On Wed, Mar 14, 2018 at 10:22:03AM -0700, Mahesh Bandewar (महेश बंडेवार) wrote: > On Tue, Mar 13, 2018 at 8:39 PM, Alexei Starovoitov <a...@kernel.org> wrote: > > For our container management we've been using complicated and fragile setup > > consisting of LD_PRELOAD wrapper intercepting bind and connect calls from > > all containerized applications. > > The setup involves per-container IPs, policy, etc, so traditional > > network-only solutions that involve VRFs, netns, acls are not applicable. > You can keep the policies per cgroup but move the ip from cgroup to > net-ns and then none of these ebpf hacks are required since cgroup and > namespaces are orthogonal you can use cgroups in conjunction with > namespaces.
answered in reply to Eric. Pls follow up there if it's still not clear.
