On Wed, 2019-02-13 at 19:29 +0200, Leon Romanovsky wrote:
> Add netlink command that enables/disables sharing rdma device among
> multiple net namespaces.
>
> Using rdma tool,
> $rdma sys set netns shared (default mode)
>
> When rdma subsystem netns mode is set to shared mode, rdma devices
> will be accessible in all net namespaces.
>
> Using rdma tool,
> $rdma sys set netns exclusive
>
> When rdma subsystem netns mode is set to exclusive mode, devices
> will be accessible in only one net namespace at any given
> point of time.
> Any rdma resources created or in-use before netns mode set to
> exclusive, will remain in shared mode, in other words, changing
> netns mode to exclusive or shared has no effect on already
> open devices.

But what if we *want* it to disconnect running apps that are violating
namespace? Let's say for instance that a machine boots up with namespace
shared enabled (by accident, maybe it booted from an old initrd image or
something), and apps start leaking across namespaces willy-nilly, and the
admin goes "Oh crap!" and wants to lock things down?

I have a possible solution in mind that would enable this, but I need to
go read your other patchset to see if I'm way off base.

-- 
Doug Ledford <dledford@xxxxxxxxxx>
    GPG KeyID: B826A3330E572FDD
    Key fingerprint = AE6B 1BDA 122B 23B4 265B 1274 B826 A333 0E57 2FDD
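The situation Doug describes, a device still reachable from more than one net namespace after the mode was left at shared, is something an admin can audit for before (or after) flipping the subsystem to exclusive. The script below is an added example, not part of the thread or the patch: it assumes the `rdma dev show` line format `0: mlx5_0: node_type ca ...`, labels the initial namespace "host", and runs against constructed sample data unless given `--live`.

```shell
#!/bin/sh
# Added example (not from the patch or the thread): list every RDMA device
# that is visible in more than one network namespace, i.e. devices that the
# "exclusive" netns mode would not retroactively fix once already open.

# rdma_dup_devices: read "<netns> <device>" pairs on stdin and print each
# device that appears in more than one distinct namespace, one per line.
rdma_dup_devices() {
    awk '
        # count each (netns, device) pair only once, then tally per device
        !seen[$1 FS $2]++ { count[$2]++ }
        END { for (d in count) if (count[d] > 1) print d }
    ' | sort
}

# rdma_collect_devices: emit "<netns> <device>" pairs for the initial
# namespace (labelled "host", an assumed label) and every namespace listed
# by "ip netns list". Assumes "rdma dev show" prints lines shaped like
#   0: mlx5_0: node_type ca fw 16.26.1040 node_guid ...
rdma_collect_devices() {
    rdma dev show | awk '{ sub(":", "", $2); print "host", $2 }'
    for ns in $(ip netns list | awk '{ print $1 }'); do
        ip netns exec "$ns" rdma dev show \
            | awk -v ns="$ns" '{ sub(":", "", $2); print ns, $2 }'
    done
}

# Constructed sample: mlx5_0 is visible both on the host and inside ns1,
# mlx5_1 and mlx5_2 each live in exactly one namespace.
SAMPLE='host mlx5_0
host mlx5_1
ns1 mlx5_0
ns2 mlx5_2'

if [ "${1:-}" = "--live" ]; then
    rdma_collect_devices | rdma_dup_devices
else
    printf '%s\n' "$SAMPLE" | rdma_dup_devices
fi
```

With `--live` the script needs CAP_SYS_ADMIN for `ip netns exec`; without it, it only exercises the parser on the constructed sample.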