
Sysfs and namespaces

Posted Aug 28, 2008 12:51 UTC (Thu) by danpb (subscriber, #4831)
In reply to: Sysfs and namespaces by liljencrantz
Parent article: Sysfs and namespaces

We are working on supporting this in libvirt's "LXC" driver (LinuX Containers). This driver uses the clone() syscall along with the new CLONE_NEW{PID,UTS,USER,NS,IPC,NET} flags to create a container that is isolated from the "host" operating system.

There are roughly two ways of using this capability:

- Workload isolation for applications. The application shares the same root filesystem as the host, perhaps with a few extra mount points and custom networking.

- Security isolation for applications. The application has a totally isolated private root filesystem, custom networking, etc - nothing is shared with the host OS.

As of 2.6.26, only the workload isolation use case is usable. Well, actually not quite true, we can do the private root filesystem too, but it is not secure because we're lacking some kernel capabilities still. For workload management we will be integrating with cgroups to control CPU/memory/etc limits.

For the security isolation use case to be usable in the real world, the sysfs namespace patch is one of the core missing pieces. The second is device namespace - so the nodes in /dev/ and /dev/pts inside the container are separated from those of the host OS. It is not clear in what timeframe this latter capability is going to appear. If it appears before 2.6.29 I'd be surprised...

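The clone() call with CLONE_NEW* flags that the comment describes can be exercised directly to confirm that a change made inside a new namespace does not reach the host. This is an added example, not part of the original comment and not libvirt's LXC driver code; it assumes a kernel that permits unprivileged user namespaces, and the function names and the hostname string are constructed for illustration.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (256 * 1024)
static char child_stack[STACK_SIZE] __attribute__((aligned(16)));

/* Runs inside the new namespaces: change the hostname the child sees. */
static int child_fn(void *arg)
{
    const char *name = arg;
    return sethostname(name, strlen(name)) == 0 ? 0 : 1;
}

/* Returns 1 if the child's hostname change stayed inside its UTS namespace,
 * 0 if the namespaces could not be created or used in this environment,
 * -1 if the change became visible to the parent (isolation failure). */
int uts_isolation_check(void)
{
    char before[256] = "", after[256] = "";
    int status;

    if (gethostname(before, sizeof(before) - 1) != 0)
        return 0;

    /* The stack grows down on common architectures, so pass its top.
     * CLONE_NEWUSER gives the child CAP_SYS_ADMIN over its own UTS
     * namespace only; the hostname string is a constructed value. */
    pid_t pid = clone(child_fn, child_stack + STACK_SIZE,
                      CLONE_NEWUSER | CLONE_NEWUTS | SIGCHLD,
                      "constructed-container");
    if (pid == -1)
        return 0;                       /* e.g. EPERM: refused by policy */
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)
        || WEXITSTATUS(status) != 0)
        return 0;

    if (gethostname(after, sizeof(after) - 1) != 0)
        return 0;
    return strcmp(before, after) == 0 ? 1 : -1;
}

int main(void)
{
    int r = uts_isolation_check();
    printf("%s\n", r == 1 ? "isolated" : r == 0 ? "namespaces unavailable" : "LEAK");
    return r < 0;
}
```

A result of 0 usually means the host disables unprivileged user namespaces or a seccomp profile blocks the clone flags, which is itself worth knowing when auditing a container host.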
