[Devel] Re: namespaces compatibility list
Pavel Emelyanov
xemul at openvz.org
Wed Nov 7 01:29:04 PST 2007
Cedric Le Goater wrote:
> Pavel Emelyanov wrote:
>> Eric W. Biederman wrote:
>>> Cedric Le Goater <clg at fr.ibm.com> writes:
>>>> right. I think we can address Ulrich's concerns first because we have
>>>> a solution for it (which looks like unsharing all namespaces at once,
>>>> here comes back the container object story :)
>>> It doesn't work because we can't create a fresh mount namespace.
>>>
>>> We need to create all new mounts (and deny access to the old ones)
>>> if we want to prevent all possibility of user space goof ups.
>>>
>>> While that is easy enough to build an application to do we can't
>>> easily enforce that in the kernel. Currently this is all
>>> CAP_SYS_ADMIN so only root can do this anyway. So we can easily
>>> say don't do that then.
>>>
>>> Clone flag consistency checking should only be used to enforce
>>> cases where the kernel side cannot support correctly. Currently
>>> the kernel has no problems with the current mix and match possibilities
>>> short of implementation deficiencies. So I do not see us
>>> addressing Ulrich's concerns with clone flags.
>> ACK :) Since this all is CAP_SYS_ADMIN-ed we can do with just a warning.
>
> Fine with me.
>
> Let's come back to the document, then.
:) Let's. Does anybody have any comments about the current text? :)
> C.
>
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers