From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from ganesha.gnumonks.org ([213.95.27.120]:35818 "EHLO ganesha.gnumonks.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753173AbeBSRkG (ORCPT ); Mon, 19 Feb 2018 12:40:06 -0500
Date: Mon, 19 Feb 2018 18:32:56 +0100
From: Harald Welte
To: David Miller
Cc: fw@strlen.de, daniel@iogearbox.net, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, alexei.starovoitov@gmail.com
Subject: Re: [PATCH RFC 0/4] net: add bpfilter
Message-ID: <20180219173256.GK5490@nataraja>
References: <20180219145935.GE6333@breakpoint.cc> <20180219.101335.8419642951000951.davem@davemloft.net> <20180219152746.GH5490@nataraja> <20180219.103139.2230101523652161323.davem@davemloft.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180219.103139.2230101523652161323.davem@davemloft.net>
Sender: netdev-owner@vger.kernel.org
List-ID:

Hi David,

On Mon, Feb 19, 2018 at 10:31:39AM -0500, David Miller wrote:
> > Why is it practical to replace your kernel but not practical to replace
> > a small userspace tool running on top of it?
>
> The container is just userspace components. Those are really baked in
> and are never changing.

never until you have to apply a bug fix for any of the many components
you bake into it. I am doing this on an (at least) weekly basis for my
Docker containers. That's no different from a classic Linux distribution
where you update your apt/rpm packages all the time.

A container that is static and cannot be continuously updated with new
versions for security (and other) fixes is broken by design. If some
people are doing this, they IMHO have no sense of IT security, and such
usage patterns are not what kernel development should cite as primary
use case (again IMHO).

> This is how cloud hosting environments work.

Yes, *one* particular use case. By far not every use case of Linux, or
Linux packet filtering.

--
- Harald Welte http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)