www/blog.hillion.co.uk/posts/weekly-2022-01-03/index.html

<!doctype html><html lang=en dir=auto><head><meta charset=utf-8><meta http-equiv=x-ua-compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Jake's Weekly - 3rd Jan 2022 | Jake Hillion</title><meta name=keywords content><meta name=description content="Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn&rsquo;t do much beyond the minimum - important for this low level code with syscalls."><meta name=author content="Jake Hillion"><link rel=canonical href=https://blog.hillion.co.uk/posts/weekly-2022-01-03/><link crossorigin=anonymous href=/assets/css/stylesheet.min.48a18943c2fc15c38a372b8dde1f5e5dc0bc64fa6cb90f5a817d2f8c76b7f3ae.css integrity="sha256-SKGJQ8L8FcOKNyuN3h9eXcC8ZPpsuQ9agX0vjHa3864=" rel="preload stylesheet" as=style><script defer crossorigin=anonymous src=/assets/js/highlight.min.b95bacdc39e37a332a9f883b1e78be4abc1fdca2bc1f2641f55e3cd3dabd4d61.js integrity="sha256-uVus3DnjejMqn4g7Hni+Srwf3KK8HyZB9V4809q9TWE=" onload=hljs.initHighlightingOnLoad()></script>
<link rel=icon href=https://blog.hillion.co.uk/favicon.ico><link rel=icon type=image/png sizes=16x16 href=https://blog.hillion.co.uk/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=https://blog.hillion.co.uk/favicon-32x32.png><link rel=apple-touch-icon href=https://blog.hillion.co.uk/apple-touch-icon.png><link rel=mask-icon href=https://blog.hillion.co.uk/safari-pinned-tab.svg><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><noscript><style>#theme-toggle,.top-link{display:none}</style><style>@media(prefers-color-scheme:dark){:root{--theme:rgb(29, 30, 32);--entry:rgb(46, 46, 51);--primary:rgb(218, 218, 219);--secondary:rgb(155, 156, 157);--tertiary:rgb(65, 66, 68);--content:rgb(196, 196, 197);--hljs-bg:rgb(46, 46, 51);--code-bg:rgb(55, 56, 62);--border:rgb(51, 51, 51)}.list{background:var(--theme)}.list:not(.dark)::-webkit-scrollbar-track{background:0 0}.list:not(.dark)::-webkit-scrollbar-thumb{border-color:var(--theme)}}</style></noscript><script async src="https://www.googletagmanager.com/gtag/js?id=G-4CXXF49E7M"></script>
<script>var doNotTrack=!1;if(!doNotTrack){window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}gtag("js",new Date),gtag("config","G-4CXXF49E7M",{anonymize_ip:!1})}</script><meta property="og:title" content="Jake's Weekly - 3rd Jan 2022"><meta property="og:description" content="Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn&rsquo;t do much beyond the minimum - important for this low level code with syscalls."><meta property="og:type" content="article"><meta property="og:url" content="https://blog.hillion.co.uk/posts/weekly-2022-01-03/"><meta property="article:section" content="posts"><meta property="article:published_time" content="2022-01-01T11:00:00+00:00"><meta property="article:modified_time" content="2022-01-01T11:00:00+00:00"><meta property="og:site_name" content="Jake Hillion"><meta name=twitter:card content="summary"><meta name=twitter:title content="Jake's Weekly - 3rd Jan 2022"><meta name=twitter:description content="Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn&rsquo;t do much beyond the minimum - important for this low level code with syscalls."><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Posts","item":"https://blog.hillion.co.uk/posts/"},{"@type":"ListItem","position":2,"name":"Jake's Weekly - 3rd Jan 2022","item":"https://blog.hillion.co.uk/posts/weekly-2022-01-03/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Jake's Weekly - 3rd Jan 2022","name":"Jake\u0027s Weekly - 3rd Jan 2022","description":"Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.\nFedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.\nUsed Unity. Simple and the examples show that it doesn\u0026rsquo;t do much beyond the minimum - important for this low level code with syscalls.","keywords":[],"articleBody":"Research Project Process Isolation Setup a Fedora testing VM for easier and consistent testing.\nFedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.\nUsed Unity. Simple and the examples show that it doesnt do much beyond the minimum - important for this low level code with syscalls. Forking and cloning doesnt cause any problems as long as each process is reliably exited (not returned from). Began writing assertion tests for the flags of the Linux syscall clone3. Important as many of these have what I consider surprising behaviour going from just the names. 
clone3 and the resultant processes/namespaces are going to be the majority of process separation in this project.\nCLONE_FS: Links specific bits of filesystem metadata, such as the PWD of the processes.\nImportantly this is cloned in a copy-on-write way regardless of the flag, but the CLONE_FS flag keeps the two processes linked. CLONE_FILES: Links the file descriptor tables of the processes.\nAgain, this is copy-on-write - all fds are inherited without this flag, as the same underlying file descriptors, but this flag ensures that new ones are shared. Tricky to test, as IPC is required to pass the file descriptors around. CLONE_NEWNS: Place a cloned process into a new mount namespace.\nCopy-on-write: has all existing mounts of the parent namespace. Perhaps the solution is to clone twice but give the second clone the original parent? That way the first cloned process can unmount all filesystems in the new namespace, then the new-new namespace will be created with no mounts. Otherwise, unmount in the privileged section before handing off control of the clone. Filesystems marked as shared and mounted under basically ignore the new namespace - the new filesystem is still propagated back. Both my /tmp tmpfs, which Ive been using, and my / root are mounted as shared. This is certainly a tricky one to get my head around. Requires CAP_SYS_ADMIN. CLONE_NEWCGROUP: Place a cloned process into a new cgroup namespace.\nBasically a chroot for the cgroup directory structure. Requires CAP_SYS_ADMIN. CLONE_NEWNET: Place a cloned process into a new network namespace.\nThe new net namespace has only a loopback adapter in it, which is down by default. Though a process only has one network namespace, these can be linked with some work, allowing for pretty complex separation. Requires CAP_SYS_ADMIN. CLONE_NEWPID: Creates a process in a new PID namespace.\nProcess appears with PID 1 in its new namespace (it believes it is the init process). Requires CAP_SYS_ADMIN. 
CLONE_IO: Have the two processes share an I/O context.\nThis one is going to be particularly tricky to examine in a unit-test like format, so Im saving looking more into it for later. It appears to be solely for performance optimisation, b
<span class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></span></div><ul id=menu><li><a href=https://blog.hillion.co.uk/categories/ title=categories><span>categories</span></a></li><li><a href=https://blog.hillion.co.uk/tags/ title=tags><span>tags</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=https://blog.hillion.co.uk/>Home</a>&nbsp;»&nbsp;<a href=https://blog.hillion.co.uk/posts/>Posts</a></div><h1 class=post-title>Jake's Weekly - 3rd Jan 2022</h1><div class=post-meta><span title='2022-01-01 11:00:00 +0000 UTC'>January 1, 2022</span>&nbsp;·&nbsp;5 min&nbsp;·&nbsp;Jake Hillion</div></header><div class=post-content><h2 id=research-project>Research Project<a hidden class=anchor aria-hidden=true href=#research-project>#</a></h2><h3 id=process-isolation>Process Isolation<a hidden class=anchor aria-hidden=true href=#process-isolation>#</a></h3><ul><li><p>Setup a Fedora testing VM for easier and consistent testing.</p><ul><li>Fedora 35 uses pure cgroups2 by default - very useful!</li><li>Sorted out backups for the repo and the above 
machine.</li></ul></li><li><p>Chose a testing framework for C enabling testing of the assertions to build the project upon.</p><ul><li>Used <a href=http://www.throwtheswitch.org/unity>Unity</a>. Simple and the examples show that it doesn&rsquo;t do much beyond the minimum - important for this low level code with syscalls.</li><li>Forking and cloning doesn&rsquo;t cause any problems as long as each process is reliably exited (not returned from).</li></ul></li><li><p>Began writing assertion tests for the flags of the Linux syscall <code>clone3</code>. Important as many of these have what I consider surprising behaviour going from just the names. <code>clone3</code> and the resultant processes/namespaces are going to be the majority of process separation in this project.</p><ul><li><p><a href=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/fs><code>CLONE_FS</code></a>: Links specific bits of filesystem metadata, such as the PWD of the processes.</p><ul><li>Importantly this is cloned in a copy-on-write way regardless of the flag, but the <code>CLONE_FS</code> flag keeps the two processes linked.</li></ul></li><li><p><a href=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/files><code>CLONE_FILES</code></a>: Links the file descriptor tables of the processes.</p><ul><li>Again, this is copy-on-write - all fds are inherited without this flag, as the same underlying file descriptors, but this flag ensures that new ones are shared.</li><li>Tricky to test, as IPC is required to pass the file descriptors around.</li></ul></li><li><p><a href=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/mount><code>CLONE_NEWNS</code></a>: Place a cloned process into a new mount namespace.</p><ul><li>Copy-on-write: has all existing mounts of the parent namespace. 
Perhaps the solution is to clone twice but give the second clone the original parent? That way the first cloned process can unmount all filesystems in the new namespace, then the ne
<span>Powered by
<a href=https://gohugo.io/ rel="noopener noreferrer" target=_blank>Hugo</a> &
<a href=https://git.io/hugopapermod rel=noopener target=_blank>PaperMod</a></span></footer><a href=#top aria-label="go to top" title="Go to Top (Alt + G)" class=top-link id=top-link accesskey=g><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 12 6" fill="currentcolor"><path d="M12 6H0l6-6z"/></svg></a><script>let menu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();var t=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>var mybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>