[lxc-users] lxc config device add
Serge E. Hallyn
serge at hallyn.com
Tue Apr 18 19:59:37 UTC 2017
I think it would be great if some of the people who are interested in
putting host devices into a container safely would get together to
discuss requirements for a sort of device multiplexor/forwarder. It
could probably be based on cuse (see https://superuser.com/questions/209884/where-are-programs-that-use-cuse-character-in-user-space
and https://github.com/stefanberger/swtpm for some example users)
and could provide virtualized devices which provide a filtered
view of the real device to several containers at the same time.
Perhaps as part of this a toolsuite could be developed that would
help in easily building API filters/translators.
See also what Cellrox was trying to do https://lwn.net/Articles/564854/
It's still not clear to me what's the *right* way to containerize
device access, or that this is it. In particular, creating a new
device feels like much more a VM than a container thing. But it
seems like at least a safe way to do this, and might lead to
insights on a better way.
But for many devices, just chowning it and handing it over to a
container is just not safe, even if it's the best we can do
right now.
-serge