From: ebiederm@xmission.com (Eric W. Biederman)
Subject: Re: strict isolation of net interfaces
Date: Fri, 30 Jun 2006 11:41:59 -0600
To: "Serge E. Hallyn"
Cc: Daniel Lezcano, Cedric Le Goater, Sam Vilain, hadi@cyberus.ca, Herbert Poetzl, Alexey Kuznetsov, viro@ftp.linux.org.uk, devel@openvz.org, dev@sw.ru, Andrew Morton, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Andrey Savochkin, Ben Greear, Dave Hansen
References: <1151449973.24103.51.camel@localhost.localdomain> <20060627234210.GA1598@ms2.inr.ac.ru> <20060628133640.GB5088@MAIL.13thfloor.at> <1151502803.5203.101.camel@jzny2> <44A44124.5010602@vilain.net> <44A450D1.2030405@fr.ibm.com> <20060630023947.GA24726@sergelap.austin.ibm.com> <44A517B4.4010500@fr.ibm.com> <20060630161442.GA27210@sergelap.austin.ibm.com>
In-Reply-To: <20060630161442.GA27210@sergelap.austin.ibm.com> (Serge E. Hallyn's message of "Fri, 30 Jun 2006 11:14:42 -0500")
List-Id: netdev.vger.kernel.org

"Serge E. Hallyn" writes:

> Quoting Eric W. Biederman (ebiederm@xmission.com):
>> This whole debate on network devices show up in multiple network namespaces
>> is just silly. The only reason for wanting that appears to be better
>> management.
>
> A damned good reason.

Better management is a good reason. But constructing the management in a way
that hampers the implementation and confuses existing applications is a
problem.

Things are much easier if namespaces are completely independent. Among other
things the semantics are clear and obvious.

> Clearly we want the parent namespace to be able to control what the child
> can do. So whatever interface a child gets, the parent should be able to
> somehow address. Simple iptables rules controlling traffic between its own
> netdevice and the one it hands its children seem a good option.

That or we set up the child and then drop CAP_NET_ADMIN.

>> We have deeper issues like can we do a reasonable implementation without a
>> network device showing up in multiple namespaces.
>
> Isn't that the same issue?

I guess I was thinking from the performance and cleanliness point of view.

>> If we can get layer 2 level isolation working without measurable overhead
>> with one namespace per device it may be worth revisiting things. Until
>> then it is a side issue at best.
>
> Ok, and in the meantime we can all use the network part of the bsdjail
> lsm? :)

If necessary. But mostly we concentrate on the fundamentals and figure out
what it takes to get the level 2 stuff working.

Eric