There are various challenges when users start trying to manage SAN attachments from within a container, and how we deal with network namespaces. I think it would be worth a discussion around what can be agreed on as desired behavior, and what it means to attach block devices from a containerized environment. iSCSI has a number of issues here with the kernel to iscsid interfaces, netlink and sysfs, which are largely fixable without needing to break anything. But for kernel maintained network connections, there's an issue of interacting with namespace lifetimes without a process. NVMe/TCP has avoided complex user-space control planes, but when I checked subsystem connection occurred within the active namespace of nvme-cli, but afterwords all fabrics subsystems were visible, controllable, and disconnectable from any namespace. Lee Duncan had submitted a proposal to discuss this for iSCSI last year [1], partially based on some older work I did that never completed [2] (I need to update that code) [1] https://lore.kernel.org/linux-scsi/e9f0297a-a914-ba83-f706-5a2d508c666b@xxxxxxxx/ [2] https://github.com/cleech/linux/commits/iscsi-netns-old-wip - Chris Leech
