From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Amir Goldstein <amir-3AfRa/s5aFdBDgjK7y7TUQ@public.gmane.org>
Cc: Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
lxc-devel
<lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Subject: Re: RFC: Device Namespaces
Date: Sun, 08 Sep 2013 17:51:55 -0700 [thread overview]
Message-ID: <871u4yddg4.fsf@xmission.com> (raw)
In-Reply-To: <CAA2m6vexArJ+6jFbK80Amstk=LK30=XDNHdBHSswP=LgpSP-6A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org> (Amir Goldstein's message of "Sun, 8 Sep 2013 14:28:55 +0200")
Amir Goldstein <amir@cellrox.com> writes:
> On Fri, Sep 6, 2013 at 7:50 PM, Eric W. Biederman
> <ebiederm@xmission.com> wrote:
>
> Hi Eric,
>
> If we can get people to take a quick look at the code before LPC
> that could make the LPC discussions more effective.
> Even looking at one of the subsystem patches can give a basic
> idea of the work we have done:
> https://github.com/Cellrox/linux/commits/devns-goldfish-3.4
>
> I think you are talking about having wrappers around your devices
> so you
> can share. Which is not the quite same problem the rest of us
> have been
> thinking of when talking about a device namespace.
>
> We are interested in all problems related to virtualizated view of
> devices
> inside a container, so let our work so far be a starting point to
> discuss all of them.
>
> My first impression is that this is better solved with more
> appropriate
> abstractions in userspace or in the kernel.
As I read your code, you are solving the problem of one opener of a
device among a group of openers being able to access a device at a time.
Which leads to the question why can't the multiplexing happen in
userspace?
I think with your design it would not be possible to play a song in one
device namespace while doing work in the other. As a security model
that isn't wrong but as someone trying to get work done that could be a
real pain.
The more common concern is to have devices we can use all of the time.
There may be a need for a device namespace and multiplexing access to
hardware devices makes that clearer. So far nothing has risen to the
level of we actually need a device namespace to do X. Especially in an
erra of hotplug and dynamic device numbers.
It is arguable that you could do your kind of device multiplexing with a
fuse device in userspace that implements your desired policy.
And policy is where cell situtation seems to fall down because it hard
codes one specific policy into the kernel, and a policy most situations
don't find useful.
Eric
_______________________________________________
Containers mailing list
Containers@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/containers
next prev parent reply other threads:[~2013-09-09 0:51 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-22 17:43 RFC: Device Namespaces Oren Laadan
[not found] ` <CAA4jN2aw4zEW=UfKCyqaOvXnbiRb_J9srfCn4OXTFzc6vWBM4A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-08-22 18:21 ` Serge Hallyn
2013-08-26 10:11 ` Oren Laadan
[not found] ` <CAA4jN2YL7Lfu2+DW-i+MovFxWEhJfT4aBBKREU_vy7JX9TKGHA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-06 17:50 ` Eric W. Biederman
[not found] ` <8761udlu0d.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-09-08 12:28 ` Amir Goldstein
[not found] ` <CAA2m6vexArJ+6jFbK80Amstk=LK30=XDNHdBHSswP=LgpSP-6A-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-09 0:51 ` Eric W. Biederman [this message]
[not found] ` <871u4yddg4.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-09-10 7:09 ` Amir Goldstein
[not found] ` <CAA2m6vc_kWWGDWcdjk26N3YvTqZySLFxPQRjOD9_ypBOka2+GQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-25 11:05 ` Janne Karhunen
[not found] ` <CAE=NcrbyFFoMn2nfBA_=ZtwD=eGLvqK=L-U9MuGrtJFLZfZppw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-25 20:23 ` Eric W. Biederman
[not found] ` <87ioxo4pm5.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-09-25 21:17 ` [lxc-devel] " Jeremy Andrus
[not found] ` <AD5F7BD2-0166-46BD-AB14-463C0E88BC92-eQaUEPhvms7ENvBUuze7eA@public.gmane.org>
2013-09-25 21:47 ` Eric W. Biederman
[not found] ` <8738osr2ue.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-09-29 17:56 ` Amir Goldstein
2013-09-25 21:34 ` Eric W. Biederman
[not found] ` <87bo3gshz5.fsf_-_-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-09-26 5:33 ` Greg Kroah-Hartman
[not found] ` <20130926053320.GB3725-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-09-26 8:25 ` Janne Karhunen
[not found] ` <CAE=NcrbPXGWU8FUgwchXyL5HjXf+4AKbgUWGe1ZO=Xcq=iV-Lg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-26 13:56 ` Greg Kroah-Hartman
[not found] ` <20130926135604.GA16624-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-09-26 17:01 ` Janne Karhunen
[not found] ` <CAE=NcrY3xC1AF_GV2b1KsF7AwYZTuGBuKLS5yBUWoWcmKU4YBg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-09-26 17:07 ` Greg Kroah-Hartman
[not found] ` <20130926170757.GA9345-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-09-26 17:56 ` Janne Karhunen
2013-09-30 15:37 ` James Bottomley
[not found] ` <1380555439.2161.5.camel-sFMDBYUN5F8GjUHQrlYNx2Wm91YjaHnnhRte9Li2A+AAvxtiuMwx3w@public.gmane.org>
2013-09-30 16:11 ` Greg Kroah-Hartman
[not found] ` <20130930161117.GA26459-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-09-30 16:33 ` James Bottomley
2013-10-01 6:19 ` Janne Karhunen
[not found] ` <CAE=NcrYV2RiMV7PcwEjFGFRBrz9XdZGs86Wau2a+6xpYN2aEHA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-10-01 17:27 ` Andy Lutomirski
[not found] ` <CALCETrWWoHzuJcnfEUY+cFpOgT5gnG8U1cVbCW0_8V7Z_v6DJw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2013-10-01 17:53 ` Serge E. Hallyn
[not found] ` <20131001175345.GA4145-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2013-10-01 19:51 ` Eric W. Biederman
[not found] ` <87had0wz07.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2013-10-01 20:46 ` Serge Hallyn
2013-10-01 22:59 ` [lxc-devel] " Michael H. Warfield
2013-10-02 22:55 ` Eric W. Biederman
2013-10-01 20:57 ` Greg Kroah-Hartman
[not found] ` <20131001205718.GA17036-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-10-02 22:45 ` Eric W. Biederman
2013-10-01 22:19 ` Michael H. Warfield
2013-10-01 18:36 ` Janne Karhunen
2013-10-01 17:33 ` Greg Kroah-Hartman
[not found] ` <20131001173342.GA19267-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
2013-10-01 18:23 ` Janne Karhunen
2013-10-28 23:31 ` Andrey Wagin
2013-08-29 19:06 ` RFC: " Andy Lutomirski
[not found] ` <521F9BBE.2070505-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>
2013-09-03 19:35 ` [lxc-devel] " Stéphane Graber
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871u4yddg4.fsf@xmission.com \
--to=ebiederm-as9lmozglivwk0htik3j/w@public.gmane.org \
--cc=amir-3AfRa/s5aFdBDgjK7y7TUQ@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).