Re: Controlling devices and device namespaces

Serge Hallyn <serge@xxxxxxxxxx> writes:

>>> That's what I said a few emails ago :)  The device cgroup was meant as
>>> a short-term workaround for lack of user (and device) namespaces.
>>
>> I am saying something stronger.  The device cgroup doesn't seem to have
>> a practical function now.
>
> "Now" is wrong.  The user namespace is not complete and not yet usable for a
> full system container.  We still need the device control group.

Dropping cap mknod, and not having any device nodes you can mount
a filesystem with device nodes, plus mount namespace work to only allow
you to have access to proper device nodes should work today.  And I
admit the user namespace as I have it coded in my tree does make this
simpler.

But I agree "Now" is too soon until we have actually demonstrated
something else.

Eric
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
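
An audit of the setup described in the message above, as an added example that is not part of the original thread: it checks that CAP_MKNOD is gone from a task's capability bounding set and that no mount other than the intended device directory lacks `nodev`. The sample `/proc` contents are constructed, and the assumption that `/dev` is the only mount meant to expose device nodes is mine.

```python
CAP_MKNOD = 27  # capability number from <linux/capability.h>

def bounding_set_has_mknod(status_text):
    """True if CAP_MKNOD is still in CapBnd of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            mask = int(line.split()[1], 16)
            return bool((mask >> CAP_MKNOD) & 1)
    raise ValueError("no CapBnd line found")

def device_capable_mounts(mountinfo_text, allowed=("/dev",)):
    """Mounts from /proc/<pid>/mountinfo that honor device nodes (no
    'nodev' option) and are not in the allowed list (assumed policy)."""
    findings = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue  # not a well-formed mountinfo line
        sep = fields.index("-")          # optional fields end at "-"
        mount_point, options = fields[4], fields[5].split(",")
        fstype = fields[sep + 1]
        if "nodev" not in options and mount_point not in allowed:
            findings.append((mount_point, fstype))
    return findings

def audit(status_text, mountinfo_text):
    """Return a list of human-readable problems; empty means confined."""
    problems = []
    if bounding_set_has_mknod(status_text):
        problems.append("CAP_MKNOD present in bounding set")
    for mount_point, fstype in device_capable_mounts(mountinfo_text):
        problems.append(f"{mount_point} ({fstype}) mounted without nodev")
    return problems

# Constructed sample data: bounding set with bit 27 cleared, and a root
# filesystem that was left without nodev.
SAMPLE_STATUS = "Name:\tinit\nCapBnd:\t0000003ff7ffffff\n"
SAMPLE_MOUNTINFO = """\
21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 0:5 / /dev rw,nosuid - tmpfs tmpfs rw,mode=755
23 21 0:20 / /tmp rw,nosuid,nodev - tmpfs tmpfs rw
24 21 0:4 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
"""

if __name__ == "__main__":
    for problem in audit(SAMPLE_STATUS, SAMPLE_MOUNTINFO):
        print(problem)
```

To audit a live container, pass the contents of `/proc/<pid>/status` and `/proc/<pid>/mountinfo` for its init process instead of the samples.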

