<div dir="ltr">Maybe I'm misunderstanding the issue?<div><br></div><div>I thought the reason there is no version check currently, is because a check is being made to see if the process is in the same namespace as root for the net namespace (as a proxy to checking that the mount namespace is being used).</div><div><br></div><div>The comment indicates that one could check the mount namespace, but that would require a kernel 3.8+.</div><div><br></div><div>My question was whether we should check the mount namespace and therefore require a kernel of 3.8+?</div><div><br></div><div>Maybe it is just easier to stick with (C).</div><div><br></div><div>Thoughts? Should this review move forward as-is?</div><div><br></div><div>Regards,</div><div><br></div><div>PCM</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr">PCM (Paul Michali)</div><div dir="ltr"><div><br></div><div>IRC............ pc_m (<a href="http://irc.freenode.com" target="_blank">irc.freenode.com</a>)<br>Twitter....... @pmichali</div><div><br></div></div></div></div></div></div>
<br><div class="gmail_quote">On Fri, Jan 23, 2015 at 10:37 AM, Kyle Mestery <span dir="ltr"><<a href="mailto:mestery@mestery.com" target="_blank">mestery@mestery.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">According to the patch author, the check isn't necessary at all.<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 23, 2015 at 7:12 AM, Paul Michali <span dir="ltr"><<a href="mailto:pc@michali.net" target="_blank">pc@michali.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">To summarize, should we...<div><br></div><div>A) Assume all kernels will be 3.8+ and use mount namespace (risky?)</div><div>B) Do a check to ensure kernel is 3.8+ and fall back to net namespace and mount --bind if not (more work).</div><div>C) Just use net namespace as indication that namespace with mount --bind done (simple)</div><div><br></div><div>Maybe it is best to just do the simple thing for now. I wanted to double check though, to see if the alternatives could/should be considered.</div><div><br></div><div>Regards,</div><div><br></div><div>PCM</div><div><br></div></div><div class="gmail_extra"><span><br clear="all"><div><div><div dir="ltr"><div><div dir="ltr">PCM (Paul Michali)</div><div dir="ltr"><div><br></div><div>IRC............ pc_m (<a href="http://irc.freenode.com" target="_blank">irc.freenode.com</a>)<br>Twitter....... @pmichali</div><div><br></div></div></div></div></div></div>
<br></span><div><div><div class="gmail_quote">On Fri, Jan 23, 2015 at 1:35 AM, Joshua Zhang <span dir="ltr"><<a href="mailto:joshua.zhang@canonical.com" target="_blank">joshua.zhang@canonical.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">pls note that actually this patch doesn't have minumum kernel requirement because it only uses 'mount --bind' and 'net namespace', not use 'mount namespace'. ('mount --bind' is since linux 2.4, 'net namespace' is since Linux 3.0, 'mount namespace' is since Linux 3.8).<br><br>so I think sanity checks for 3.8 is not need, any thoughts ? <br><br>thanks.<br><br></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Fri, Jan 23, 2015 at 2:12 PM, Kevin Benton <span dir="ltr"><<a href="mailto:blak111@gmail.com" target="_blank">blak111@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>>If we can consolidate that and use a single tool from the master neutron repository, that would be my vote. <div><br></div></span><div>+1 with a hook mechanism so the sanity checks stay in the *aas repos and they are only run if installed. </div><span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><blockquote type="cite"><span style="font-size:12.8000001907349px"></span><div dir="ltr" style="font-size:12.8000001907349px"></div></blockquote></div></blockquote></span></div><div class="gmail_extra"><div><div><br><div class="gmail_quote">On Thu, Jan 22, 2015 at 7:30 AM, Kyle Mestery <span dir="ltr"><<a href="mailto:mestery@mestery.com" target="_blank">mestery@mestery.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><span>On Wed, Jan 21, 2015 at 10:27 AM, Ihar Hrachyshka <span dir="ltr"><<a href="mailto:ihrachys@redhat.com" target="_blank">ihrachys@redhat.com</a>></span> wrote:<br></span><div class="gmail_extra"><div class="gmail_quote"><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span>
On 01/20/2015 05:40 PM, Paul Michali wrote:<br>
<blockquote type="cite">
<div dir="ltr">Review <a href="https://review.openstack.org/#/c/146508/" target="_blank">https://review.openstack.org/#/c/146508/</a>
is adding support for StrongSwan VPN, which needs mount bind to
be able to specify different paths for config files.
<div><br>
</div>
<div>The code, which used some older patch, does a test for
/proc/1/ns/net, instead of /proc/1/ns/mnt, because it stated
that the latter is only supported in kernel 3.8+. That was a
while ago, and I'm wondering if the condition is still true.
If we know that for Kilo and on, we'll be dealing with 3.8+
kernels, we could use the more accurate test.</div>
<div><br>
</div>
<div>Can we require 3.8+ kernel for this?</div>
</div>
</blockquote>
<br></span>
I think we can but it's better to check with distributions. Red Hat
wise, we ship a kernel that is newer than 3.8.<span><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div>If so, how and where do we ensure that is true?</div>
</div>
</blockquote>
<br></span>
Ideally, you would implement a sanity check for the feature you need
from the kernel. Though it opens a question of whether we want to
ship multiple sanity check tools for each of repos (neutron + 3 *aas
repos).<br>
<br></div></blockquote></span><div>If we can consolidate that and use a single tool from the master neutron repository, that would be my vote. <br></div><span><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
<blockquote type="cite"><span>
<div dir="ltr">
<div><br>
</div>
<div>Also, if you can kindly review the code here: <a href="https://review.openstack.org/#/c/146508/5/neutron_vpnaas/services/vpn/common/netns_wrapper.py" target="_blank">https://review.openstack.org/#/c/146508/5/neutron_vpnaas/services/vpn/common/netns_wrapper.py</a>,
I'd really appreciate it, as I'm not versed in the Linux proc
files at all.</div>
<div><br>
</div>
<div>Thanks!</div>
<div><br>
</div>
<div><br clear="all">
<div>
<div>
<div dir="ltr">
<div>
<div dir="ltr">PCM (Paul Michali)</div>
<div dir="ltr">
<div><br>
</div>
<div>IRC............ pc_m (<a href="http://irc.freenode.com" target="_blank">irc.freenode.com</a>)<br>
Twitter....... @pmichali</div>
<div><br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</span><pre>__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: <a href="mailto:OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></span></div><br></div></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br><div><div>Kevin Benton</div></div>
</font></span></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br></div></div><div><div dir="ltr"><div>Best Regards</div><div>Zhang Hua(张华)</div><div>Software Engineer | Canonical</div><div>IRC: zhhuabj</div></div></div>
</div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div></div>
<br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>
</div></div><br>__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div>