[PATCH 1/1] RFC: taking a crack at targeted capabilities

Eric W. Biederman ebiederm at xmission.com
Mon Feb 15 08:48:14 PST 2010


Matt Helsley <matthltc at us.ibm.com> writes:

>> > The other example of that idea was keeping a syslog_ns reference in
>> > the netns for the iptables printks in ipt_LOG.c. What happens when
>> > one of the CONFIG_*NS options isn't selected? Suddenly we're littering
>> > the struct definitions with #ifdefs and making the code alot more
>> > complicated to test (I suspect). Perhaps it's time to merge all
>> > the CONFIG_*NS options into CONFIG_NAMESPACES?

In general the plan has been to support disabling the creation of namespaces
but that is about it.  The disables are there to prevent sysadmins from
dealing with under-construction code, as in general we can not remove the code
without having lots of weird paths.

Distro's will enable these, and the incremental cost of having the enabled
is small, at least if they are built properly.  If the incremental cost
of enabling a namespace is not small we probably need to go back to the
drawing board because maintainability will be affected.

Eric


More information about the Containers mailing list