[PATCH 1/1] Syslog are now containerized

Jean-Marc Pigeon jmp at safe.ca
Sat Feb 13 13:56:16 PST 2010


Hello,

[...]
> Tracking all of these accesses down and ensuring they are only done
> from "its container context" is difficult or impossible. It's not as
> easy as you seem to think. In some cases the same resource could be
> shared between containers. Which should we access it from then?

	How come?! Resources (a device, iptables rules, ...)
	containerized within one container could be shared by
	another unrelated container?

	Does this mean (simple example) that someone changing
	iptables rules for one container could change
	another unrelated container's behavior?!... no way...
	The only case is a sub-container (a container
	within a container), but in such a case we
	are in the HOST: versus CONT: situation. The device
	will be controlled by CONT: even if used by SUBCONT:
	All depends on where the device is defined (where
	is the definition responsibility? That's the question
	to assign syslog..., usage is another story).

> 
> > 	Keep in mind, A fully containerized system can be managed
> > 	by someone with full privilege BUT NOT in charge of 
> > 	the host itself (IE: without host access).
> 
> Sure. (We're not there yet but I think we'd like to get
> there eventually.)
> 
> > 	My proposal is a clear cut, if a resource is containerized 
> > 	report to CONT: (containerized) syslog... no questions asked.
> 
> That part of the proposal is simple and makes a lot of sense. The
> ramifications of it on kernel code are not simple and often there's
> no clean way to do it.

	Well, this troubles me somewhat....
	2.6.18-128.2.1.el5.028stab064.7 (just an example, which I am
	using day to day) is containerising iptables and other syslogs
	in a nice way...
	We are now at 2.6.33; you are telling me that what was
	experimented, learned, monthssss ago still can't be implemented
	in the current mainstream kernel?....


-- 
See you soon
==========================================================================
Jean-Marc Pigeon                                   Internet: jmp at safe.ca
SAFE Inc.                                          Phone: (514) 493-4280
                                                   Fax:   (514) 493-1946
        Clement, 'a kiss solution' to get rid of SPAM (at last)
           Clement' Home base <"http://www.clement.safe.ca">
==========================================================================


