Hello,

On Sat, 2010-02-13 at 14:33 -0800, Matt Helsley wrote:
> On Sat, Feb 13, 2010 at 04:56:16PM -0500, Jean-Marc Pigeon wrote:
> > Hello,
> >
> > [...]
>
> Yes. namespace boundaries only coincide if userspace chooses to
> make them coincide. For example, the tasks in a network namespace
> do not necessarily all share the same mount namespace.
>
> > Does this mean (simple example) someone changing
> > iptables rules for one container could change
> > another unrelated container's behavior ?!...no way...
>
> Two "unrelated containers" would share the same iptables rules
> so long as they share a network namespace.

So ... logic means.... those two unrelated containers do not "own" the
iptables rules. But let's say, for fun, a process within container 1
changes the rules (locking out ssh access); does it mean ssh connections
on container 2 are now locked out too...

If you say "container 0", which containers 1 and 2 are included in,
decided to lock ssh access, then it's OK. Containers 1 and 2 are still
unrelated, right, but both are related to container 0, and the syslog
report must go to container 0. (once again it is a clean cut.)

[...]

> > > That part of the proposal is simple and makes a lot of sense. The
> > > ramifications of it on kernel code are not simple and often there's
> > > no clean way to do it.
> > Well, this troubles me somewhat....
> > 2.6.18-128.2.1.el5.028stab064.7 (just an example, I am using it
> > day to day), is containerising iptables and other syslogs
> > in a nice way....,
>
> Er.. you have a 2.6.18 kernel "containerising iptables and other syslogs"?
> I didn't think iptables supported network namespaces until somewhat
> recently. Is this an openvz-patched kernel you're talking about?

Yep! release date 07-Nov-2009, and I am pretty sure
2.6.18-53.1.19.el5.028stab053.14 (release date 21-May-2008) was doing it too...
Iptables logs are reported to VZ (I have an example right in front of me):

Feb 13 14:42:13 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=X.X.X.X DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58325 DF PROTO=TCP SPT=37248 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0

When I said monthssss, I really mean it.

> Careful. "no clean way to do it" does not mean "can't be done".

Agreed.... container networking, it seems to me, is implemented in a far
better way than on VZ, so it is possible to implement the good idea in a
clean way.

--
See you soon
==========================================================================
Jean-Marc Pigeon                               Internet: jmp@xxxxxxx
SAFE Inc.                   Phone: (514) 493-4280   Fax: (514) 493-1946
Clement, 'a kiss solution' to get rid of SPAM (at last)
Clement' Home base <"http://www.clement.safe.ca">
==========================================================================
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
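The message above quotes one netfilter LOG-target line as it lands in the host's kernel log ("container 0" in the author's terms). The following is an added example, not code from this thread, from OpenVZ or from the kernel: it parses that line format (a free-form --log-prefix followed by KEY=VALUE pairs and bare flags such as DF or SYN) and counts, per source address, the rejected TCP SYNs to port 22, which is the kind of check an administrator of the host would run over such a log. The sample lines and the 192.0.2.0/24 addresses are constructed for the example, and "RJCT" is assumed to be the --log-prefix the author configured.

```python
"""Parse netfilter LOG-target lines and summarise rejected ssh attempts.

Added example; not code from the mailing-list thread, OpenVZ or the kernel.
The line layout is the standard iptables LOG output: after "kernel: " comes
the optional --log-prefix text, then KEY=VALUE fields (the value may be
empty, e.g. "OUT=" or "MAC="), with bare flag tokens such as DF or SYN.
"""
import re
from collections import Counter

# Everything after "kernel: " (and an optional printk timestamp) is the
# netfilter message; the syslog timestamp and hostname precede it.
_KERNEL_MSG = re.compile(r"kernel:\s+(?:\[\s*\d+\.\d+\]\s+)?(?P<msg>.*)$")

# Constructed sample lines (not the author's real log); SRC/DST use
# RFC 5737 documentation addresses. The last line is not a netfilter line.
SAMPLE_LINES = [
    "Feb 13 14:42:13 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58325 DF PROTO=TCP SPT=37248 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 13 14:42:15 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=192.0.2.10 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58326 DF PROTO=TCP SPT=37249 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 13 14:42:20 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=192.0.2.77 DST=192.0.2.1 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 "
    "WINDOW=14600 RES=0x00 SYN URGP=0",
    "Feb 13 14:42:21 host1 kernel: RJCT IN=venet0 OUT= MAC= SRC=192.0.2.77 DST=192.0.2.1 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=UDP SPT=5000 DPT=53 LEN=20",
    "Feb 13 14:42:22 host1 sshd[1234]: Accepted publickey for alice from 192.0.2.5",
]


def parse_nflog_line(line):
    """Return a dict of fields for one netfilter LOG line, or None when the
    line is not a kernel message carrying KEY=VALUE fields.

    Result keys: "prefix" (the --log-prefix text, possibly empty), "flags"
    (set of bare tokens such as DF/SYN) and one entry per KEY=VALUE field.
    A key that repeats on the line (UDP lines carry a second LEN=) keeps the
    last value seen.
    """
    m = _KERNEL_MSG.search(line)
    if not m:
        return None
    fields = {"prefix": [], "flags": set()}
    seen_kv = False
    for tok in m.group("msg").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value          # "" when the value is absent (OUT=, MAC=)
            seen_kv = True
        elif seen_kv:
            fields["flags"].add(tok)     # bare flags after the first KEY=VALUE
        else:
            fields["prefix"].append(tok)  # --log-prefix words before IN=
    if not seen_kv:
        return None                      # kernel message, but not a LOG line
    fields["prefix"] = " ".join(fields["prefix"])
    return fields


def rejected_ssh_sources(lines, prefix="RJCT"):
    """Count, per SRC address, the logged TCP SYNs to port 22 that carry the
    given log prefix, i.e. connection attempts the logging rule matched."""
    counts = Counter()
    for line in lines:
        f = parse_nflog_line(line)
        if f is None or f["prefix"] != prefix:
            continue
        if f.get("PROTO") == "TCP" and f.get("DPT") == "22" and "SYN" in f["flags"]:
            counts[f["SRC"]] += 1
    return counts


if __name__ == "__main__":
    for src, n in rejected_ssh_sources(SAMPLE_LINES).most_common():
        print(f"{src}: {n} rejected ssh SYN(s)")
```

Because the rule lives in the network namespace rather than in a container, the prefix is the only thing in the line that tells you which rule fired; giving each rule a distinct --log-prefix is what makes such a per-rule summary possible when several containers share the same rule set.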