public inbox for linux-kernel@vger.kernel.org
From: Herbert Poetzl <herbert@13thfloor.at>
To: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: Al Viro <viro@ftp.linux.org.uk>, Andi Kleen <ak@suse.de>,
	linux-kernel@vger.kernel.org,
	"Eric W. Biederman" <ebiederm@xmission.com>,
	dev@sw.ru, sam@vilain.net, xemul@sw.ru, haveblue@us.ibm.com,
	clg@fr.ibm.com, frankeh@us.ibm.com
Subject: Re: [PATCH 1/9] nsproxy: Introduce nsproxy
Date: Wed, 10 May 2006 14:20:38 +0200
Message-ID: <20060510122038.GC30809@MAIL.13thfloor.at>
In-Reply-To: <20060510115520.GA25720@sergelap.austin.ibm.com>

On Wed, May 10, 2006 at 06:55:21AM -0500, Serge E. Hallyn wrote:
> Quoting Al Viro (viro@ftp.linux.org.uk):
> > On Tue, May 09, 2006 at 09:11:29PM -0500, Serge E. Hallyn wrote:
> > > Introduce the nsproxy struct.  Doesn't do anything yet, but has its
> > > own lifecycle pretty much mirroring the fs namespace.
> > > 
> > > Subsequent patches will move the namespace struct into the nsproxy.
> > > Then as more namespaces are introduced, such as utsname, they can
> > > be added to the nsproxy as well.
> > 
> > Is there any reason why those can't be simply part of namespace?  I.e.
> > be carried by the stuff mounted in standard places...
> 
> The argument has been that it is desirable to be able to unshare these
> namespaces - uid, pid, network, sysv, utsname, fs-namespace -
> separately.  Are you talking about having these all be part of a single
> namespace unshared all at once (and stored in struct namespace)?  Or am
> I misunderstanding you entirely?

the straightforward approach was to have N (currently nine?)
different 'spaces' all referenced by a task, and the latest
idea to optimize that (Andi made that some requirement IIRC)
was to have one structure referenced by the task struct, 
which holds the references to those 'spaces'

> Andi Kleen (I believe) thinks it should be like that, all or nothing.  I
> think Herbert Poetzl had current examples where vserver is used to
> unshare just pieces, i.e. apache unsharing network but sharing global
> pidspace.

we (Linux-VServer) basically consider the various 'spaces'
building blocks (or smallest units) to build larger 
environments which are isolated or virtualized in some
aspects, but not all of them.

think of it as: chroot(), chnamespace, chcontext, chbind, ...

existing examples (just to get the idea) are:

 - cooperating applications which are limited to a subset
   of the available network addresses

 - strictly isolated (pid and resources) services on the
   same filesystem and network

best,
Herbert

> thanks,
> -serge
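
A simplified userspace model of the layout described in this message (one structure referenced by the task, holding the references to the individual 'spaces'), added here as an illustration and not taken from the patch series or the kernel. All type and function names are hypothetical; the scenario follows the quoted example of unsharing network while sharing the pid space.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical userspace model; illustrative names, not kernel code. */
enum { NS_FS, NS_UTS, NS_NET, NS_PID, NS_COUNT };

struct space   { int refs; int id; };                /* one isolated 'space' */
struct nsproxy { int refs; struct space *ns[NS_COUNT]; };
struct task    { struct nsproxy *nsproxy; };         /* one pointer per task */

static int next_id = 1;

static struct space *space_new(void) {
    struct space *s = malloc(sizeof *s);
    if (!s) abort();
    s->refs = 1; s->id = next_id++;
    return s;
}
/* Drop a proxy reference; the last put releases its hold on every space. */
static void nsproxy_put(struct nsproxy *p) {
    if (--p->refs) return;
    for (int i = 0; i < NS_COUNT; i++)
        if (--p->ns[i]->refs == 0) free(p->ns[i]);
    free(p);
}
static struct nsproxy *nsproxy_init(void) {
    struct nsproxy *p = malloc(sizeof *p);
    if (!p) abort();
    p->refs = 1;
    for (int i = 0; i < NS_COUNT; i++) p->ns[i] = space_new();
    return p;
}
/* fork: the child shares the whole proxy, so only one counter is bumped. */
static void task_fork(struct task *child, const struct task *parent) {
    child->nsproxy = parent->nsproxy;
    child->nsproxy->refs++;
}
/* Unshare a single space: new proxy, fresh 'which', the rest stay shared. */
static void task_unshare(struct task *t, int which) {
    struct nsproxy *old = t->nsproxy, *p = malloc(sizeof *p);
    if (!p) abort();
    p->refs = 1;
    for (int i = 0; i < NS_COUNT; i++) {
        if (i == which) p->ns[i] = space_new();
        else { p->ns[i] = old->ns[i]; p->ns[i]->refs++; }
    }
    t->nsproxy = p;
    nsproxy_put(old);
}
int main(void) {
    struct task a, b;
    a.nsproxy = nsproxy_init();
    task_fork(&b, &a);
    task_unshare(&b, NS_NET);   /* private network, shared pid space */
    printf("net private: %d, pid shared: %d\n",
           a.nsproxy->ns[NS_NET] != b.nsproxy->ns[NS_NET],
           a.nsproxy->ns[NS_PID] == b.nsproxy->ns[NS_PID]);
    nsproxy_put(b.nsproxy); nsproxy_put(a.nsproxy);
    return 0;
}
```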
