From: Kirill Korotaev <dev@openvz.org>
To: Dave Hansen <haveblue@us.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
serue@us.ibm.com, frankeh@watson.ibm.com, clg@fr.ibm.com
Subject: Re: sysctls inside containers
Date: Fri, 10 Mar 2006 13:17:47 +0300 [thread overview]
Message-ID: <4411524B.1000707@openvz.org> (raw)
In-Reply-To: <1141442246.9274.14.camel@localhost.localdomain>
> Well, I at least got to the point of seeing how the sysctls interact
> when I tried to containerize them. Eric, I think the idea of the sysv
> code being nicely and completely isolated is pretty much gone, due to
> their connection to sysctls. I think I'll go back and just isolate the
> "struct ipc_ids" portion. We can do the accounting bits later.
>
> The patches I have will isolate the IDs, but I'm not sure how much sense
> that makes without doing the things like the shm_tot variable. Does
> anybody think we need to go after sysctls first, perhaps? Or, is this a
> problem graph with cycles in it? :)
>
> I don't see an immediately clear solution on how to containerize sysctls
> properly. The entire construct seems to be built around getting data
> from in and out of global variables and into /proc files.
>
> We obviously want to be rid of many of these global variables. So, does
> it make sense to introduce different classes of sysctls, at least
> internally? There are probably just two types: global, writable only
> from the root container and container-private. Does it make sense to
> have _both_? Perhaps a sysadmin
>
> Eric, can you think of how you would represent these in the hierarchical
> container model? How would they work?
>
> On another note, after messing with putting data in the init_task for
> these things, I'm a little more convinced that we aren't going to want
> to clutter up the task_struct with all kinds of containerized resources,
> _plus_ make all of the interfaces to share or unshare each of those.
> That global 'struct container' is looking a bit more attractive.
After checking proposed yours, Eric and vserver solutions, I must say
that these all are hacks.
If we want to virtualize sysctl we need to do it in honest way:
multiple sysctl trees, which can be different in different namespaces.
For example, one namespace can see /proc/sys/net/route and the other one
not. Introducing helpers/handlers etc. doesn't fully solve the problem
of visibility of different parts of sysctl tree and it's access rights.
Another example, the same network device can present in 2 namespaces and
these are dynamically(!) created entries in sysctl.
So we need to address actually 2 issues:
- ability to limit parts of sysctl tree visibility to namespace
- ability to limit/change sysctl access rights in namespace
You can check OpenVZ for cloning sysctl tree code. It is not clean, nor
elegant, but can be cleanuped.
Thanks,
Kirill
next prev parent reply other threads:[~2006-03-10 10:13 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-02-20 15:45 Which of the virtualization approaches is more suitable for kernel? Kirill Korotaev
2006-02-20 16:12 ` Herbert Poetzl
2006-02-21 16:00 ` Kirill Korotaev
2006-02-21 20:33 ` Sam Vilain
2006-02-21 23:50 ` Herbert Poetzl
2006-02-22 10:09 ` [Devel] " Kir Kolyshkin
2006-02-22 15:26 ` Eric W. Biederman
2006-02-23 12:02 ` Kir Kolyshkin
2006-02-23 13:25 ` Eric W. Biederman
2006-02-23 14:00 ` Kir Kolyshkin
2006-02-24 21:44 ` Eric W. Biederman
2006-02-24 23:01 ` Herbert Poetzl
2006-02-27 17:42 ` Dave Hansen
2006-02-27 21:14 ` Eric W. Biederman
2006-02-27 21:35 ` Dave Hansen
2006-02-27 21:56 ` Eric W. Biederman
2006-03-04 3:17 ` sysctls inside containers Dave Hansen
2006-03-04 10:27 ` Eric W. Biederman
2006-03-06 16:27 ` Dave Hansen
2006-03-06 17:08 ` Herbert Poetzl
2006-03-06 17:18 ` Dave Hansen
2006-03-06 18:56 ` Eric W. Biederman
2006-03-10 10:17 ` Kirill Korotaev [this message]
2006-03-10 13:22 ` Eric W. Biederman
2006-03-10 10:19 ` Kirill Korotaev
2006-03-10 11:55 ` Eric W. Biederman
2006-03-10 18:58 ` Dave Hansen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4411524B.1000707@openvz.org \
--to=dev@openvz.org \
--cc=clg@fr.ibm.com \
--cc=ebiederm@xmission.com \
--cc=frankeh@watson.ibm.com \
--cc=haveblue@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox