Michael Tokarev writes:
> [Replying to an oldish email...]
>
> On 12.10.2011 20:59, Kay Sievers wrote:
>> On Mon, Oct 10, 2011 at 23:41, Lennart Poettering
>> wrote:
>>> On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
>>
>>> - udev. All of the kernel interfaces for u
On 02.11.2011 03:51, Eric W. Biederman wrote:
[]
>> And having CAP_MKNOD in container may not be that bad either, while
>> cgroup device.permission is set correctly - some nodes may need to
>> be created still, even in an unprivileged containers. Who filters
>> out CAP_MKNOD during container start
[Replying to an oldish email...]
On 12.10.2011 20:59, Kay Sievers wrote:
> On Mon, Oct 10, 2011 at 23:41, Lennart Poettering
> wrote:
>> On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
>
>>> - udev. All of the kernel interfaces for udev should be supported in
>>> cur
Ted Ts'o writes:
>> I am of course making it sound a million times easier than it's
>> actually likely to be, but I do think it's possible without too many
>> odd corner cases.
>
> It's not the corner cases, it's all of the different name spaces that
> different system administrators and their si
On 10/14/2011 11:04 AM, Eric W. Biederman wrote:
>
> I have found and merged a solution that allows us to name namespaces
> without needing a namespaces for namespaces.
>
Something based on UUIDs, perhaps?
UUIDs are kind of exactly this, after all... a single namespace designed
to be large and
On Wed, Oct 12, 2011 at 03:12:34PM -0400, Kyle Moffett wrote:
> Well, you're going to need to introduce a bunch of new xattrs to
> handle the namespacing anyways.
>
> As I understand it you can use RichACLs to grant all the same
> privileges as owner and group, so you can simply map the real
> nam
On Wed, Oct 12, 2011 at 02:25:04PM -0400, Kyle Moffett wrote:
> On Wed, Oct 12, 2011 at 13:57, J. Bruce Fields wrote:
> > On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote:
> >> Where all of this winds up interesting in the field of oncoming kernel
> >> work is that uids are persis
On Wed, Oct 12, 2011 at 15:04, J. Bruce Fields wrote:
> On Wed, Oct 12, 2011 at 02:25:04PM -0400, Kyle Moffett wrote:
>> On Wed, Oct 12, 2011 at 13:57, J. Bruce Fields wrote:
>> > On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote:
>> >> Where all of this winds up interesting in th
On Wed, Oct 12, 2011 at 13:57, J. Bruce Fields wrote:
> On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote:
>> Where all of this winds up interesting in the field of oncoming kernel
>> work is that uids are persistent and are stored in file systems. So
>> once we have all of the pe
On Tue, Oct 11, 2011 at 02:16:24PM -0700, Eric W. Biederman wrote:
> It actually isn't much complexity and for the most part the code that
> I care about in that area is already merged. In principle all I care
> about are having the identity checks go from:
> (uid1 == uid2) to ((user_ns1 == user_ns
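The identity check quoted above, going from a bare `(uid1 == uid2)` to a comparison that also takes the user namespace into account, as an added C model that is not code from this thread or from the kernel. It assumes the uid_map extent layout (id inside the namespace, id in the parent namespace, length) and resolves a `(namespace, uid)` pair by walking the parent chain at lookup time, a simplification of what the kernel does; the sample namespaces, names and ranges are constructed for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added model of user-namespace uid mapping (illustration only, not
 * kernel code).  A namespace's uid_map is a list of extents, each
 * saying "ids first..first+count-1 in this namespace are
 * lower_first..lower_first+count-1 in the parent namespace".
 * The kernel-internal identity of a user is the value its uid has in
 * the initial namespace; that is what gets compared and stored on disk.
 */
#define MAX_EXTENTS 5
#define MAX_DEPTH   16
#define INVALID_UID ((uint32_t)-1)   /* unmapped id, like the kernel's overflow uid */

struct uid_extent { uint32_t first, lower_first, count; };

struct user_ns {
    const char *name;
    const struct user_ns *parent;     /* NULL for the initial namespace */
    struct uid_extent ext[MAX_EXTENTS];
    int nr_ext;
};

typedef struct { uint32_t val; } kuid_t;   /* kernel-internal uid */

/* one-level translation: id inside ns -> id in ns->parent */
static uint32_t to_parent(const struct user_ns *ns, uint32_t id)
{
    for (int i = 0; i < ns->nr_ext; i++) {
        const struct uid_extent *e = &ns->ext[i];
        if (id >= e->first && id - e->first < e->count)
            return e->lower_first + (id - e->first);
    }
    return INVALID_UID;
}

/* one-level translation: id in ns->parent -> id inside ns */
static uint32_t from_parent(const struct user_ns *ns, uint32_t id)
{
    for (int i = 0; i < ns->nr_ext; i++) {
        const struct uid_extent *e = &ns->ext[i];
        if (id >= e->lower_first && id - e->lower_first < e->count)
            return e->first + (id - e->lower_first);
    }
    return INVALID_UID;
}

/* (ns, uid) -> kernel id: walk the chain up to the initial namespace
 * (simplified model; the kernel resolves this from a flattened table). */
kuid_t make_kuid(const struct user_ns *ns, uint32_t uid)
{
    while (ns->parent && uid != INVALID_UID) {
        uid = to_parent(ns, uid);
        ns = ns->parent;
    }
    return (kuid_t){ uid };
}

/* kernel id -> what a process in ns sees, INVALID_UID if not mapped there */
uint32_t from_kuid(const struct user_ns *ns, kuid_t k)
{
    const struct user_ns *chain[MAX_DEPTH];
    int depth = 0;
    for (const struct user_ns *p = ns; p->parent; p = p->parent) {
        if (depth == MAX_DEPTH)
            return INVALID_UID;
        chain[depth++] = p;
    }
    uint32_t id = k.val;
    while (depth-- > 0 && id != INVALID_UID)
        id = from_parent(chain[depth], id);   /* initial ns downwards */
    return id;
}

bool uid_valid(kuid_t k) { return k.val != INVALID_UID; }
bool uid_eq(kuid_t a, kuid_t b) { return a.val == b.val; }

/* The check the thread moves away from: bare numbers, no namespace. */
bool naive_same_user(uint32_t uid1, uint32_t uid2) { return uid1 == uid2; }

/* The namespace-aware check: equal only if both pairs resolve to the
 * same valid kernel id, i.e. ((user_ns1, uid1) == (user_ns2, uid2)). */
bool ns_same_user(const struct user_ns *ns1, uint32_t uid1,
                  const struct user_ns *ns2, uint32_t uid2)
{
    kuid_t a = make_kuid(ns1, uid1), b = make_kuid(ns2, uid2);
    return uid_valid(a) && uid_valid(b) && uid_eq(a, b);
}

/* Constructed sample namespaces (not from the thread): two containers
 * whose uids 0..999 land on disjoint host ranges, plus a namespace
 * nested inside the first whose uid 0 is the first container's 500. */
static const struct user_ns init_ns = { .name = "init" };
static const struct user_ns ctr_a = { .name = "ctr_a", .parent = &init_ns,
    .ext = {{ .first = 0, .lower_first = 100000, .count = 1000 }}, .nr_ext = 1 };
static const struct user_ns ctr_b = { .name = "ctr_b", .parent = &init_ns,
    .ext = {{ .first = 0, .lower_first = 200000, .count = 1000 }}, .nr_ext = 1 };
static const struct user_ns nested = { .name = "nested", .parent = &ctr_a,
    .ext = {{ .first = 0, .lower_first = 500, .count = 10 }}, .nr_ext = 1 };

int main(void)
{
    printf("root in %s is kernel uid %u, root in %s is %u\n",
           ctr_a.name, make_kuid(&ctr_a, 0).val,
           ctr_b.name, make_kuid(&ctr_b, 0).val);
    printf("naive (0 == 0): %d   namespace-aware: %d\n",
           naive_same_user(0, 0), ns_same_user(&ctr_a, 0, &ctr_b, 0));
    printf("%s's root seen from %s: %u (unmapped)\n", ctr_b.name, ctr_a.name,
           from_kuid(&ctr_a, make_kuid(&ctr_b, 0)));
    return 0;
}
```

The point the model makes concrete: root in `ctr_a` and root in `ctr_b` are both uid 0 inside their namespaces, so the bare comparison says they are the same user, while the kernel id comparison says they are not; an inode owned by one of them is unmapped (overflow uid) when viewed from the other container, which is what makes uids stored on disk safe to share between namespaces.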
On Mon, Oct 10, 2011 at 23:41, Lennart Poettering wrote:
> On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
>> - udev. All of the kernel interfaces for udev should be supported in
>> current kernels. However I believe udev is useless because container
>> start drops
Quoting da...@lang.hm (da...@lang.hm):
> On Tue, 11 Oct 2011, Eric W. Biederman wrote:
>
> >da...@lang.hm writes:
> >
> >>On Tue, 11 Oct 2011, Eric W. Biederman wrote:
> >>
> >>>Theodore Tso writes:
> >>>
> >>>>On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
> >>>>
> >>>>>I admit for a lot of
On Tue, 11 Oct 2011, Eric W. Biederman wrote:
> Theodore Tso writes:
>
>> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>>
>>> I am totally in favor of not starting the entire world. But just
>>> like I find it convenient to loopback mount an iso image to see
>>> what is on a disk image
On Mon, 10 Oct 2011, Matt Helsley wrote:
> On Mon, Oct 10, 2011 at 09:32:01PM -0400, Ted Ts'o wrote:
>> On Mon, Oct 10, 2011 at 01:59:10PM -0700, Eric W. Biederman wrote:
>>> Lennart Poettering writes:
>>>
>>>> To make a standard distribution run nicely in a Linux container you
>>>> usually have
Theodore Tso writes:
> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>
>> I am totally in favor of not starting the entire world. But just
>> like I find it convenient to loopback mount an iso image to see
>> what is on a disk image. It would be handy to be able to just
>> download a d
da...@lang.hm writes:
> On Tue, 11 Oct 2011, Eric W. Biederman wrote:
>
>> Theodore Tso writes:
>>
>>> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>>>
>>>> I am totally in favor of not starting the entire world. But just
>>>> like I find it convenient to loopback mount an iso image to
On Tue, 11 Oct 2011, Eric W. Biederman wrote:
> da...@lang.hm writes:
>
>> On Tue, 11 Oct 2011, Eric W. Biederman wrote:
>>
>>> Theodore Tso writes:
>>>
>>>> On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
>>>>> I admit for a lot of test cases that it makes sense not to use a full
>>>>> se
On Oct 11, 2011, at 2:42 AM, Eric W. Biederman wrote:
> I am totally in favor of not starting the entire world. But just
> like I find it convenient to loopback mount an iso image to see
> what is on a disk image. It would be handy to be able to just
> download a distro image and play with it,
Lennart Poettering writes:
> On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
>
>> > Quite a few kernel subsystems are
>> > currently not virtualized, for example SELinux, VTs, most of sysfs, most
>> > of /proc/sys, audit, udev or file systems (by which I mean that for a
>
On Mon, Oct 10, 2011 at 01:59:10PM -0700, Eric W. Biederman wrote:
> Lennart Poettering writes:
>
> > To make a standard distribution run nicely in a Linux container you
> > usually have to make quite a number of modifications to it and disable
> > certain things from the boot process. Ideally ho
On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
> > Quite a few kernel subsystems are
> > currently not virtualized, for example SELinux, VTs, most of sysfs, most
> > of /proc/sys, audit, udev or file systems (by which I mean that for a
> > container you probably don't wan
On Mon, Oct 10, 2011 at 07:05:30PM -0700, Matt Helsley wrote:
> Yes, it does detract from the unique advantages of using a container.
> However, I think the value here is not the efficiency of the initial
> system configuration but the fact that it gives users a better place to
> start.
>
> Right
Ted Ts'o writes:
> On Mon, Oct 10, 2011 at 07:05:30PM -0700, Matt Helsley wrote:
>> Yes, it does detract from the unique advantages of using a container.
>> However, I think the value here is not the efficiency of the initial
>> system configuration but the fact that it gives users a better place
Lennart Poettering writes:
> On Mon, 10.10.11 13:59, Eric W. Biederman (ebied...@xmission.com) wrote:
>> My list of things that still have work left to do looks like:
>> - cgroups. It is not safe to create a new hierarchies with groups
>> that are in existing hierarchies. So cgroups don't wo
On Mon, Oct 10, 2011 at 09:32:01PM -0400, Ted Ts'o wrote:
> On Mon, Oct 10, 2011 at 01:59:10PM -0700, Eric W. Biederman wrote:
> > Lennart Poettering writes:
> >
> > > To make a standard distribution run nicely in a Linux container you
> > > usually have to make quite a number of modifications to