Containers and /proc/sys/vm/drop_caches
serge.hallyn at canonical.com
Tue Jan 11 08:28:54 PST 2011
Quoting Rob Landley (rlandley at parallels.com):
> On 01/07/2011 09:12 AM, Serge Hallyn wrote:
> >> Changing ownership so a script can't open a file that it otherwise
> >> could may cause scripts to fail when run in a container. Makes
> >> the containers less transparent.
> > While my goal next week is to make containers more transparent, the
> > official stance from kernel summit a few years ago was: transparent
> > containers are not a valid goal (as seen from kernel).
> Do you have a reference for that? I'm still coming up to speed on all this. Trying to collect documentation...
Sorry, I don't offhand, and a quick google search wasn't helpful. I think
it was from the very first containers discussion at ksummit, but not sure.
There is http://lwn.net/Articles/191923/. Toward the bottom it claims that
no one thought it would be a problem to tweak distros to run in containers
without /sys and /proc.
But this was 2006, when pid namespaces were still a new idea, and no one
was actually using containers. It certainly is possible that sentiment
has changed, which is why I do feel that it's worth it for someone to
try some native containerization inside fs/proc/*.c. While user namespaces
should make it possible to make fuse proc filtering less wishy-washy, they
won't make it any less ugly :)