Hi Folks,
I am just trying to wrap my head around Zun's sandboxing and Clear
Containers. From what Hongbin said in Barcelona (see the attached picture, which
I scraped from his video),
[attached image: slide from Hongbin's Barcelona talk showing the Zun sandbox layout]
the current implementation in Zun is that the sandbox is the outer container and
the real user container is nested inside the sandbox. I am trying to figure out
how this is going to play out when we have Clear Containers.
I envision the following scenarios:
1) Scenario 1: the sandbox itself is a Clear Container and the user nests
another Clear Container inside the sandbox. This is like nested
virtualization.
But I am not sure how this is going to work, since the nested containers won't
get the VT-d CPU flags.
2) Scenario 2: the outer sandbox is just a standard Docker container without
VT-d, and the inner container is the real Clear Container with VT-d. Now this
might work well, but we might be losing the isolation features for the network
and storage, which lie open in the sandbox. Won't this defeat the whole purpose
of using Clear Containers?
I am just wondering what is the thought process for this design inside zun. If
this is trivial and if I am missing something please shed some light :).
Thanks
Surya ( spn )
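A practical way to check the concern raised in Scenario 1 and Scenario 2 is to test, from inside the sandbox, whether a Clear Container could actually start there. Clear Containers run each container as a KVM guest, so the environment needs the hardware virtualization CPU flag (Intel VT-x appears as "vmx" in /proc/cpuinfo, AMD-V as "svm"; VT-d is a separate IOMMU feature and is not what KVM needs to boot a guest) and a usable /dev/kvm. The script below is an added example written for this thread; it is not code from the original mail, from Zun or from the Clear Containers project. The function names are hypothetical, and the two cpuinfo fragments it feeds itself are constructed, not captured from a real machine. The third call inspects the machine it runs on, so running it inside a Zun sandbox shows which of the two failure modes (flags hidden from a nested guest, or /dev/kvm not passed into the sandbox) applies.

```shell
#!/bin/sh
# Added example for the Zun/Clear Containers thread (hypothetical helpers,
# not project code). Checks whether the current environment exposes what a
# Clear Container, i.e. a KVM guest per container, needs in order to boot.

# Returns 0 if the cpuinfo text at $1 lists a hardware-virtualization flag
# (Intel VT-x shows up as "vmx", AMD-V as "svm").
has_hw_virt_flags() {
    grep -qE '^flags[[:space:]]*:.*(^|[[:space:]])(vmx|svm)([[:space:]]|$)' "$1" 2>/dev/null
}

# Returns 0 if the KVM device ($1, default /dev/kvm) is a character device
# we can open for read and write, which is what the VMM will try to do.
has_kvm_device() {
    dev="${1:-/dev/kvm}"
    [ -c "$dev" ] && [ -r "$dev" ] && [ -w "$dev" ]
}

# Prints "ready" if a Clear Container could start here, otherwise the reason:
#   no-vmx-svm     flags hidden, e.g. a nested guest without nested virt enabled
#   no-kvm-device  CPU supports it, but /dev/kvm was not passed into the sandbox
clear_container_readiness() {
    cpuinfo="${1:-/proc/cpuinfo}"
    kvmdev="${2:-/dev/kvm}"
    if ! has_hw_virt_flags "$cpuinfo"; then
        echo "no-vmx-svm"
    elif ! has_kvm_device "$kvmdev"; then
        echo "no-kvm-device"
    else
        echo "ready"
    fi
}

# Constructed sample cpuinfo fragments (not captured from a real host).
# The "guest" sample carries the "hypervisor" flag but no vmx/svm, which is
# what a VM without nested virtualization typically shows.
write_sample_cpuinfo() {
    f=$(mktemp)
    printf 'processor : 0\nflags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca %s\n' "$1" > "$f"
    echo "$f"
}

main() {
    host_sample=$(write_sample_cpuinfo "vmx ept")
    guest_sample=$(write_sample_cpuinfo "hypervisor")
    # /dev/null stands in for /dev/kvm in the sample runs: it is a readable,
    # writable character device, so only the CPU-flag check differs.
    echo "host-like cpuinfo:  $(clear_container_readiness "$host_sample" /dev/null)"
    echo "guest-like cpuinfo: $(clear_container_readiness "$guest_sample" /dev/null)"
    if [ -r /proc/cpuinfo ]; then
        echo "this environment:   $(clear_container_readiness)"
    else
        echo "this environment:   no /proc/cpuinfo (not Linux), skipping"
    fi
    rm -f "$host_sample" "$guest_sample"
}
main "$@"
```

Run it on the bare host first to confirm it prints "ready" for the host, then `docker exec` it inside the outer sandbox container: the Scenario 2 layout should report "no-kvm-device" unless the sandbox was started with `--device /dev/kvm`, while a nested guest in the Scenario 1 layout reports "no-vmx-svm" unless the outer VM was created with nested virtualization turned on.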
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: [email protected]?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev