From: Oren Laadan <orenl-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
To: "Eric W. Biederman" <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
Cc: containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
Peter Dolding <oiaohm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Subject: Re: Roadmap for features planed for containers where and Some future features ideas.
Date: Tue, 22 Jul 2008 10:05:27 -0400 [thread overview]
Message-ID: <4885E927.7070505@cs.columbia.edu> (raw)
In-Reply-To: <m1y73uk8qc.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
Eric W. Biederman wrote:
> "Peter Dolding" <oiaohm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>
>> On Mon, Jul 21, 2008 at 10:13 PM, Eric W. Biederman
>> <ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org> wrote:
>>> "Peter Dolding" <oiaohm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> writes:
>>>
>>>> http://opensolaris.org/os/community/brandz/ I would like to see if
>>>> something equal to this is on the roadmap in particular. Being able
>>>> to run solaris and aix closed source binaries contained would be
>>>> useful.
>>> There have been projects to do this at various times on linux. Having
>>> a namespace dedicated to a certain kind of application is no big deal.
>>> Someone would need to care enough to test and implement it though.
>>>
>>>> Other useful feature is some way to share a single process between PID
>>>> containers as like a container bridge. For containers used for
>>>> desktop applications not having a single X11 server interfacing with
>>>> video card is a issue.
>>> X allows network connections, and I think unix domain sockets will work.
>>> The latter I need to check on.
>> Does to a point until you see that local X11 is using shared memory
>> for speed. Hardest issue is getting GLX working.
>
> That is easier in general. Don't unshare the sysvipc namespace.
> Or share the mount of /dev/shmem at least for the file X cares about.
>
>>> The pid namespace is well defined and no a task will not be able
>>> to change it's pid namespace while running. That is nasty.
>> Ok if that is imposable to extremely risky.
>>
>> What about a form of a proxy pid in the pid namespace proxying
>> application chatter between 1 name space to another. Applications
>> being the bridge if its not possible to do it invisible to application
>> could be made aware of it. So they can provide shared memory and the
>> like across pid namespaces. But only where they have a activated proxy
>> to do there bidding. This also allows applications to maintain there
>> own internal secuirty between namespaces.
>>
>> Ie application is 1 pid number in its source container and virtual pid
>> numbers in the following containers. Symbolic linking at task level
>> yes a little warped. Yes this will annoying mean a special set of
>> syscalls and a special set of capabilities and restrictions. Like PID
>> containers starting up forbidding proxy pid's or allowing them.
>>
>> If I am thinking right that avoids not be able to change it's pid.
>> Instead sending and receiving the messages you need in the other name
>> space threw a small proxy. Yes I know that will cost some
>> performance.
>
> Proxy pids don't actually do anything for you, unless you want to send
> signals. Because all of the namespaces are distinct. So even at the
> best of it you can see the X server but it still can't use your
> network sockets or ipc shm.
>
> Better is working out the details on how to manipulate multiple
> sysvipc and network namespaces from a single application. Mostly
> that is supported now by the objects there is just no easy way
> of dealing with it.
>
>> Basically want to setup a neat universal container way of handling
>> stuff like http://www.cs.toronto.edu/~andreslc/xen-gl/ without having
>> to go network and hopefully in a way that limitations don't have to
>> exist since messages are really only be sent threw 1 X11 server to 1
>> driver system. Only thing is really sending the correct messages to
>> the correct place. There will most likely be other services were a
>> single entity at times is preferred. Worst out come is if proxying
>> .so is required.
>
> Yes. I agree that is essentially desirable. Given that I think
> high end video card actually have multiple hardware contexts that
> can be mapped into different user space processes there may be other
> ways of handling this.
>
> Ideally we can find a high performance solution to X that also gives
> us good isolation and migration properties. Certainly something to talk
> about tomorrow in the conference.
In particular, if you wish to share private resources of a container
between more than a single container, then you won't be able to use
checkpoint/restart on neither container (unless you make special
provisions in the code).
I agree with Eric that the way to handle this is via virtualization
as opposed to direct sharing. The same goes for other hardware, e.g.
in the context of a user desktop - /dev/rtc, sound, and so on. My
experience is that a proxy/virtualized device is what we probably
want.
Oren.
>
> Eric
>
> _______________________________________________
> Containers mailing list
> Containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org
> https://lists.linux-foundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2008-07-22 14:05 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-21 11:03 Roadmap for features planed for containers where and Some future features ideas Peter Dolding
[not found] ` <e7d8f83e0807210403g12b980e8jad4fa7e10d8b410e-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-21 12:13 ` Eric W. Biederman
[not found] ` <m1k5ffmo48.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-07-21 13:21 ` Peter Dolding
[not found] ` <e7d8f83e0807210621y74ef1307x1c0ecbfb33182e85-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-22 1:28 ` Eric W. Biederman
[not found] ` <m1y73uk8qc.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-07-22 14:05 ` Oren Laadan [this message]
[not found] ` <4885E927.7070505-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-07-23 0:56 ` Peter Dolding
[not found] ` <e7d8f83e0807221756y18ab14b6mfd8013b2e3424257-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-24 18:32 ` Oren Laadan
[not found] ` <4888CACB.1000600-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2008-07-25 3:32 ` Peter Dolding
[not found] ` <e7d8f83e0807242032p3c93b3dbqcd5f4d44aad9ca6f-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-26 7:05 ` Eric W. Biederman
[not found] ` <m1od4lruq8.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-07-26 10:06 ` Peter Dolding
[not found] ` <e7d8f83e0807260306q194be9e9q53151abcea818624-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2008-07-26 13:56 ` Eric W. Biederman
[not found] ` <m14p6cpx42.fsf-B27657KtZYmhTnVgQlOflh2eb7JE58TQ@public.gmane.org>
2008-07-27 5:17 ` Peter Dolding
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4885E927.7070505@cs.columbia.edu \
--to=orenl-eqauephvms7envbuuze7ea@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=oiaohm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox