From: Kirill Korotaev <dev@sw.ru>
To: Jeff Garzik <jeff@garzik.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
yoshfuji@linux-ipv6.org, netdev@vger.kernel.org,
shemminger@linux-foundation.org, hadi@cyberus.ca,
David Miller <davem@davemloft.net>,
greearb@candelatech.com, containers@lists.osdl.org,
Andrew Morton <akpm@linux-foundation.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
kaber@trash.net
Subject: Re: [Devel] Re: [RFD] L2 Network namespace infrastructure
Date: Wed, 27 Jun 2007 19:38:35 +0400 [thread overview]
Message-ID: <4682847B.4080509@sw.ru> (raw)
In-Reply-To: <467DC8CC.3020002@garzik.org>
Jeff Garzik wrote:
> Eric W. Biederman wrote:
>
>>Jeff Garzik <jeff@garzik.org> writes:
>>
>>
>>>David Miller wrote:
>>>
>>>>I don't accept that we have to add another function argument
>>>>to a bunch of core routines just to support this crap,
>>>>especially since you give no way to turn it off and get
>>>>that function argument slot back.
>>>>
>>>>To be honest I think this form of virtualization is a complete
>>>>waste of time, even the openvz approach.
>>>>
>>>>We're protecting the kernel from itself, and that's an endless
>>>>uphill battle that you will never win. Let's do this kind of
>>>>stuff properly with a real minimal hypervisor, hopefully with
>>>>appropriate hardware level support and good virtualized device
>>>>interfaces, instead of this namespace stuff.
>>>
>>>Strongly seconded. This containerized virtualization approach just bloats up
>>>the kernel for something that is inherently fragile and IMO less secure --
>>>protecting the kernel from itself.
>>>
>>>Plenty of other virt approaches don't stir the code like this, while
>>>simultaneously providing fewer, more-clean entry points for the virtualization
>>>to occur.
>>
>>Wrong. I really don't want to get into a my virtualization approach is better
>>then yours. But this is flat out wrong.
>
>
>>99% of the changes I'm talking about introducing are just:
>>- variable
>>+ ptr->variable
>>
>>There are more pieces mostly with when we initialize those variables but
>>that is the essence of the change.
>
>
> You completely dodged the main objection. Which is OK if you are
> selling something to marketing departments, but not OK
It is a pure illusion that one kind of virtualization is better then the other one.
Look, maybe *hardware* virtualization and a small size of the hypervisor
make you feel safer, however you totally forget about all the emulation drivers etc.
which can have bugs and security implications as well and maybe triggerable
from inside VM.
> Containers introduce chroot-jail-like features that give one a false
> sense of security, while still requiring one to "poke holes" in the
> illusion to get hardware-specific tasks accomplished.
The concepts of users in any OS (and in Linux in particular) give people
a false sense of security as well!
I know a bunch of examples of how one user can crash/DoS/abuse another one
e.g. on RHEL5 or mainstream.
But no one have problems with that and no one thinks that multiuserness
is a step-backward or maybe someone does?!
Yes, there are always bugs and sometimes security implications,
but people leave fine with it when it is fixed.
> The capable/not-capable model (i.e. superuser / normal user) is _still_
> being secured locally, even after decades of work and whitepapers and
> audits.
> You are drinking Deep Kool-Aid if you think adding containers to the
> myriad kernel subsystems does anything besides increasing fragility, and
> decreasing security. You are securing in-kernel subsystems against
> other in-kernel subsystems. superuser/user model made that difficult
> enough... now containers add exponential audit complexity to that. Who
> is to say that a local root does not also pierce the container model?
containers do the only thing:
make sure that objects from one context are not visible to another one.
If containers are not used - everything returns to the case as it is now, i.e.
everything is global and globally visible and no auditing overhead at all.
So if you are not interested in containers - the code auditing
won't be noticably harder for you.
>>And as opposed to other virtualization approaches so far no one has been
>>able to measure the overhead. I suspect there will be a few more cache
>>line misses somewhere but they haven't shown up yet.
>>
>>If the only use was strong isolation which Dave complains about I would
>>concur that the namespace approach is inappropriate. However there are
>>a lot other uses.
>
>
> Sure there are uses. There are uses to putting the X server into the
> kernel, too. At some point complexity and featuritis has to take a back
> seat to basic sanity.
I agree about sanity, however I totally disagree about complexity
you talk about.
Bugs we face/fix in Linux kernel which are found with the help of
that kind of virtualization makes me believe that Linux kernel
only wins from it.
Thanks,
Kirill
next prev parent reply other threads:[~2007-06-27 15:42 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-06-22 19:39 [RFD] L2 Network namespace infrastructure Eric W. Biederman
2007-06-22 21:22 ` [PATCH] net: Basic network " Eric W. Biederman
2007-06-23 10:40 ` [RFD] L2 Network " Patrick McHardy
2007-06-23 15:20 ` Ben Greear
2007-06-23 17:26 ` Eric W. Biederman
2007-06-23 20:09 ` Ben Greear
2007-06-23 20:39 ` Eric W. Biederman
2007-06-23 20:44 ` Ben Greear
2007-06-23 17:26 ` Stephen Hemminger
2007-06-23 17:55 ` Eric W. Biederman
2007-06-23 20:03 ` Ben Greear
2007-06-27 14:41 ` [Devel] " Kirill Korotaev
2007-06-23 17:19 ` Eric W. Biederman
2007-06-23 18:00 ` Patrick McHardy
2007-06-23 19:08 ` Eric W. Biederman
2007-06-23 20:19 ` Carl-Daniel Hailfinger
2007-06-23 20:31 ` Eric W. Biederman
2007-06-23 20:57 ` David Miller
2007-06-23 21:22 ` Benny Amorsen
2007-06-24 5:39 ` David Miller
2007-06-23 21:41 ` Eric W. Biederman
2007-06-24 5:45 ` David Miller
2007-06-24 12:58 ` Eric W. Biederman
2007-06-25 2:39 ` David Miller
2007-06-26 15:32 ` Eric W. Biederman
2007-06-23 22:15 ` Jeff Garzik
2007-06-23 22:56 ` Eric W. Biederman
2007-06-24 1:28 ` Jeff Garzik
2007-06-25 15:23 ` Serge E. Hallyn
2007-06-27 15:38 ` Kirill Korotaev [this message]
2007-06-24 5:48 ` David Miller
2007-06-24 10:25 ` Benny Amorsen
2007-06-24 12:38 ` Eric W. Biederman
2007-06-25 15:11 ` Serge E. Hallyn
2007-06-28 14:53 ` Kirill Korotaev
2007-06-27 14:39 ` [Devel] " Kirill Korotaev
2007-06-27 14:45 ` Patrick McHardy
2007-06-27 14:56 ` Ben Greear
2007-06-28 13:12 ` Kirill Korotaev
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4682847B.4080509@sw.ru \
--to=dev@sw.ru \
--cc=akpm@linux-foundation.org \
--cc=containers@lists.osdl.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=greearb@candelatech.com \
--cc=hadi@cyberus.ca \
--cc=jeff@garzik.org \
--cc=kaber@trash.net \
--cc=netdev@vger.kernel.org \
--cc=shemminger@linux-foundation.org \
--cc=torvalds@linux-foundation.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).