[PATCH] containers: define a namespace container subsystem

Cedric Le Goater clg at fr.ibm.com
Fri Feb 2 08:19:52 PST 2007


> The next steps are (not necessarily in order):
> 
> 	1. allow rm -rf to kill all processes under a
> 	   ns_container - with the intent of killing all
> 	   processes in a virtual server
> 
> 	2. implement transitioning into a populated container,
> 	   with the effect of setting the task's nsproxy to
> 	   the one represented by the container.
> 
> 	3. define a file for each type of namespace in each

Could that file be a directory exposing some critical data
from each namespace?

I would imagine the network devices for the net namespace,
and being able to interact with them (Daniel?). The task list
for the pid namespace, etc.

> 	   ns_container, with the i_op->symlink() defined to
> 	   allow creation of a new ns_container which references
> 	   only some of the namespace pointers of an existing
> 	   (child) container.  All other namespaces will be
> 	   taken from the existing process.  In this way it
> 	   is possible to enter just a network namespace of
> 	   some vserver.
> 	4. probably make containers mac-aware, that is add a
> 	   ->security pointer, and LSM hooks at appropriate
> 	   points so that, for instance, SELinux can control
> 	   vserver kill and enters.
> 