> The next steps are (not necessarily in order):
>
> 1. allow rm -rf to kill all processes under a
>    ns_container - with the intent of killing all
>    processes in a virtual server
>
> 2. implement transitioning into a populated container,
>    with the effect of setting the task's nsproxy to
>    the one represented by the container.
>
> 3. define a file for each type of namespace in each

Could that file be a directory exposing some critical data from each
namespace? I would imagine the network devices for the net namespace,
and be able to interact with them (Daniel?), the task list for the
pid namespace, etc.

> ns_container, with the i_op->symlink() defined to
> allow creation of a new ns_container which references
> only some of the namespace pointers of an existing
> (child) container. All other namespaces will be
> taken from the existing process. In this way it
> is possible to enter just a network namespace of
> some vserver.
>
> 4. probably make containers mac-aware, that is add a
>    ->security pointer, and LSM hooks at appropriate
>    points so that, for instance, SELinux can control
>    vserver kill and enters.
>