Posted Sep 12, 2007 14:41 UTC (Wed) by ebiederm
Parent article: KS2007: Containers
When I claimed the current kernel infrastructure is more general than
vserver and OpenVZ, what I meant is that we have to support the entire
kernel and everything it can do, and do it with code that can pass
a code review by the kernel community. Ensuring that each architecture and
subarchitecture will work, and that every weird kernel subsystem will work,
appears to me to be more than the out of tree projects have tackled.
Doing this with namespaces decomposes the problem so we can
have an incremental merge (simplifying things). It also makes things a
little harder, as we have to handle all of the weird partial interactions.
The question asked of me is how long until we have in kernel support that
is equal to OpenVZ, or Solaris Zones. Getting there pretty much requires
us to get everything complete and will take a while.
If you only need a subset of that functionality (like a lot of projects)
we should have something interesting when we get things like the pid
Having the additional resource management seems to be a big part of the
existing out of tree solutions, because when you load the machine heavily
you have more contention between users. However, for some uses, like a
better chroot for rpm installs or an isolated set of processes for
checkpoint/restart, you don't need additional resource management.
For global resources there are two approaches that a designer can choose
from: namespaces, where you allow two instances of the same global name to
exist in different namespaces, and pure isolation (which is almost
exclusively what vserver provides), which only allows you to see a subset
of the global names. If you are not supporting process migration they
are about the same. Without namespaces process migration is in trouble,
because there is no guarantee that you can restore your global identifiers
and keep running.
What little I know of Solaris Zones is that they grew out of efforts to
improve chroot type solutions, and thus do primarily global resource
isolation and do not provide namespaces. The implication of that is that
Solaris Zones do not provide an easy path to container migration from one
machine to another. However everything is evolving and even if my
understanding was right at one time, Solaris may have changed since then.
As for the question of what network namespaces are: they are a way to
make it appear to user space as if you have multiple network stacks, each
logical stack with its own routing tables, firewall tables, network
devices and the works. Fundamentally they aren't too hard to implement, but
they need a bit of work on how the network stack handles global data.
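The distinction drawn above between namespaces and pure isolation, and the description of a network namespace as a separate logical stack, can be seen directly with today's in-tree interfaces. The program below is an added example for this page; it is not code from ebiederm, the kernel, vserver or OpenVZ. It assumes a Linux kernel with user, pid and net namespaces enabled and a downward-growing stack (x86, arm), and it relies on two facts: the first process in a new pid namespace gets pid 1 there (the "same global name" existing twice, once in each namespace), and /proc/self/net/dev reflects the calling process's network namespace, so a fresh one lists only lo. The function name run_ns_demo and the report structs are this example's own. Where user namespaces are disabled, clone() fails with EPERM and the program reports that instead of faking a result.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Report sent from the child back to the parent over a pipe. */
struct ns_report {
    pid_t inner_pid;    /* getpid() as seen from inside the new pid namespace */
    int   netdev_count; /* interfaces in /proc/self/net/dev inside the new net namespace */
};

struct ns_result {
    int status;              /* 0 on success, -errno when the namespaces could not be created */
    pid_t outer_pid;         /* the same child as numbered in the parent's pid namespace */
    struct ns_report inner;  /* what the child saw from inside */
};

/* Count interfaces in the caller's network namespace.  /proc/net is a
 * symlink to /proc/self/net, so the listing follows the process, not the mount. */
static int count_netdevs(void)
{
    FILE *f = fopen("/proc/self/net/dev", "r");
    if (!f)
        return -errno;
    char line[512];
    int n = 0;
    while (fgets(line, sizeof line, f))
        if (strchr(line, ':'))   /* data lines look like "    lo: 0 0 ..."; headers have no ':' */
            n++;
    fclose(f);
    return n;
}

/* Entry point of the cloned child: it already lives in the new namespaces. */
static int child_fn(void *arg)
{
    int wfd = *(int *)arg;
    struct ns_report rep;
    rep.inner_pid = getpid();            /* 1: first process in the new pid namespace */
    rep.netdev_count = count_netdevs();  /* 1: a fresh net namespace holds only "lo" */
    if (write(wfd, &rep, sizeof rep) != (ssize_t)sizeof rep)
        return 1;
    return 0;
}

/* Stack for the child; clone() wants a pointer to its top (assumes it grows down). */
static char child_stack[64 * 1024] __attribute__((aligned(16)));

struct ns_result run_ns_demo(void)
{
    struct ns_result r;
    memset(&r, 0, sizeof r);
    int pipefd[2];
    if (pipe(pipefd) < 0) {
        r.status = -errno;
        return r;
    }
    /* CLONE_NEWUSER is included so an unprivileged caller may create the others. */
    int flags = CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET | SIGCHLD;
    pid_t pid = clone(child_fn, child_stack + sizeof child_stack, flags, &pipefd[1]);
    if (pid < 0) {
        r.status = -errno;   /* typically -EPERM where user namespaces are disabled */
        close(pipefd[0]);
        close(pipefd[1]);
        return r;
    }
    close(pipefd[1]);
    r.outer_pid = pid;       /* the child's name in *our* pid namespace */
    ssize_t got = read(pipefd[0], &r.inner, sizeof r.inner);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    if (got != (ssize_t)sizeof r.inner)
        r.status = -EIO;
    return r;
}

int main(void)
{
    struct ns_result r = run_ns_demo();
    if (r.status != 0) {
        printf("could not create namespaces: %s\n", strerror(-r.status));
        return 1;
    }
    printf("child is pid %d here, but pid %d inside its own pid namespace\n",
           (int)r.outer_pid, (int)r.inner.inner_pid);
    printf("child sees %d network interface(s) in its own net namespace\n",
           r.inner.netdev_count);
    return 0;
}
```

Pure isolation in the vserver sense would instead show the child a subset of the host's existing pids and devices under their original names; the point of the namespace approach is that the child's pid 1 and its lo are new instances that can be recreated with the same names on another machine, which is what makes checkpoint/restart and migration tractable.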