LWN.net Logo

Advertisement

Writers Wanted

Front, Kernel, Security, Distributions, Development. See your byline here on LWN.net.

Advertise here

Not logged in

Log in now

Create an account

Subscribe to LWN

Sponsored link

Vyatta – Linux & Open Source Alternative to Cisco – Advanced Routing, Firewall, VPN, QoS..
Free Download ->

Recent Features

Plugging into GCC

LWN.net Weekly Edition for October 2, 2008

Ubuntu debuts its Upstream Report

openSUSE and the distribution of proprietary software

LPC: What's happening with webcams

Printable page
Weekly edition Kernel Security Distributions Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ

KS2007: Containers

KS2007: Containers

Posted Sep 12, 2007 14:41 UTC (Wed) by ebiederm (subscriber, #35028)
Parent article: KS2007: Containers

When I claimed the current kernel infrastructure is more general then
vserver and OpenVZ what I meant is that we have to support the entire
kernel and everything it can do, and doing it with code that can pass
a code review by the kernel community. Ensuring that architecture and
subarchitecture will work, and that every weird kernel subsystem will work
appears to me to be more then the out of tree projects have tackled.

Doing this this with namespaces makes decomposes the problem so we can
have an incremental merge (simplifying things). It also makes things a
little harder as we have to handle all of the weird partial interactions.

The question asked of me is how long until we have in kernel support that
is equal to OpenVZ, or Solaris Zones. Getting there pretty much requires
us to get everything complete and will take a while.

If you only need a subset of that functionality (like a lot of projects)
we should have something interesting when the we get things like the pid
namespace merged.

Having the additional resource management seems to be a big part of the
existing out of tree solutions because when you load the machine heavily
you have more contention between users. However for some uses like a
better chroot for rpm installs or an isolated set of process for
checkpoint restart you don't need additional resource management.

For global resources there are two approaches that a designer can choose
from. Namespaces where you allow two instances of the same global name to
exist in different namespaces. Pure isolation (which is almost
exclusively what vserver provides) which only allows you to see a subset
of the global names. If you are not supporting process migration they
are about the same. Without namespaces process migration is in trouble
because there is no guarantee that you can restore your global identifiers
and keep running.

What little I know of Solaris Zones is that they grew out of efforts to
improve chroot type solutions, and thus do primarily global resource
isolation and do not provide namespaces. The implication of that is that
Solaris Zones do not provide an easy path to container migration from one
machine to another. However everything is evolving and even if my
understanding was right at one time, Solaris may have changed since then.

As for the question of what are network namespaces. They are a way to
make it appear to user space as if you have multiple network stacks. Each
logical stack with it's own routing tables, firewall tables, network
devices and the works. Fundamentally they aren't to hard to implement but
they need a bit of work on how the network stack handles global data.

Eric

(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds