[lxc-users] Virtualizing hardware for containers

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 10 14:58:57 UTC 2015


might look into CUSE and BUSE
(http://bryanpendleton.blogspot.com/2011/02/fuse-cuse-and-uio.html
has links)

Quoting Brian Allen Vanderburg II (brianvanderburg2 at aim.com):
> I didn't know where to post this but I had an idea, most likely of
> little use but I thought I would put it out there.  Part of this idea is
> inspired by FUSE, which allows creating a user space filesystem but also
> takes care of basic security such as not allowing SUID.
> 
> I had an idea for a DUSE - Device driver in user space.  This would
> probably not work without some sort of kernel support as well.  Like
> FUSE, a DUSE application gets run by a normal user, and if that user is
> a member of the duse group, that user can create device files.  For
> security the device files can not be created under the host /dev, but
> could be created under a different location which would eventually
> become the container's /dev.  Any reads and writes to the device file,
> and IOCTL calls would be directed to the application.  The device file
> gets created as the launching user/group.
> 
> lxc-device simply makes a device available within a container.  This
> could allow several potential features.  First, a DUSE application
> could be created to function as a filter before interacting in some way
> with the host.  A virtual device could be exposed to a container, but
> any interactions with that device from the container are monitored and
> only certain interactions may be allowed to pass through and interact
> with the host.  How this works would be device specific.  Second, a DUSE
> application could provide a device that doesn't actually exist, a
> virtual device.  Finally, such a feature might have use outside of
> containers as well.
> 
> To support this within a container, special configurations could be
> specified which would allow launching of the DUSE application as a
> specific user after any user namespaces are set up, but before the rest
> of the container is set up.  This would launch the application from the
> host filesystem before any mount point changes, but allow specifying
> which user/group the device file is owned as and what permissions are
> set on the device file.
> 
> 
> Brian Allen Vanderburg II
> 
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
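Added example (not code from either poster, and not an lxc or CUSE project API): the decision core that a user-space filter device of the kind described above would run on every request before passing it to the real host device, using the Linux ioctl-number encoding to decide which calls may go through. The virtual device, its ioctl magic byte `'V'`, the `VDEV_*` commands and the policy values are constructed for illustration.

```c
/* Added example: request policy for a user-space "filter device" sitting
 * between a container and a host device. A CUSE/DUSE server would call
 * duse_check() for each read, write or ioctl it receives. The device, its
 * ioctl magic 'V' and the policy values are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <sys/ioctl.h>   /* Linux _IO/_IOR/_IOW and _IOC_* ioctl-number macros */

enum duse_op { DUSE_READ, DUSE_WRITE, DUSE_IOCTL };

struct duse_req {
    enum duse_op op;
    size_t len;          /* bytes for a read or write request */
    unsigned long cmd;   /* complete ioctl request number for DUSE_IOCTL */
};

/* Hypothetical virtual device: the container may use two of its ioctls. */
#define VDEV_MAGIC     'V'
#define VDEV_GET_STATE _IOR(VDEV_MAGIC, 1, int)
#define VDEV_SET_MODE  _IOW(VDEV_MAGIC, 2, int)
#define VDEV_RESET     _IO(VDEV_MAGIC, 3)      /* deliberately not allowed */

static const unsigned long allowed_ioctls[] = { VDEV_GET_STATE, VDEV_SET_MODE };
static const size_t max_write = 4096;

/* Match the complete number: type, nr, direction and size together.
 * Comparing only _IOC_NR would let a caller reuse an allowed number with
 * a different direction or a larger size field, and that size field is
 * what decides how much memory is copied for an unrestricted CUSE ioctl. */
bool ioctl_allowed(unsigned long cmd)
{
    for (size_t i = 0; i < sizeof allowed_ioctls / sizeof allowed_ioctls[0]; i++)
        if (allowed_ioctls[i] == cmd)
            return true;
    return false;
}

/* true = forward to the host device; false = fail the request (e.g. EPERM). */
bool duse_check(const struct duse_req *r)
{
    switch (r->op) {
    case DUSE_READ:  return true;                 /* reads are only monitored */
    case DUSE_WRITE: return r->len <= max_write;  /* cap what reaches the host */
    case DUSE_IOCTL: return ioctl_allowed(r->cmd);
    }
    return false;
}
```

A real server would log the decoded `_IOC_TYPE`/`_IOC_NR`/`_IOC_DIR`/`_IOC_SIZE` fields of every blocked request so that unexpected device use inside the container is visible on the host.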
