On Fri, 2005-12-16 at 12:45 -0800, Gerrit Huizenga wrote:
> Interesting... So how to tasks get *into* a container?
Only by inheritance.
> And can they ever get back "out" of a container?
No. Think of the pids again. Even the "outside" of a container, things
like the real init, have to have unique pids. What if the process's pid
is the same as one in use in the default container?
> Are most processes on the system
> initially not in a container? And then they can be stuffed in a container?
> And then containers can be moved around or be isolated from each other?
The current idea is that processes are assigned at fork-time. The
isolation is for the lifetime of the process.
> And, is pid virtualization the point where this happens? Or is that
> a slightly higher level? In other words, is pid virtualization the
> full implementation of container isolation? Or is it a significant
> element on which additional policy, restrictions, and usage models
> can be built?
pid virtualization is simply the one that's easiest to understand, and
the one that demonstrates the largest number of issues. It is a small
piece of the puzzle, but an important one.
-- Dave
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
