[Devel] Re: udev in containers

Serge E. Hallyn serge at hallyn.com
Fri Jan 28 12:46:52 PST 2011


Quoting Eric W. Biederman (ebiederm at xmission.com):
> "Serge E. Hallyn" <serge.hallyn at canonical.com> writes:
> 
> > Hi,
> >
> > Now that we are allowing udev to run in containers, Daniel has
> > noticed that updates to sysfs uevent files will trigger a flurry
> > of activity in all containers on the host.  While not a problem
> > with just a few containers, this can severaly impact performance
> > with hundreds or more containers.
> >
> > (Daniel, would it be possible for you to get some measurements
> > on host and in a container versus # of active containers, with
> > and without udev?  Do you have a otehrwise unused machien you
> > could try that on?)
> >
> > Is there anything we can/should do about this?
> >
> > Two approaches, neither sufficiently thought out yet, would be
> > to generalize the directory tagging currently used for
> > /sys/class/net, and full-fledged implementation of a device
> > namespace.
> >
> > The directory tagging would probably only work if we can assign
> > multiple tags to a device, but we could for instance make
> > /sys/block tagged, and really no container probably needs to see
> > /sys/block/sda.
> >
> > The device namespace would be similar, except I suspect it
> > would not only hide certain devices from certain namespaces,
> > but it would actually virtualize the device major:minor
> > mapping, for checkpoint/restart, so that /dev/sda could be
> > redirected to another device more completely than simply
> > fudging the nodes under /dev.
> >
> > Comments?  Designs?  Plans?
> 
> To answer you earlier question: What did I expect the device namespace
> to look like.
> 
> - Only purely virtual devices like  /dev/pts, /dev/null, /dev/nbd and /dev/loop0 present.
> - Fully virtualized major/minor look up preventing us from even talking
>   about devices in other namespaces.

What does an interface look like for hooking up /dev/sdc on the host
to 'b 8:0' in a container?

> - Support from the user/security namespace so that mknod and mount are safe.
> 
> I get a certain uncomfortable feeling about mknod and mount running free
> in a container without restrictions that make container without restrictions...

-serge
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers




More information about the Devel mailing list