From: Jean-Marc Pigeon <jmp-4qkeo2rQ0gg@public.gmane.org>
To: Matt Helsley <matthltc-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
Cc: Linux Containers <containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>
Subject: Re: [PATCH 1/1] Syslog are now containerized
Date: Sat, 13 Feb 2010 16:56:16 -0500
Message-ID: <1266098176.19130.320.camel@Mercier.safe.ca>
In-Reply-To: <20100213203610.GA3714-52DBMbEzqgQ/wnmkkaCWp/UQ3DHhIser@public.gmane.org>
Hello,
[...]
> Tracking all of these accesses down and ensuring they are only done
> from "its container context" is difficult or impossible. It's not as
> easy as you seem to think. In some cases the same resource could be
> shared between containers. Which should we access it from then?
How come?! Resources (a device, iptables rules,...)
containerized within one container could be shared by
another unrelated container?
Does this mean (simple example) that someone changing
iptables rules for one container could change
another unrelated container's behavior?!... no way...
The only case is a sub-container (a container
within a container), but in such a case we
are in the HOST: versus CONT: situation. The device
will be controlled by CONT: even if used by SUBCONT:
All depends on where the device is defined (where
is the definition responsibility? That's the question
to assign syslog..., usage is another story).
>
> > Keep in mind, A fully containerized system can be managed
> > by someone with full privilege BUT NOT in charge of
> > the host itself (IE: without host access).
>
> Sure. (We're not there yet but I think we'd like to get
> there eventually.)
>
> > My proposal is a clear cut, if a resource is containerized
> > report to CONT: (containerized) syslog... no questions asked.
>
> That part of the proposal is simple and makes a lot of sense. The
> ramifications of it on kernel code are not simple and often there's
> no clean way to do it.
Well, this troubles me somewhat....
2.6.18-128.2.1.el5.028stab064.7 (just an example, I am using
day to day), is containerising iptables and other syslogs
in a nice way....,
We are now at 2.6.33; you are telling me that what was experimented,
learned, monthssss ago still can't be implemented
in the current mainstream kernel?....
--
A bientôt
==========================================================================
Jean-Marc Pigeon Internet: jmp@safe.ca
SAFE Inc. Phone: (514) 493-4280
Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================