| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <45D110A3.1010502@vilain.net> Date: Tue, 13 Feb 2007 14:13:07 +1300 From: Sam Vilain <sam@...ain.net> To: Paul Menage <menage@...gle.com> Cc: vatsa@...ibm.com, sekharan@...ibm.com, ckrm-tech@...ts.sourceforge.net, linux-kernel@...r.kernel.org, xemul@...ru, dev@...ru, rohitseth@...gle.com, pj@....com, ebiederm@...ssion.com, winget@...gle.com, containers@...ts.osdl.org, serue@...ibm.com Subject: Re: [ckrm-tech] [PATCH 0/7] containers (V7): Generic Process Containers Paul Menage wrote: >> Ask yourself this - what do you need the container structure for so >> badly, that virtualising the individual resources does not provide for? >> > Primarily, that otherwise every module that wants to affect/monitor > behaviour of a group of associated processes has to implement its own > process grouping abstraction. > Not every module, you just make them on sensible, planned groupings. The danger is that the "container" group becomes a fallback grouping for things when people can't be bothered thinking about it properly, and everything including the kitchen sink gets thrown in. Then later you find a real use case where you don't want them together, but it's too late because it's already a part of the official API. > As an example, the CPU accounting patch that in included in my patch > set as an illustration of a simple resource monitoring module is just > 250 lines, almost entirely in one file; if it also had to handle > associating tasks together into groups and presenting a filesystem > interface to the user it would be far larger and would have a much > bigger footprint on the kernel. > It's also less flexible. What if I want to do CPU accounting on some other boundaries than the "virtual server" a process is a part of? > From the point of view of the virtual server containers, the advantage > is that you're integrated with a standard filesystem interface for > determining group membership. It does become simpler to combine > virtual servers and resource controllers, although I grant you that > you could juggle that from userspace without the additional kernel > support. > I'm not disagreeing it's a pragmatic shortcut that has been successful for a number of projects including vserver which I use every day. But it reduces "synergy" by excluding the people working with virtualisation in ways that don't fit its model. Yes, there should be a similarity in the way that you manage namespaces and it should be easy to develop new namespaces without constantly re-inventing the wheel. But why does that imply making binding decisions about the nature of how you can virtualise? IMHO those decisions should be made on a per-subsystem basis. Sam. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists