summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_clone.h (unfollow)
AgeCommit message (Collapse)AuthorFilesLines
2020-05-28Added "rootfs" feature.Tiago Natel de Moura1-0/+3
2020-03-09Refactor of process management.Tiago Natel de Moura1-6/+8
The process abstraction has changed to: setup(task, process) start(task, process_data) prefork(task, process, mp) The prefork() occurs in the main process right before fork. The file src/nxt_main_process.c is completely free of process specific logic. The creation of a process now supports a PROCESS_CREATED state. The The setup() function of each process can set its state to either created or ready. If created, a MSG_PROCESS_CREATED is sent to main process, where external setup can be done (required for rootfs under container). The core processes (discovery, controller and router) doesn't need external setup, then they all proceeds to their start() function straight away. In the case of applications, the load of the module happens at the process setup() time and The module's init() function has changed to be the start() of the process. The module API has changed to: setup(task, process, conf) start(task, data) As a direct benefit of the PROCESS_CREATED message, the clone(2) of processes using pid namespaces now doesn't need to create a pipe to make the child block until parent setup uid/gid mappings nor it needs to receive the child pid.
2019-12-06Isolation: allowed the use of credentials with unpriv userns.Tiago Natel1-2/+38
The setuid/setgid syscalls requires root capabilities but if the kernel supports unprivileged user namespace then the child process has the full set of capabilities in the new namespace, then we can allow setting "user" and "group" in such cases (this is a common security use case). Tests were added to ensure user gets meaningful error messages for uid/gid mapping misconfigurations.
2019-09-19Initial applications isolation support using Linux namespaces.Tiago de Bem Natel de Moura1-0/+17