for kernel developers: how to make kernel "upcalls" work properly in a containerized environment.
As a general rule, the kernel, as the lowest level of the system, tries to be self-sufficient in all things. There really is nobody else to rely on to get things done, after all. There are times, though, when the kernel has to ask user space for help. That is typically done with a call to call_usermodehelper(), an internal function that will create a user-space process and run a specific program to get something done — "calling up" to user space, in other words.
There are a number of call_usermodehelper() call sites in the kernel. Some of the tasks it is used for include:
- The core-dump code can use it to invoke a program to do something useful with the dumped data.
- The NFSv4 client can call a helper program to perform DNS resolution.
- The module loader can invoke a helper to perform demand-loading of modules.
- The kernel's key-management code will call to user space when a key is needed to perform a specific function — to mount an encrypted filesystem, for example.
Once upon a time, when life was simple, these upcalls would create a process running as root that could run the requested program. Now, however, the action that provoked the upcall in the first place may well have come from inside a container, and it may well be that the upcall should run within that container as well. At least, it should run inside that container's particular mix of namespaces. But, since the kernel has no concept of a container, it has no way to know which container to run any particular upcall within. A kernel upcall that is run in the wrong namespace might do the wrong thing — or allow a process to escape its container.
Adding a container concept to the kernel is one way to fix this problem. But this particular patch has raised questions of whether (1) a container object is the best solution to the upcall problem, and (2) if a container object does make sense, does it need to be exposed to user space? The kernel might be able to keep track of the proper namespaces to use for specific upcalls without creating a bunch of new infrastructure or exposing a new API that would have to be maintained forever. Biederman suggested one possible scheme that could be used to track namespaces for the key-management upcalls, for example.
Another possible approach, proposed by Colin Walters, is to drop the upcall model entirely. Instead, a protocol could be created to report events to a user-space daemon that could act on them in the proper context. That kind of change has been made in the past; device-related events were once handled via upcalls, but now they are communicated directly to the udev (or systemd-udevd) process instead. But, as Jeff Layton pointed out, that model only works in some settings. In others, it just leads to a proliferation of daemon processes that clutter up the system and can create reliability issues. So the events model isn't necessarily a replacement for all kernel upcalls.
This discussion is young as of this writing, and may yet progress in
unexpected directions. From the early indications, it seems relatively
unlikely that
a container object visible to user space will be added to the kernel
anytime soon. If, perhaps, some future attempt creates a container concept
that is useful to existing orchestration systems, that could change.
Meanwhile, we may well see an attempt to improve the kernel's internal
ability to determine the proper namespace for any given upcall. Either
way, the inherent complexity of the container problem seems likely to be
with us for a long time.
| Index entries for this article | |
|---|---|
| Kernel | Containers |
Posted May 24, 2017 1:34 UTC (Wed)
by neilbrown (subscriber, #359)
[Link] (7 responses)
Posted May 24, 2017 4:45 UTC (Wed)
by garloff (subscriber, #319)
[Link] (2 responses)
Posted May 26, 2017 9:50 UTC (Fri)
by Albis (guest, #115537)
[Link] (1 responses)
Posted May 26, 2017 10:25 UTC (Fri)
by mathstuf (subscriber, #69389)
[Link]
Posted May 24, 2017 10:47 UTC (Wed)
by jlayton (subscriber, #31672)
[Link] (3 responses)
Posted May 25, 2017 2:12 UTC (Thu)
by neilbrown (subscriber, #359)
[Link] (2 responses)
So what is the important details of the context in which request_key() is called, that determines the desired container? A lot of the calls come from filesystems. Should the container context come from the filesystem, or the mount point, or the process making some request?
Posted May 25, 2017 11:50 UTC (Thu)
by ebiederm (subscriber, #35028)
[Link] (1 responses)
Posted May 26, 2017 14:12 UTC (Fri)
by cyphar (subscriber, #110703)
[Link]
Posted May 24, 2017 3:47 UTC (Wed)
by cyphar (subscriber, #110703)
[Link]
The complexity in runtimes is something that we've already made peace with. Why are you changing the interfaces underneath us? Who actually asked for this?
If you wanted to implement Zones or Jails on Linux, you should've just done that in the first place.
Posted May 24, 2017 3:50 UTC (Wed)
by brauner (subscriber, #109349)
[Link] (1 responses)
Posted May 24, 2017 14:41 UTC (Wed)
by Tara_Li (guest, #26706)
[Link]
Posted May 24, 2017 8:12 UTC (Wed)
by bbockelm (subscriber, #71069)
[Link]
With systemd, the upcall model makes less sense. systemd is very capable of socket activation (not sure about activation based on netlink messages) and launching a one-shot service to handle the task.
Heck, even the container daemon or runtime can do this. I'm not convinced this would lead to a proliferation of standing processes per container for infrequent calls.
Posted May 25, 2017 14:44 UTC (Thu)
by mezcalero (subscriber, #45103)
[Link] (11 responses)
Note that systemd can do socket activation for you, including netlink activation. Hence there isn't really proliferation of daemons if people would just give up on upcalls: the stuff in userspace would only run when something is happening much the same as before, but everything cleanly managed, introspectable by the user with all security policies properly in effect and so on.
Hence my suggestion: dont try to make upcalls work in more cases. Instead just stip doing them altogether. They are awful. There should be a singlr upcall only on the system: the one invoking PID 1.
Lennart
Posted May 26, 2017 23:16 UTC (Fri)
by nix (subscriber, #2304)
[Link] (10 responses)
(Side note: at least one NFS developer is a sysvinit user. The likelihood of upcalls going away from NFSv4 in favour of just throwing everything at PID 1 is thus essentially nil, though it is possible that a PID 1-throwing *option* might be added. Removing everything in favour of your proposed PID 1 approach would break every non-systemd system out there, and also systemd systems too old to understand whatever this upcall request might turn out to be. Some people really do have existing systems to maintain and don't want gratuitous breakage of this sort of thing, thanks!)
Posted May 26, 2017 23:56 UTC (Fri)
by walters (subscriber, #7396)
[Link] (7 responses)
Posted May 28, 2017 0:06 UTC (Sun)
by nix (subscriber, #2304)
[Link] (6 responses)
Posted May 28, 2017 15:17 UTC (Sun)
by MattJD (subscriber, #91390)
[Link]
If having several daemons running is an issue, an alternate daemon could do the systemd's part, by listening and then launching the appropriate daemon on a notification.
I think Lennart was saying how systemd could implement it, using it's existing functionality. Nothing in that example implies to me you have to run systemd, nor have the listener be PID 1 if you are willing to reimplement some functionality.
Posted May 29, 2017 8:18 UTC (Mon)
by matthias (subscriber, #94967)
[Link] (4 responses)
Posted May 30, 2017 0:19 UTC (Tue)
by nix (subscriber, #2304)
[Link] (3 responses)
Well, one problem is that asking the systemwide PID 1 doesn't help much in the very container case that triggered this, unless you are lucky enough to have the PID 1-associated framework know about every container on the system -- and we know where *that*'s gone, with a mass of argument bordering on open warfare over containerization systems and their degree of talking to systemd, and no sign of a resolution. The only way to fix this would be to hand a containerized upcall off to PID 1 in the relevant container. This would work great except that not all containers use the PID namespace, leaving you with nowhere to hand the upcall off to, so you're screwed; also, most containerization systems that do use PID namespaces seem to run nothing resembling init but just run the contained binary *as* PID 1 in the container: of course, the contained binary would have no idea how to handle these upcall messages, so you're screwed. (I think that running anything not an init as PID 1 is somewhere between horrifying and outright demented, but a lot of systems already do this, so we must allow for their existence.)
No, I don't think handing things off to PID 1 would work. It might work in an ideal universe in which every containerization system knew how to tell every init system that knew how to respond to these upcalls about the container's existence, but we do not live in that universe, and as long as containers are non-first-class objects and anyone can take a pile of random namespaces and call it a container, we will not live in it. (I exploit this fairly heavily on my systems, like, I expect, many others: you can kick off a "container" with a ten-line sudo-invoked shell script calling unshare(1), and with a couple of extra lines you can store enough state to have arbitrary other stuff pop in to join the container too. It's really flexible but y'know my random shell scripts invoking compilation environments in fs trees for various distros and the like really do not know how to handle upcalls and certainly aren't going to tell PID 1 about their existence either.)
Posted May 30, 2017 4:54 UTC (Tue)
by MattJD (subscriber, #91390)
[Link] (2 responses)
This seems to have the best chance of capturing upcall related behaviour. A daemon can tell the kernel over netlink what namespaces it cares about (whether it's mount/network/etc) with the kernel enforcing security boundaries to avoid process escaping (maybe only allowing the current one?). The kernel can communicate about what namespace (when the information is available) as well, to allow a global monitor to process an upcall. This makes much more sense, and allows the daemon to be started in the context it wants, managed by the administrator (whether through init scripts or systemd/upstart/etc). The kernel doesn't have to dictate any of that, which seems a win.
This doesn't even need to invalidate your use case of customized containers. If you use any functionality requiring an upcall, it can be handled by an appropriate daemon of your design. And it doesn't require systemd, nor any particular PID 1, nor any functionality be in PID 1.
And to be clear, I'd be against a system that required PID 1 to be systemd, and would dislike a system requiring this functionality to be integrated in PID 1. Whether it's a good idea is a different question, but it shouldn't be a requirement.
Posted May 31, 2017 13:25 UTC (Wed)
by nix (subscriber, #2304)
[Link] (1 responses)
It appears you're suggesting having one daemon in the root namespace somehow communicate with the kernel and somehow partition the space of namespaces into those it cares about and those it doesn't (how it does this when it may not have been told about the existence of half of them, without tiresomely iterating over the lot, is unclear to me). This seems terribly complex and fragile, for almost no benefits over the current solution -- and all the complexity is layered into one of the most diverse parts of the Linux ecosystem, a place which is correspondingly hard to change in any coherent way.
Posted May 31, 2017 13:49 UTC (Wed)
by MattJD (subscriber, #91390)
[Link]
I'm not sure exactly how such a system would look, as I'm not familiar with all the moving pieces nor use cases, so I was just throwing out a general picture. I was generally thinking that appropriate sockets would opened with the kernel for communication. Depending upon the namespace (and again I'm not familiar with all the details), the process would either need to be in the namespace or the kernel would need to identify the namespace to the process somehow. Ideally a process in a given namespace should be able to take over handling that namespace, which should allow any containerization solution to handle itself without caring what runs in the root/parent namespace.
That general sketch seems cleaner to me, as it moves policy about how to handle a given upcall to userspace, which seems to be line with the kernel's wishes. If your container is complicated enough to require upcall handling, then yes a process will need to run to listen for those events (whether it's your process itself, or some process started by the init of the container). Ideally container managers like docker/rkt could provide handling for their containers, to ease system administration. If you are hand rolling your own, you'll need to handle all these details. But that won't change from the status quo, where you still need something to handle the upcall. And many simple cases should avoid requiring this discussion all together, like your example of a build container.
Posted May 29, 2017 8:49 UTC (Mon)
by mezcalero (subscriber, #45103)
[Link] (1 responses)
Whether you run systemd or something else is just an implementation detail. Whatever you run, it's always highly problematic if you have unmanaged processes around, that live entirely outside of the context of the rest of the system resource-management-wise, security-wise, introspection-wise, monitoring-wise and runtime-wise.
The three most relevant upcalls are probably the modprobe requester, the cgroups agent and the coredump handler (at least on systemd systems). In the first case we turn it off these days in udev, and use the netlink logic, and in the latter two cases we install a small binary that notifies something else and exits quickly in order to keep the surface small for code that runs outside of any lifecycle management, resource-management, security management. The only logic next step is to avoid this altogether, and just notify that something else directly.
Upcalls are really little more than workarounds for dumb init systems which cannot do any form of event-based activation. I figure it's fine if they continue to exist, already for compat reasons, but I think it's important to get the message out that they are a hack, and a bad thing and that new mechanisms should use proper notification, the kernel has many better options for asking userspace to do things.
Posted May 30, 2017 0:23 UTC (Tue)
by nix (subscriber, #2304)
[Link]
Containers as kernel objects
Maybe we need an "upcall namespace" which identifies a different process to (transparently) fork.
Containers as kernel objects
Sounds comparably clean... Kernel still would need to somehow determine at the upcall place which init it belongs to.
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Either way there is a well defined kernel object that can hold a reference to a fork-for-upcalls kthread - isn't there?
Containers as kernel objects
Containers as kernel objects
No
Containers as kernel objects
I think all maintainers of current container runtimes uniformely agree, including me, that this is not a good idea. I think the strongest argument against this interface is that it defines what a container actually is *supposed* to be. This is something which we should not to. The strength of containerization features in the Linux kernel is that they allow to be combined in multiple ways to create different breeds of container objects. A first class container citizen doesn't make sense. Most of all, because the point where something like this could have been implemented has passed. There just is not concept of a container for Linux. We should embrace this fact in all its complexity.
Containers as kernel objects
Socket activation, not upcalls?
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects
Containers as kernel objects