Controlling devices and device namespaces
Eric W. Biederman
ebiederm at xmission.com
Sun Sep 16 16:53:09 UTC 2012
Serge Hallyn <serge at hallyn.com> writes:
>>> That's what I said a few emails ago :) The device cgroup was meant as
>>> a short-term workaround for lack of user (and device) namespaces.
>>
>> I am saying something stronger. The device cgroup doesn't seem to have
>> a practical function now.
>
> "Now" is wrong. The user namespace is not complete and not yet usable for a
> full system container. We still need the device control group.
Dropping cap mknod, and not having any device nodes you can mount
a filesystem with device nodes, plus mount namespace work to only allow
you to have access to proper device nodes should work today. And I
admit the user namespace as I have it coded in my tree does make this
simpler.
But I agree "Now" is too soon until we have actually demonstrated
something else.
Eric
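Added illustration (not code from this thread or from the kernel) of two of the conditions Eric lists: CAP_MKNOD gone from the bounding set, and no mount that can supply device nodes. It is a small Python audit over the text of /proc/<pid>/status and /proc/<pid>/mountinfo. Assumptions: CAP_MKNOD is capability number 27, and a single allowlisted mount (/dev by default) is where the mount-namespace setup places the proper device nodes; the status and mountinfo samples are constructed. What the mount namespace actually puts inside that allowed directory is the third part of the scheme and is not checked here.

```python
"""Audit two conditions from the message above: CAP_MKNOD must be absent
from a process's capability bounding set, and every mount visible to it
(other than the dedicated device directory) must carry 'nodev', so no
filesystem can supply device nodes.  Input is the text of
/proc/<pid>/status and /proc/<pid>/mountinfo; the samples are constructed."""

# Capability number from <linux/capability.h> (assumed constant).
CAP_MKNOD = 27


def parse_capbnd(status_text):
    """Return the bounding-set mask from the CapBnd line of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def has_cap_mknod(status_text):
    """True if CAP_MKNOD is still in the bounding set (i.e. not dropped)."""
    return bool((parse_capbnd(status_text) >> CAP_MKNOD) & 1)


def mounts_allowing_dev(mountinfo_text):
    """Mount points from /proc/<pid>/mountinfo whose per-mount options lack 'nodev'.

    mountinfo fields: id, parent id, major:minor, root, mount point,
    per-mount options, optional tags..., '-', fstype, source, super options.
    'nodev' (MS_NODEV) is a per-mount flag, so it lives in the sixth field.
    """
    offending = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or truncated line
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces
        options = fields[5].split(",")
        if "nodev" not in options:
            offending.append(mount_point)
    return offending


def audit(status_text, mountinfo_text, allowed_dev_mounts=("/dev",)):
    """Return a list of findings; an empty list means both conditions hold."""
    findings = []
    if has_cap_mknod(status_text):
        findings.append("CAP_MKNOD present in bounding set")
    for mp in mounts_allowing_dev(mountinfo_text):
        if mp not in allowed_dev_mounts:
            findings.append(f"mount {mp} allows device nodes (no nodev)")
    return findings


# Constructed samples (not captured from a real system).
HOST_STATUS = "Name:\tbash\nCapBnd:\t0000001fffffffff\n"       # full root set
CONTAINER_STATUS = "Name:\tbash\nCapBnd:\t0000001ff7ffffff\n"  # bit 27 cleared
SAMPLE_MOUNTINFO = """\
15 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
20 15 0:18 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
21 15 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
22 15 0:19 / /dev rw,nosuid,relatime - tmpfs tmpfs rw,size=10240k,mode=755
"""

if __name__ == "__main__":
    for name, status in (("host", HOST_STATUS), ("container", CONTAINER_STATUS)):
        print(name, audit(status, SAMPLE_MOUNTINFO) or ["ok"])
```

Against the constructed data the container process has dropped CAP_MKNOD but its root filesystem is still mounted without nodev, so the audit reports exactly that one mount; on a live system the two inputs would be read from /proc/<pid>/status and /proc/<pid>/mountinfo of a process inside the container.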