History log of /unit/src/nxt_clone.h (Results 1 – 5 of 5)
Revision (<<< Hide revision tags) (Show revision tags >>>) Date Author Comments
Revision tags: 1.21.0-1, 1.21.0, 1.20.0-1, 1.20.0
# 1595:d1884e46cf71 16-Sep-2020 Tiago Natel de Moura

Isolation: remove redundant macro.


Revision tags: 1.19.0-1, 1.19.0, 1.18.0-1, 1.18.0
# 1489:4a3ec07f4b19 28-May-2020 Tiago Natel de Moura

Added "rootfs" feature.


# 1488:6976d36be926 09-Mar-2020 Tiago Natel de Moura

Refactor of process management.

The process abstraction has changed to:

setup(task, process)
start(task, process_data)
prefork(task, process, mp)

The prefork() occurs in the main process rig

Refactor of process management.

The process abstraction has changed to:

setup(task, process)
start(task, process_data)
prefork(task, process, mp)

The prefork() occurs in the main process right before fork.

The file src/nxt_main_process.c is completely free of process
specific logic.

The creation of a process now supports a PROCESS_CREATED state. The
The setup() function of each process can set its state to either
created or ready. If created, a MSG_PROCESS_CREATED is sent to main
process, where external setup can be done (required for rootfs under
container).

The core processes (discovery, controller and router) doesn't need
external setup, then they all proceeds to their start() function
straight away.

In the case of applications, the load of the module happens at the
process setup() time and The module's init() function has changed
to be the start() of the process.

The module API has changed to:

setup(task, process, conf)
start(task, data)

As a direct benefit of the PROCESS_CREATED message, the clone(2) of
processes using pid namespaces now doesn't need to create a pipe
to make the child block until parent setup uid/gid mappings nor it
needs to receive the child pid.

show more ...


Revision tags: 1.17.0-1, 1.17.0, 1.16.0-1, 1.16.0, 1.15.0-1, 1.15.0, 1.14.0-1, 1.14.0
# 1306:3604d05e48be 06-Dec-2019 Tiago Natel

Isolation: allowed the use of credentials with unpriv userns.

The setuid/setgid syscalls requires root capabilities but if the kernel
supports unprivileged user namespace then the child process has

Isolation: allowed the use of credentials with unpriv userns.

The setuid/setgid syscalls requires root capabilities but if the kernel
supports unprivileged user namespace then the child process has the full
set of capabilities in the new namespace, then we can allow setting "user"
and "group" in such cases (this is a common security use case).

Tests were added to ensure user gets meaningful error messages for
uid/gid mapping misconfigurations.

show more ...


Revision tags: 1.13.0-1, 1.13.0, 1.12.0-1, 1.12.0, 1.11.0-2, 1.11.0-1, 1.11.0
# 1182:325b315e48c4 19-Sep-2019 Tiago de Bem Natel de Moura

Initial applications isolation support using Linux namespaces.