Re: [Lsf-pc] [LSF/MM ATTEND] FS jitter testing, network caching, Lustre, cluster filesystems.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2017-01-17 at 02:00 -0500, Oleg Drokin wrote:
> On Jan 16, 2017, at 3:58 PM, James Bottomley wrote:
> 
> > On Mon, 2017-01-16 at 13:39 -0500, Oleg Drokin wrote:
> > > On Jan 16, 2017, at 1:21 PM, James Bottomley wrote:
> > > 
> > > > On Mon, 2017-01-16 at 13:02 -0500, Oleg Drokin wrote:
> > > > > On Jan 16, 2017, at 12:32 PM, James Bottomley wrote:
> > > > > 
> > > > > > On Sun, 2017-01-15 at 18:38 -0500, Oleg Drokin wrote:
> > > > > > > A container support from filesystems is also very 
> > > > > > > relevant to us since Lustre    is used more and more in 
> > > > > > > such settings.
> > > > > > 
> > > > > > I've added the containers ML to the cc just in case.  Can 
> > > > > > you add more colour to this, please?  What container 
> > > > > > support for filesystems do you think we need beyond the 
> > > > > > user namespace in the superblock?
> > > > > 
> > > > > Namespace access is necessary, we might need it before the 
> > > > > superblock is there too (say during mount we might need 
> > > > > kerberos credentials fetched to properly authenticate this 
> > > > > mount instance to the server).
> > > > 
> > > > The superblock namespace is mostly for uid/gid changes across 
> > > > the kernel <-> filesystem boundary.
> > > 
> > > That's on the kernel<->filesystem, but inside of the FS there 
> > > might be other considerations that you might want to attach 
> > > there. Say when you are encrypting the traffic to the server you 
> > > want to use the right keys.
> > 
> > So this is the keyring namespace?  It was mentioned at KS, but, as 
> > far as I can tell, not discussed in the Containers MC that 
> > followed, so I've no idea what the status is.
> 
> Could be keyring or other mechanisms.

OK, you need to agree on the mechanism first, then we can discuss if it
needs OS virtualization.  A large number of mechanisms in the kernel
actually don't (because the current OS protections are strong enough)
like file descriptors.  After you understand the mechanism there are
usually four main ways to do OS virtualization:

   1. Do nothing becuase the object doesn't need it (fd)
   2. Label Namespace because it needs isolation (network)
   3. add to user namespace because you need privileged access (setns
      call)
   4. add to cgroup because the resource needs to be accounted (mem)

But before we get into that we need to know the properties of the
mechanism.

James

--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux