Quoting Rob Landley (rlandley@xxxxxxxxxxxxx):
> On 01/07/2011 09:12 AM, Serge Hallyn wrote:
> >> Changing ownership so a script can't open a file that it otherwise
> >> could may cause scripts to fail when run in a container. Makes
> >> the containers less transparent.
> >
> > While my goal next week is to make containers more transparent, the
> > official stance from kernel summit a few years ago was: transparent
> > containers are not a valid goal (as seen from kernel).
>
> Do you have a reference for that? I'm still coming up to speed on all
> this. Trying to collect documentation...

Sorry, I don't offhand, and a quick Google search wasn't helpful. I
think it was from the very first containers discussion at ksummit, but
not sure.

There is http://lwn.net/Articles/191923/. Toward the bottom it claims
that no one thought it would be a problem to tweak distros to run in
containers without /sys and /proc. But this was 2006, when pid
namespaces were still a new idea, and no one was actually using
containers.

It certainly is possible that sentiment has changed, which is why I do
feel that it's worth it for someone to try some native containerization
inside fs/proc/*.c.

While user namespaces should make it possible to make fuse proc
filtering less wishy-washy, they won't make it any less ugly :)

-serge

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers