On Tue, 2017-01-17 at 02:00 -0500, Oleg Drokin wrote:
> On Jan 16, 2017, at 3:58 PM, James Bottomley wrote:
> 
> > On Mon, 2017-01-16 at 13:39 -0500, Oleg Drokin wrote:
> > > On Jan 16, 2017, at 1:21 PM, James Bottomley wrote:
> > > 
> > > > On Mon, 2017-01-16 at 13:02 -0500, Oleg Drokin wrote:
> > > > > On Jan 16, 2017, at 12:32 PM, James Bottomley wrote:
> > > > > 
> > > > > > On Sun, 2017-01-15 at 18:38 -0500, Oleg Drokin wrote:
> > > > > > > A container support from filesystems is also very
> > > > > > > relevant to us since Lustre is used more and more in
> > > > > > > such settings.
> > > > > > 
> > > > > > I've added the containers ML to the cc just in case. Can
> > > > > > you add more colour to this, please? What container
> > > > > > support for filesystems do you think we need beyond the
> > > > > > user namespace in the superblock?
> > > > > 
> > > > > Namespace access is necessary, we might need it before the
> > > > > superblock is there too (say during mount we might need
> > > > > kerberos credentials fetched to properly authenticate this
> > > > > mount instance to the server).
> > > > 
> > > > The superblock namespace is mostly for uid/gid changes across
> > > > the kernel <-> filesystem boundary.
> > > 
> > > That's on the kernel<->filesystem, but inside of the FS there
> > > might be other considerations that you might want to attach
> > > there. Say when you are encrypting the traffic to the server you
> > > want to use the right keys.
> > 
> > So this is the keyring namespace? It was mentioned at KS, but, as
> > far as I can tell, not discussed in the Containers MC that
> > followed, so I've no idea what the status is.
> 
> Could be keyring or other mechanisms.

OK, you need to agree on the mechanism first, then we can discuss if it
needs OS virtualization. A large number of mechanisms in the kernel
actually don't (because the current OS protections are strong enough)
like file descriptors.
After you understand the mechanism there are usually four main ways to
do OS virtualization:

1. Do nothing because the object doesn't need it (fd)
2. Label Namespace because it needs isolation (network)
3. add to user namespace because you need privileged access (setns call)
4. add to cgroup because the resource needs to be accounted (mem)

But before we get into that we need to know the properties of the
mechanism.

James