As I mentioned in another part of this thread, my use case is deploying "linux desktops" to users as containers. The goal is to have the container run unmodified distros, and to be able to run arbitrary code. A tall order to be sure, and maybe not realistic, but I'm in research so it's good to think big.
To that end, we would like the container to be managed as if it were a "real" system. This includes udev. I realize that udev no longer creates devices but uses devtmpfs, but the event notification needs to be seen by other parts of the system, and for the rules that udev actually does. In particular, X uses uevents to detect keyboard, mouse and display connections. But when a new device is added, we need that information to go to only the appropriate container.

Currently, uevents are broadcast to all listeners in all network namespaces. I have a set of patches that restrict the initial broadcast to only the host namespace. The second part is a user space daemon that applies policy and forwards the message to the container's udev. But rather than have to run a modified udev, by allowing an interface for the host to inject a replay of the original message to the container's udev, we achieve at least part of our goal.

This still leaves devtmpfs, and while I do believe that there are user space solutions, I think a virtualization of that is a better approach. The policy needs to be driven by the host, but the view of the synthetic filesystem should be managed by the kernel. There are a number of other kernel filesystems that are equally problematic: sysfs, proc, debugfs, etc. Is it really proposed that all of these be handled in userspace? We can get some safety by disallowing some mounts, and using readonly, but a unified policy would be nice.

My kernel patch is just to facilitate the communication to the container of the appropriate uevents, and the daemon uses libudev to collect, apply policy, and forward the appropriate events. And I'm working on a solution for devtmpfs.

---Michael J Coss

_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel
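Worked example, added here and not part of the message above or of the poster's patches or daemon: a Python sketch of the user-space side of the design described in the thread. It parses raw kernel uevent messages in the wire format the kernel emits on NETLINK_KOBJECT_UEVENT sockets (`ACTION@DEVPATH\0KEY=VALUE\0...`), applies a host-driven, default-deny policy that maps device subsystems and devpath prefixes to containers, and re-encodes the event for replay. The container names, device paths and policy rules are constructed for illustration; the kernel-side injection interface into a container's udev that the poster proposes is not modeled, the example only decides which container should receive a replay and produces the bytes to replay.

```python
"""Parse kernel uevents and decide which container (if any) should see each one.

Assumed wire format (what the kernel sends on NETLINK_KOBJECT_UEVENT):
    b"ACTION@DEVPATH\\0KEY=VALUE\\0KEY=VALUE\\0..."
Container names and policy rules are constructed examples, not real config.
"""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

NETLINK_KOBJECT_UEVENT = getattr(socket, "NETLINK_KOBJECT_UEVENT", 15)  # Linux value


@dataclass(frozen=True)
class Uevent:
    action: str
    devpath: str
    props: Dict[str, str]


def parse_uevent(raw: bytes) -> Uevent:
    """Decode one raw uevent message; raise ValueError on anything malformed."""
    parts = raw.split(b"\0")
    if not parts or b"@" not in parts[0]:
        raise ValueError("missing ACTION@DEVPATH header")
    action, devpath = parts[0].decode("ascii", "strict").split("@", 1)
    props: Dict[str, str] = {}
    for p in parts[1:]:
        if not p:
            continue  # the trailing NUL produces an empty field; skip it
        if b"=" not in p:
            raise ValueError(f"malformed property: {p!r}")
        key, value = p.decode("ascii", "strict").split("=", 1)
        props[key] = value
    # The header must agree with the ACTION=/DEVPATH= properties; a mismatch means
    # a corrupted message or a sender that is not the kernel, so reject it.
    if props.get("ACTION", action) != action or props.get("DEVPATH", devpath) != devpath:
        raise ValueError("header does not match ACTION/DEVPATH properties")
    return Uevent(action, devpath, props)


def serialize_uevent(ev: Uevent) -> bytes:
    """Re-encode an event in the same wire format so the host can replay it."""
    fields = [f"{ev.action}@{ev.devpath}".encode("ascii")]
    fields += [f"{k}={v}".encode("ascii") for k, v in ev.props.items()]
    return b"\0".join(fields) + b"\0"


# Policy: container name -> list of (SUBSYSTEM, devpath prefix) rules.
# An event reaches a container only if one of its rules matches; with no
# match the event stays host-only (default deny).
Policy = Dict[str, List[Tuple[str, str]]]


def route_uevent(ev: Uevent, policy: Policy) -> List[str]:
    """Return the containers that should receive a replay of this event."""
    subsystem = ev.props.get("SUBSYSTEM", "")
    targets: List[str] = []
    for container, rules in policy.items():
        for subsys, prefix in rules:
            if subsystem == subsys and ev.devpath.startswith(prefix):
                targets.append(container)
                break
    return targets


def open_uevent_socket() -> socket.socket:
    """Open a raw netlink socket subscribed to kernel uevent multicast group 1.

    Linux only; not called by the offline demo below.
    """
    s = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_KOBJECT_UEVENT)
    s.bind((0, 1))  # pid 0 lets the kernel pick; group bitmask 1 = kernel uevents
    return s


# Constructed sample: a USB keyboard appearing on the host.
SAMPLE_UEVENT = (
    b"add@/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/input/input5/event4\0"
    b"ACTION=add\0"
    b"DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/input/input5/event4\0"
    b"SUBSYSTEM=input\0MAJOR=13\0MINOR=68\0DEVNAME=input/event4\0SEQNUM=1234\0"
)

# Constructed policy: each desktop container owns the input devices on one USB port.
SAMPLE_POLICY: Policy = {
    "desk-alice": [("input", "/devices/pci0000:00/0000:00:14.0/usb1/1-1/")],
    "desk-bob": [("input", "/devices/pci0000:00/0000:00:14.0/usb1/1-2/")],
}


def demo() -> Tuple[Uevent, List[str], bytes]:
    """Parse the sample, route it, and build the replay bytes."""
    ev = parse_uevent(SAMPLE_UEVENT)
    return ev, route_uevent(ev, SAMPLE_POLICY), serialize_uevent(ev)


if __name__ == "__main__":
    event, targets, replay = demo()
    print(f"{event.action} {event.devpath} -> {targets} ({len(replay)} bytes to replay)")
```

In a live daemon the loop would be `recv` on `open_uevent_socket()`, `parse_uevent`, `route_uevent`, then hand `serialize_uevent` output to whatever injection path the host exposes to each container; the checks in `parse_uevent` are what keep a malformed or spoofed message from being forwarded, and the default-deny policy is what keeps an event for one user's keyboard out of every other container.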