LXC?
LXC?
Posted Nov 15, 2012 19:48 UTC (Thu) by glommer (guest, #15592)In reply to: LXC? by xxiao
Parent article: LCE: The failure of operating systems and how we can fix it
There are many things that mainline Linux lacks. One of them, is the kernel memory limitation described in the article, that allows the host to protect against abuse from potentially malicious containers. It is trivial for a container to fill the memory with non-reclaimable objects, so no one else can be serviced.
User namespaces are progressing rapidly, but they are not there yet. Eric Biederman is doing a great job with that, patches are flowing rapidly, but you still lack a fully isolated capability system.
The pseudo file-systems /proc and /sys will still leak a lot of information from the host.
Tools like "top" won't work, because it is impossible to grab per-group figures of cpu usage. And this is not an extensive list.
So if "production" for you rely on any of the above, then no, you can't run LXC. If otherwise, then sure, you can run LXC.
Besides that, a lot of the kernel features that LXC relies on, were contributed for the OpenVZ project. So it is not like we're trying to fork the kernel, and keep people on our branch forever. It's just a quite big amount of work, the trade offs are not always clear for upstream, etc - It is no difference than Android in essence.
The ultimate goal, as stated in the article, is to have all the kernel functionality in mainline, so people can use any userspace tool they want.
Cheers
Posted Nov 16, 2012 12:29 UTC (Fri)
by TRS-80 (guest, #1804)
[Link] (1 responses)
Posted Nov 22, 2012 15:12 UTC (Thu)
by mathstuf (subscriber, #69389)
[Link]
Having decent userspace tools is something else that's missing from the upstream kernel container implementation. The kernel has all these features now, but no coherent way of managing them nicely yet.
LXC?
LXC?