[lxc-users] Virtualizing hardware for containers
Serge Hallyn
serge.hallyn at ubuntu.com
Wed Jun 10 14:58:57 UTC 2015
might look into CUSE and BUSE
(http://bryanpendleton.blogspot.com/2011/02/fuse-cuse-and-uio.html
has links)
Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> I didn't know where to post this but I had an idea, most likely of
> little use but I thought I would put it out there. Part of this idea is
> inspired by FUSE, which allows creating a user space filesystem but also
> takes care of basic security such as not allowing SUID.
>
> I had an idea for a DUSE - Device driver in user space. This would
> probably not work without some sort of kernel support as well. Like
> FUSE, a DUSE application gets run by a normal user, and if that user is
> a member of the duse group, that user can create device files. For
> security the device files can not be created under the host /dev, but
> could be created under a different location which would eventually
> become the container's /dev. Any reads and writes to the device file,
> and IOCTL calls would be directed to the application. The device file
> gets created as the launching user/group.
>
> lxc-device simply makes a device available within a container. This
> could allow several potential features. First, a DUSE application
> could be created to function as a filter before interacting in some way
> with the host. A virtual device could be exposed to a container, but
> any interactions with that device from the container are monitored and
> only certain interactions may be allowed to pass through and interact
> with the host. How this works would be device specific. Second, a DUSE
> application could provide a device that doesn't actually exist, a
> virtual device. Finally, such a feature might have use outside of
> containers as well.
>
> To support this within a container, special configurations could be
> specified which would allow launching of the DUSE application as a
> specific user after any user namespaces are set up, but before the rest
> of the container is set up. This would launch the application from the
> host filesystem before any mount point changes, but allow specifying
> which user/group the device file is owned as and what permissions are
> set on the device file.
>
>
> Brian Allen Vanderburg II
>
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users