There are roughly two ways of using this capability:
- Workload isolation for applications. The application shares the same root filesystem as the host, perhaps with a few extra mount points and custom networking.
- Security isolation for applications. The application has a totally isolated private root filesystem, custom networking, etc. - nothing is shared with the host OS.
As of 2.6.26, only the workload isolation use case is usable. Well, actually that's not quite true: we can do the private root filesystem too, but it is not secure because we're still lacking some kernel capabilities. For workload management we will be integrating with cgroups to control CPU/memory/etc. limits.
For the security isolation use case to be usable in the real world, the sysfs namespace patch is one of the core missing pieces. The second is a device namespace - so the nodes in /dev/ and /dev/pts inside the container are separated from those of the host OS. It is not clear what the timeframe for this latter capability is going to be. If it appears before 2.6.29 I'd be surprised...
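One way to tell which of the two models a running process actually got is to compare its namespace identities with those of the host's init process. The following is an added Python example, not code from the comment above or from the kernel: it reads the `/proc/<pid>/ns/*` symlinks (present on kernels newer than the 2.6.26 discussed here, and only on Linux), and classifies the result. The set of namespace kinds in `NS_KINDS`, the `classify_isolation` thresholds and the "workload"/"security" labels are this example's own assumptions, mapping the comment's two models onto whether mnt, pid and net are all private. Note that the kernel still exposes no "dev" or "sysfs" entry here: device nodes and sysfs remain host-wide resources unless they are hidden by mounts, which is exactly the gap the comment describes.

```python
import os
import re

# Namespace kinds exposed under /proc/<pid>/ns on current kernels (assumed list).
# There is deliberately no "dev" or "sysfs" entry: those are not namespaced.
NS_KINDS = ("mnt", "pid", "net", "ipc", "uts", "user", "cgroup")

# A namespace symlink target looks like "mnt:[4026531840]".
_LINK_RE = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")


def parse_ns_link(target):
    """Parse a /proc/<pid>/ns/* symlink target into (kind, inode)."""
    m = _LINK_RE.match(target)
    if not m:
        raise ValueError("not a namespace link: %r" % target)
    return m.group("kind"), int(m.group("inode"))


def read_namespaces(pid="self", procfs="/proc"):
    """Return {kind: inode} for every namespace the process belongs to.

    Kinds the kernel does not know, or links we lack permission to read
    (e.g. /proc/1/ns/* as an unprivileged user), are simply skipped.
    """
    result = {}
    ns_dir = os.path.join(procfs, str(pid), "ns")
    for kind in NS_KINDS:
        try:
            kind_read, inode = parse_ns_link(os.readlink(os.path.join(ns_dir, kind)))
        except OSError:
            continue
        result[kind_read] = inode
    return result


def classify_isolation(proc_ns, host_ns):
    """Compare a process's namespaces with the host's and name the isolation model.

    Hypothetical rule used by this example: a private root filesystem, pid
    space and network stack together count as "security" isolation; anything
    less that still separates something is "workload" isolation.
    """
    common = [k for k in proc_ns if k in host_ns]
    private = sorted(k for k in common if proc_ns[k] != host_ns[k])
    shared = sorted(k for k in common if proc_ns[k] == host_ns[k])
    if not private:
        level = "none"
    elif {"mnt", "pid", "net"} <= set(private):
        level = "security"
    else:
        level = "workload"
    return {"level": level, "private": private, "shared": shared}


if __name__ == "__main__":
    # Audit the current process against pid 1. On the host itself every
    # namespace is shared; inside a container the private ones show up here.
    verdict = classify_isolation(read_namespaces("self"), read_namespaces(1))
    print("isolation level:", verdict["level"])
    print("private namespaces:", ", ".join(verdict["private"]) or "(none)")
    print("shared with host:", ", ".join(verdict["shared"]) or "(none)")
```

Run it from inside a container and from the host to see the difference; a "security" verdict still says nothing about /dev or /sys, which have to be checked by inspecting the mounts rather than the namespace links.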
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds