
Our situation is:

  1. First we have a kernel thread (say KS) that starts to run when the kernel starts to run;
  2. Then, when the system is ready, we create another namespace (say NS1) that has a different mntns, with LXC.

Our requirement is that KS needs to write something to a path that can only be seen by NS1. So I'm thinking: can I move KS into the NS1 namespace (or at least change its mount namespace)? If yes, how? I have checked the setns() syscall and its kernel source code, but I still don't know how to do it (either in user space or by changing the KS source code), and I'm not even sure if this is the right way to solve the problem.

My other question is: my understanding is that a kernel task (e.g., a kernel thread) is aware of "namespaces" if it is in process context, but my friend thinks that "namespace" is a user-space concept, and all kernel stuff knows only about the root namespace. Which one is correct?

chrk
Mark.Zhang

1 Answer


No, it is not the right way to solve your problem. The whole idea of writing to any namespace from a kernel thread is bad, as explained in detail here: http://www.linuxjournal.com/article/8110. You should do it from user space, after you enter the required mount namespace by using the setns(2) syscall. The setns(2) man page has example code to do that.

The answer to your other question is that your friend is wrong; the namespace setup and relevant processing is done inside the kernel, by the kernel, thus the kernel must know everything about all of the namespaces. Each task's task_struct contains an nsproxy struct member with all of the relevant pointers to the respective namespace data structures -- these are kernel-only data structures. User space actually does not know anything about this (other than having requested it in the clone()). In the case of the mount namespace, the user process is handed a mount table: either the same one as that of the parent, or a private copy if a new mount namespace has been requested by clone(flags=CLONE_NEWNS). Either way, the user process just uses whatever mount table (structures) it was handed, and the kernel manages the namespace details without the user being aware of it.

kozel
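As an added illustration of the user-space route the answer recommends, here is a small program that enters the mount namespace of a process already running inside NS1 with setns(2) and then writes the file there. This is example code written for this page, not the answer's own code and not the example from the setns(2) man page; the target PID and the destination path are assumptions passed on the command line, and the caller must hold CAP_SYS_ADMIN in the user namespace that owns the target mount namespace (in practice, root on the host). The `same_ns()` check compares the `/proc/<pid>/ns/mnt` links of two tasks before switching, which is the standard way to confirm whether two tasks really share a namespace.

```c
// Added example: join a target process's mount namespace from user space with
// setns(2), then write a file that is only visible there. Not the original
// answer's code; PID and path are assumptions supplied on the command line.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Build "/proc/<pid>/ns/<kind>" into buf. Returns 0, or -1 if it does not fit. */
int ns_path(char *buf, size_t len, pid_t pid, const char *kind)
{
    int n = snprintf(buf, len, "/proc/%ld/ns/%s", (long)pid, kind);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Return 1 if pid_a and pid_b share the namespace of the given kind ("mnt",
 * "pid", "net", ...), 0 if they do not, -1 on error (no /proc, target gone).
 * Two tasks are in the same namespace exactly when their /proc/<pid>/ns/<kind>
 * links resolve to the same (st_dev, st_ino) pair. */
int same_ns(pid_t pid_a, pid_t pid_b, const char *kind)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    if (ns_path(pa, sizeof pa, pid_a, kind) || ns_path(pb, sizeof pb, pid_b, kind))
        return -1;
    if (stat(pa, &sa) || stat(pb, &sb))
        return -1;
    return (sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino) ? 1 : 0;
}

/* Move the calling process into the mount namespace of target_pid.
 * Returns 0 on success or -errno on failure: -EPERM without CAP_SYS_ADMIN in
 * the target's owning user namespace, -EINVAL if the caller is multithreaded
 * (setns with CLONE_NEWNS requires that the caller's fs state is not shared). */
int join_mnt_ns(pid_t target_pid)
{
    char path[64];
    if (ns_path(path, sizeof path, target_pid, "mnt"))
        return -EINVAL;
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -errno;
    int rc = setns(fd, CLONE_NEWNS);
    int saved = errno;
    close(fd);
    return rc == 0 ? 0 : -saved;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <pid-inside-NS1> <path-visible-only-in-NS1>\n", argv[0]);
        return 2;
    }
    pid_t target = (pid_t)strtol(argv[1], NULL, 10);

    /* Only switch if we are not already in the target's mount namespace.
     * Do this check before setns(): afterwards /proc may be NS1's own proc
     * instance, in which host PIDs are not necessarily visible. */
    int shared = same_ns(getpid(), target, "mnt");
    if (shared < 0) { perror("same_ns"); return 1; }
    if (shared == 0) {
        int rc = join_mnt_ns(target);
        if (rc) { fprintf(stderr, "setns: %s\n", strerror(-rc)); return 1; }
    }

    FILE *f = fopen(argv[2], "w");
    if (!f) { perror(argv[2]); return 1; }
    fputs("written from inside NS1's mount namespace\n", f);
    fclose(f);
    return 0;
}
```

Run it as `sudo ./join_mnt_ns <pid of a process in the LXC container> /some/path/only/in/NS1` from a single-threaded helper; a long-lived service that must write into several containers would typically fork a child per target and let the child do the setns() and the write, so the parent's own mount namespace is never changed.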