Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn’t do much beyond the minimum - important for this low level code with syscalls."><metaname=authorcontent="Jake Hillion"><linkrel=canonicalhref=https://blog.hillion.co.uk/posts/weekly-2022-01-03/><linkcrossorigin=anonymoushref=/assets/css/stylesheet.min.48a18943c2fc15c38a372b8dde1f5e5dc0bc64fa6cb90f5a817d2f8c76b7f3ae.cssintegrity="sha256-SKGJQ8L8FcOKNyuN3h9eXcC8ZPpsuQ9agX0vjHa3864="rel="preload stylesheet"as=style><scriptdefercrossorigin=anonymoussrc=/assets/js/highlight.min.b95bacdc39e37a332a9f883b1e78be4abc1fdca2bc1f2641f55e3cd3dabd4d61.jsintegrity="sha256-uVus3DnjejMqn4g7Hni+Srwf3KK8HyZB9V4809q9TWE="onload=hljs.initHighlightingOnLoad()></script>
<script>vardoNotTrack=!1;if(!doNotTrack){window.dataLayer=window.dataLayer||[];functiongtag(){dataLayer.push(arguments)}gtag("js",newDate),gtag("config","G-4CXXF49E7M",{anonymize_ip:!1})}</script><metaproperty="og:title"content="Jake's Weekly - 3rd Jan 2022"><metaproperty="og:description"content="ResearchProjectProcessIsolationSetupaFedoratestingVMforeasierandconsistenttesting.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn’t do much beyond the minimum - important for this low level code with syscalls."><metaproperty="og:type"content="article"><metaproperty="og:url"content="https://blog.hillion.co.uk/posts/weekly-2022-01-03/"><metaproperty="article:section"content="posts"><metaproperty="article:published_time"content="2022-01-01T11:00:00+00:00"><metaproperty="article:modified_time"content="2022-01-01T11:00:00+00:00"><metaproperty="og:site_name"content="Jake Hillion"><metaname=twitter:cardcontent="summary"><metaname=twitter:titlecontent="Jake's Weekly - 3rd Jan 2022"><metaname=twitter:descriptioncontent="ResearchProjectProcessIsolationSetupaFedoratestingVMforeasierandconsistenttesting.
Fedora 35 uses pure cgroups2 by default - very useful! Sorted out backups for the repo and the above machine. Chose a testing framework for C enabling testing of the assertions to build the project upon.
Used Unity. Simple and the examples show that it doesn’t do much beyond the minimum - important for this low level code with syscalls."><scripttype=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Posts","item":"https://blog.hillion.co.uk/posts/"},{"@type":"ListItem","position":2,"name":"Jake's Weekly - 3rd Jan 2022","item":"https://blog.hillion.co.uk/posts/weekly-2022-01-03/"}]}</script><scripttype=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Jake'sWeekly-3rdJan2022","name":"Jake\u0027sWeekly-3rdJan2022","description":"ResearchProjectProcessIsolationSetupaFedoratestingVMforeasierandconsistenttesting.\nFedora35usespurecgroups2bydefault-veryuseful!Sortedoutbackupsfortherepoandtheabovemachine.ChoseatestingframeworkforCenablingtestingoftheassertionstobuildtheprojectupon.\nUsedUnity.Simpleandtheexamplesshowthatitdoesn\u0026rsquo;tdomuchbeyondtheminimum-importantforthislowlevelcodewithsyscalls.","keywords":[],"articleBody":"ResearchProjectProcessIsolationSetupaFedoratestingVMforeasierandconsistenttesting.\nFedora35usespurecgroups2bydefault-veryuseful!Sortedoutbackupsfortherepoandtheabovemachine.ChoseatestingframeworkforCenablingtestingoftheassertionstobuildtheprojectupon.\nUsedUnity.Simpleandtheexamplesshowthatitdoesn’tdomuchbeyondtheminimum-importantforthislowlevelcodewithsyscalls.Forkingandcloningdoesn’tcauseanyproblemsaslongaseachprocessisreliablyexited(notreturnedfrom).BeganwritingassertiontestsfortheflagsoftheLinuxsyscallclone3.ImportantasmanyofthesehavewhatIconsidersurprisingbehaviourgoingfromjustthenames.clone3andtheresultantprocesses/namespacesaregoingtobethemajorityofprocessseparationinthisproject.\nCLONE_FS:Linksspecificbitsoffilesystemmetadata,suchasthePWDoftheprocesses.\nImportantlythisisclonedinacopy-on-writewayregardlessoftheflag,buttheCLONE_FSflagkeepsthetwoprocesseslinked.CLONE_FILES:Linksthefiledescriptortablesoftheprocesses.\nAgain,thisiscopy-on-write-allfdsareinheritedwithoutthisflag,asthesameunderlyingfiledescriptors,butthisflagensuresthatnewonesareshared.Trickytotest,asIPCisrequiredtopassthefiledescriptorsaround.CLONE_NEWNS:Placeaclonedprocessintoanewmountnamespace.\nCopy-on-write:hasallexistingmountsoftheparentnamespace.Perhapsthesolutionistoclonetwicebutgivethesecondclonetheoriginalparent?Thatwaythefirstclonedprocesscanunmountallfilesystemsinthenewnamespace,thenthenew-newnamespacewillbecreatedwithnomounts.Otherwise,unmountintheprivilegedsectionbeforehandingoffcontroloftheclone.Filesystemsmarkedassharedandmountedunderbasicallyignorethenewnamespace-thenewfilesystemisstillpropagatedback.Bothmy/tmptmpfs,whichI’vebeenusing,andmy/rootaremountedasshared.Thisiscertainlyatrickyonetogetmyheadaround.RequiresCAP_SYS_ADMIN.CLONE_NEWCGROUP:Placeaclonedprocessintoanewcgroupnamespace.\nBasicallyachrootforthecgroupdirectorystructure.RequiresCAP_SYS_ADMIN.CLONE_NEWNET:Placeaclonedprocessintoanewnetworknamespace.\nThenewnetnamespacehasonlyaloopbackadapterinit,whichisdownbydefault.Thoughaprocessonlyhasonenetworknamespace,thesecanbelinkedwithsomework,allowingforprettycomplexseparation.RequiresCAP_SYS_ADMIN.CLONE_NEWPID:CreatesaprocessinanewPIDnamespace.\nProcessappearswithPID1initsnewnamespace(itbelievesitistheinitprocess).RequiresCAP_SYS_ADMIN.CLONE_IO:HavethetwoprocessesshareanI/Ocontext.\nThisoneisgoingtobeparticularlytrickytoexamineinaunit-testlikeformat,soI’msavinglookingmoreintoitforlater.Itappearstobesolelyforperformanceoptimisation,b
<spanclass=logo-switches><buttonid=theme-toggleaccesskey=ttitle="(Alt + T)"><svgid="moon"xmlns="http://www.w3.org/2000/svg"width="24"height="24"viewBox="0 0 24 24"fill="none"stroke="currentcolor"stroke-width="2"stroke-linecap="round"stroke-linejoin="round"><pathd="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svgid="sun"xmlns="http://www.w3.org/2000/svg"width="24"height="24"viewBox="0 0 24 24"fill="none"stroke="currentcolor"stroke-width="2"stroke-linecap="round"stroke-linejoin="round"><circlecx="12"cy="12"r="5"/><linex1="12"y1="1"x2="12"y2="3"/><linex1="12"y1="21"x2="12"y2="23"/><linex1="4.22"y1="4.22"x2="5.64"y2="5.64"/><linex1="18.36"y1="18.36"x2="19.78"y2="19.78"/><linex1="1"y1="12"x2="3"y2="12"/><linex1="21"y1="12"x2="23"y2="12"/><linex1="4.22"y1="19.78"x2="5.64"y2="18.36"/><linex1="18.36"y1="5.64"x2="19.78"y2="4.22"/></svg></button></span></div><ulid=menu><li><ahref=https://blog.hillion.co.uk/categories/title=categories><span>categories</span></a></li><li><ahref=https://blog.hillion.co.uk/tags/title=tags><span>tags</span></a></li></ul></nav></header><mainclass=main><articleclass=post-single><headerclass=post-header><divclass=breadcrumbs><ahref=https://blog.hillion.co.uk/>Home</a> » <ahref=https://blog.hillion.co.uk/posts/>Posts</a></div><h1class=post-title>Jake's Weekly - 3rd Jan 2022</h1><divclass=post-meta><spantitle='2022-01-01 11:00:00 +0000 UTC'>January 1, 2022</span> · 5 min · Jake Hillion</div></header><divclass=post-content><h2id=research-project>Research Project<ahiddenclass=anchoraria-hidden=truehref=#research-project>#</a></h2><h3id=process-isolation>Process Isolation<ahiddenclass=anchoraria-hidden=truehref=#process-isolation>#</a></h3><ul><li><p>Setup a Fedora testing VM for easier and consistent testing.</p><ul><li>Fedora 35 uses pure cgroups2 by default - very useful!</li><li>Sorted out backups for the repo and the above machine.</li></ul></li><li><p>Chose a testing framework for C enabling testing of the assertions to build the project upon.</p><ul><li>Used <ahref=http://www.throwtheswitch.org/unity>Unity</a>. Simple and the examples show that it doesn’t do much beyond the minimum - important for this low level code with syscalls.</li><li>Forking and cloning doesn’t cause any problems as long as each process is reliably exited (not returned from).</li></ul></li><li><p>Began writing assertion tests for the flags of the Linux syscall <code>clone3</code>. Important as many of these have what I consider surprising behaviour going from just the names. <code>clone3</code> and the resultant processes/namespaces are going to be the majority of process separation in this project.</p><ul><li><p><ahref=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/fs><code>CLONE_FS</code></a>: Links specific bits of filesystem metadata, such as the PWD of the processes.</p><ul><li>Importantly this is cloned in a copy-on-write way regardless of the flag, but the <code>CLONE_FS</code> flag keeps the two processes linked.</li></ul></li><li><p><ahref=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/files><code>CLONE_FILES</code></a>: Links the file descriptor tables of the processes.</p><ul><li>Again, this is copy-on-write - all fds are inherited without this flag, as the same underlying file descriptors, but this flag ensures that new ones are shared.</li><li>Tricky to test, as IPC is required to pass the file descriptors around.</li></ul></li><li><p><ahref=https://gitea.hillion.co.uk/JakeHillion/ocaml-cgroups2/src/branch/assertions/assertions/namespaces/mount><code>CLONE_NEWNS</code></a>: Place a cloned process into a new mount namespace.</p><ul><li>Copy-on-write: has all existing mounts of the parent namespace. Perhaps the solution is to clone twice but give the second clone the original parent? That way the first cloned process can unmount all filesystems in the new namespace, then the ne
<ahref=https://git.io/hugopapermodrel=noopenertarget=_blank>PaperMod</a></span></footer><ahref=#toparia-label="go to top"title="Go to Top (Alt + G)"class=top-linkid=top-linkaccesskey=g><svgxmlns="http://www.w3.org/2000/svg"viewBox="0 0 12 6"fill="currentcolor"><pathd="M12 6H0l6-6z"/></svg></a><script>letmenu=document.getElementById("menu");menu&&(menu.scrollLeft=localStorage.getItem("menu-scroll-position"),menu.onscroll=function(){localStorage.setItem("menu-scroll-position",menu.scrollLeft)}),document.querySelectorAll('a[href^="#"]').forEach(e=>{e.addEventListener("click",function(e){e.preventDefault();vart=this.getAttribute("href").substr(1);window.matchMedia("(prefers-reduced-motion: reduce)").matches?document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView():document.querySelector(`[id='${decodeURIComponent(t)}']`).scrollIntoView({behavior:"smooth"}),t==="top"?history.replaceState(null,null," "):history.pushState(null,null,`#${t}`)})})</script><script>varmybutton=document.getElementById("top-link");window.onscroll=function(){document.body.scrollTop>800||document.documentElement.scrollTop>800?(mybutton.style.visibility="visible",mybutton.style.opacity="1"):(mybutton.style.visibility="hidden",mybutton.style.opacity="0")}</script><script>document.getElementById("theme-toggle").addEventListener("click",()=>{document.body.className.includes("dark")?(document.body.classList.remove("dark"),localStorage.setItem("pref-theme","light")):(document.body.classList.add("dark"),localStorage.setItem("pref-theme","dark"))})</script></body></html>