Re: The issues for agreeing on a virtualization/namespaces implementation.

On Feb 07, 2006, at 17:06, Eric W. Biederman wrote:

I think I can boil the discussion down into some of the fundamentalquestions that we are facing.
Currently everyone seems to agree that we need something like mynamespace concept that isolates multiple resources.
We need these for
UIDS
FILESYSTEM

I have one suggestion for this (it also covers capabilities to acertain extent). Could we use the kernel credentials system toabstract away the concept of a single UID/GID? We currently haveuid, euid, gid, egid, groups, fsid. I'm thinking that there would bevirtualized UID tables to determine ownership of processes/SHM/etc.

Each process would have a (uid_container,uid) pair (or similar) asits "uid" and likewise for gid. Then the ability to send signals toany given (uid_container,uid) or (gid_container,gid) pair would begiven by keys in the kernel keyring indexed by the "uid_container"part and containing the "uid" part (or maybe just a pointer).

Likewise the filesystem access could be virtualized by using uid andgid keys in the kernel keyring indexed by vfsmount (Not superblock,so that it would be possible to have different UID representations ondifferent mounts/parts of the same filesystem).

I'm guessing that the performance implications of the above would notbe quite so nice, as it would put a lot of code in the fastpath, butI would guess that it might be possible to use the existing fieldsfor processes without any virtualization needs.


Cheers,
Kyle Moffett

--

There is no way to make Linux robust with unreliable memorysubsystems, sorry. It would be like trying to make a human morerobust with an unreliable O2 supply. Memory just has to work.

  -- Andi Kleen


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Follow-Ups:
- Re: The issues for agreeing on a virtualization/namespaces implementation.
  - From: [email protected] (Eric W. Biederman)

References:
- [PATCH 1/4] Virtualization/containers: introduction
  - From: Kirill Korotaev <[email protected]>
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: [email protected] (Eric W. Biederman)
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: Rik van Riel <[email protected]>
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: Sam Vilain <[email protected]>
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: Hubertus Franke <[email protected]>
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: "Serge E. Hallyn" <[email protected]>
- Re: [PATCH 1/4] Virtualization/containers: introduction
  - From: Hubertus Franke <[email protected]>
- The issues for agreeing on a virtualization/namespaces implementation.
  - From: [email protected] (Eric W. Biederman)

Prev by Date: Re: [PATCH] percpu data: only iterate over possible CPUs
Next by Date: Re: sound problem on recent PowerBook5,8 MacRISC3
Previous by thread: Re: The issues for agreeing on a virtualization/namespaces implementation.
Next by thread: Re: The issues for agreeing on a virtualization/namespaces implementation.
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]