Skip to content

rootless: use nsfs file handles to persist namespaces #27880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
giuseppe wants to merge 1 commit into
base: main
Choose a base branch
from
Open

rootless: use nsfs file handles to persist namespaces #27880

giuseppe wants to merge 1 commit into from

Conversation

@giuseppe
Copy link
Member

@giuseppe giuseppe commented Jan 8, 2026

use name_to_handle_at and open_by_handle_at to persist rootless namespaces without needing a pause process.

The namespace file handles are stored in a file and can be used to rejoin the namespaces, as long as the namespaces still exist.

Fall back to the pause process approach only when the kernel doesn't support nsfs handles (EOPNOTSUPP).

These changes in the kernel are required (landed in Linux 6.18):

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ab378cfa793

Checklist

Ensure you have completed the following checklist for your pull request to be reviewed:

  • Certify you wrote the patch or otherwise have the right to pass it on as an open-source patch by signing all
    commits. (git commit -s). (If needed, use git commit -s --amend). The author email must match
    the sign-off email address. See CONTRIBUTING.md
    for more information.
  • Referenced issues using Fixes: #00000 in commit message (if applicable)
  • Tests have been added/updated (or no tests are needed)
  • Documentation has been updated (or no documentation changes are needed)
  • All commits pass make validatepr (format/lint checks)
  • Release note entered in the section below (or None if no user-facing changes)

Does this PR introduce a user-facing change?

From Linux 6.18, rootless Podman won't create a "pause" process to keep the user and mount namespaces alive.

@giuseppe giuseppe force-pushed the drop-pause-process branch 10 times, most recently from 88d18ef to 65d8b55 Compare January 9, 2026 17:10
@packit-as-a-service
Copy link

packit-as-a-service bot commented Jan 9, 2026

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

2 similar comments
@packit-as-a-service
Copy link

packit-as-a-service bot commented Jan 9, 2026

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

@packit-as-a-service
Copy link

packit-as-a-service bot commented Jan 9, 2026

[NON-BLOCKING] Packit jobs failed. @containers/packit-build please check. Everyone else, feel free to ignore.

@giuseppe giuseppe force-pushed the drop-pause-process branch 2 times, most recently from d53f620 to 0dcca5e Compare January 9, 2026 23:36
@giuseppe giuseppe changed the title [WIP] rootless: use nsfs file handles to persist namespaces rootless: use nsfs file handles to persist namespaces Jan 10, 2026
@giuseppe giuseppe marked this pull request as ready for review January 10, 2026 22:02
@giuseppe
Copy link
Member Author

giuseppe commented Jan 12, 2026

@containers/podman-maintainers tests are passing, ready for review

baude
baude reviewed Jan 12, 2026
View reviewed changes
libpod/runtime_migrate_linux.go Outdated
}

nsHandlesPath := rootless.GetNamespaceHandlesPath(stateDir)
_ = os.Remove(nsHandlesPath)
Copy link
Member

@baude baude Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this be logged in any way?

Copy link
Member Author

@giuseppe giuseppe Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added a warning

baude
baude reviewed Jan 12, 2026
View reviewed changes
pkg/rootless/rootless.go

// GetNamespaceHandlesPath returns the path to the namespace handles file
// in the given state directory.
func GetNamespaceHandlesPath(stateDir string) string {
Copy link
Member

@baude baude Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would it be good to drop a couple of unit tests here to prevent regression?

Copy link
Member Author

@giuseppe giuseppe Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

@baude
Copy link
Member

baude commented Jan 12, 2026

LGTM, I had a couple of sideways questions that you can decide on ... we should get somebody with more C to review this too.

jankaluza
jankaluza reviewed Jan 12, 2026
View reviewed changes
pkg/rootless/rootless_linux.c Outdated
int p[2];
char pause_pid_file_path[PATH_MAX];

snprintf (pause_pid_file_path, PATH_MAX, "%s/pause.pid", state_dir);
Copy link
Member

@jankaluza jankaluza Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to also check for PATH_MAX here?

  if (ret >= PATH_MAX)
    {
      errno = ENAMETOOLONG;
      return -1;
    }

Copy link
Member Author

@giuseppe giuseppe Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure, added

@mheon
Copy link
Member

mheon commented Jan 12, 2026

What does this look like when upgrading from an older Podman without a restart? Will the user need a system migrate to kill the existing pause process and make sure all rootless containers are using the new, correct rootless userns?

@giuseppe
Copy link
Member Author

giuseppe commented Jan 12, 2026
edited
Loading

What does this look like when upgrading from an older Podman without a restart? Will the user need a system migrate to kill the existing pause process and make sure all rootless containers are using the new, correct rootless userns?

no, it will automatically join the pause process as we do now, then save the file with the handles. There is no manual intervention required. It won't kill the pause process though, so it can be a problem if someone mixes different versions and restart the pause process

eriksjolund
eriksjolund reviewed Jan 13, 2026
View reviewed changes
@giuseppe giuseppe force-pushed the drop-pause-process branch 2 times, most recently from c852de4 to fdb0407 Compare January 14, 2026 09:13
@giuseppe
rootless: use nsfs file handles to persist namespaces
692410d 
use name_to_handle_at and open_by_handle_at to persist rootless
namespaces without needing a pause process.

The namespace file handles are stored in a file and can be used to
rejoin the namespaces, as long as the namespaces still exist.

Fall back to the pause process approach only when the kernel doesn't
support nsfs handles (EOPNOTSUPP).

These changes in the kernel are required (landed in Linux 6.18):

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3ab378cfa793

Signed-off-by: Giuseppe Scrivano <[email protected]>
@giuseppe
Copy link
Member Author

giuseppe commented Jan 14, 2026

comments addressed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@baude baude baude left review comments

+2 more reviewers

@eriksjolund eriksjolund eriksjolund left review comments

@jankaluza jankaluza jankaluza left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@giuseppe @baude @mheon @eriksjolund @jankaluza