User: Password:
|
|
Subscribe / Log in / New account

The issues for agreeing on a virtualization/namespaces implementation.

From:  ebiederm-AT-xmission.com (Eric W. Biederman)
To:  Hubertus Franke <frankeh-AT-watson.ibm.com>
Subject:  The issues for agreeing on a virtualization/namespaces implementation.
Date:  Tue, 07 Feb 2006 15:06:51 -0700
Cc:  "Serge E. Hallyn" <serue-AT-us.ibm.com>, Sam Vilain <sam-AT-vilain.net>, Rik van Riel <riel-AT-redhat.com>, Kirill Korotaev <dev-AT-openvz.org>, Linus Torvalds <torvalds-AT-osdl.org>, Andrew Morton <akpm-AT-osdl.org>, linux-kernel-AT-vger.kernel.org, clg-AT-fr.ibm.com, haveblue-AT-us.ibm.com, greg-AT-kroah.com, alan-AT-lxorguk.ukuu.org.uk, arjan-AT-infradead.org, kuznet-AT-ms2.inr.ac.ru, saw-AT-sawoct.com, devel-AT-openvz.org, Dmitry Mishin <dim-AT-sw.ru>, Andi Kleen <ak-AT-suse.de>, Herbert Poetzl <herbert-AT-13thfloor.at>
Archive-link:  Article, Thread


I think I can boil the discussion down into some of the fundamental
questions that we are facing.

Currently everyone seems to agree that we need something like
my namespace concept that isolates multiple resources.

We need these for 
PIDS
UIDS
SYSVIPC
NETWORK
UTSNAME
FILESYSTEM
etc.

The questions seem to break down into:
1) Where do we put the references to the different namespaces?
   - Do we put the references in a struct container that we reference from struct task_struct?
   - Do we put the references directly in struct task_struct?

2) What is the syscall interface to create these namespaces?
   - Do we add clone flags?  
     (Plan 9 style)
   - Do we add a syscall (similar to setsid) per namespace?
     (Traditional unix style)?
   - Do we in addition add syscalls to manipulate containers generically?

   I don't think having a single system call to create a container and a new
   instance of each namespace is reasonable as that does not give us a
   path into the future when we create yet another namespace.

   If we have one syscall per each namespace why would we need a container
   structure?

3) How do we refer to namespaces and containers when we are not members?
   - Do we refer to them indirectly by processes or other objects that
     we can see and are members?
   - Do we assign some kind of unique id to the containers?
  

4) How do we implement each of these namespaces?
   Besides being maintainable are there other constraints?


5) How do we control the resource inside a namespace starting
   from a process that is outside of that namespace?
   - The filesystem mount namespace gave an interesting answer.
     So it is quite possible other namespaces will give
     equally interesting and surprising answers.


6) How do we do all of this efficiently without a noticeable impact on
   performance?
   - I have already heard concerns that I might be introducing cache
     line bounces and thus increasing tasklist_lock hold time.
     Which on big way systems can be a problem.

7) How do we allow a process inside a container to create containers
   for it's children?
   - In general this is trivial but there are a few ugly issues
     here.

I think these are the key questions of the conversation.


Personally so long as we get true namespaces, implemented in a
performant and maintainable way that a process from the inside can't
distinguish from what we have now I have no hard requirements.

   
Eric


(Log in to post comments)


Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds