[lxc-devel] Device Namespaces
Michael J Coss
michael.coss at alcatel-lucent.com
Thu Sep 26 17:17:54 UTC 2013
As I mentioned in another part of this thread, my use case is deploying
"linux desktops" to users as containers. The goal is to have the
container run unmodified distros, and to be able to run arbitrary code.
A tall order to be sure, and maybe not realistic, but I'm in research so
its good to think big.
To that end, we would like the container to be manage as if it were a
"real" system. This includes udev. I realize that udev no longer
creates devices but uses devtmpfs, but the event notification needs to
be seen for other parts to the system, and for the rules that udev
actually does. In particular, X uses uevents to detect keyboard, mice
and display connections.
But when a new device is added, we need that information to go to only
the appropriate container. Currently, uevents are broadcasted to all
listeners in all network namespaces. I have a set of patches that
restrict the initial broadcast to only the host namespace. The second
part is a user space deamon that applies policy and forwards the message
to the container's udev. But rather than have to run a modified udev,
by allowing an interface for the host to inject a replay of the original
message to the container's udev, we achieve at least part of our goal.
This still leave devtmpfs, and while I do believe that there are user
space solutions, I think a virtualization of that is a better approach.
The policy needs to be driven by the host, but the view of the synthetic
filesystem should be managed by the kernel.
There are a number of other kernel filesystems that are equally
problematic, sysfs, proc, debugfs, etc. Is it really proposed that all
of these be handled in userspace?. We can get some safety by disallows
some mounts, and using readonly, but a unified policy would be nice.
My kernel patch is just to facility the communication to the container
of the appropriate uevents, and the daemon uses libudev to collect,
apply policy, and forward the appropriate events. And I'm working on a
solution for devtmpfs
---Michael J Coss
More information about the lxc-devel
mailing list