16
edits
Changes
New page: Intros (8:36am) Dave Hansen Eric Biederman Jason Byron redhat Joe Rusio - evergreen Joe McDonald HP China Sonny Rao HP ...
Intros (8:36am)
Dave Hansen
Eric Biederman
Jason Byron redhat
Joe Rusio - evergreen
Joe McDonald
HP China
Sonny Rao
HP
HP
Matine Silberman HP
Sandy Harris
NEC Japan
John Schultz aol
Pavel E., Parallels
Denis L., Parallels
(?)
Benjamin
Daniel
Serge
On Phone:
Amy Griffith HP
(Later walk-ins)
Topics:
Why do various companies want containers?
ibm: workload management
EB: using containers as improved chroot
HP: wants similar to ibm, plus security
parallels: hosted providers
sysfs issues
EB gives status: should go into next merge window
mini-namespaces
NFS
clients should behave differently on diff. containers
currently uses single sunrpc transport for all containers
Dave: is there a list of all openvz mini-ns?
EB:
proposal:
create little filesystems
still store everything in nsproxy
currently:
some people want same process in different netns's
almost possible now, but can't open new sockets
namespace enter:
3 purposes
login
monitoring
configuring
may be worth prototyping the proposal
address mqns, or sunrpc, or fuse?
DH:
openvz addresses this using one big clone(), right?
(yes)
userid namespaces
EB summarizes his proposal
userid ns is unsharable without privilege
userids, capabilities, security labels become ns-local
hierarchical like pidns
openvz: just does chroot
DH:
observers that system vs. app containers have different requirements
EB:
so with userid namespaces, user has god-like powers over created namespaces
EB+SH will talk about hacking something this week during ols
Uses:
user unttrusted mounts
build systems
device namespaces
tty namespaces rejected
should be solved with generic device namespaces
virtualize the major:minor->device mapping
reserved device numbers (unnamed)
created with /proc?
get_unnamed_device()
tty ideas:
use selinux ptys
use user namespaces
use legacy ptys
leverage ptyfs
Suka is not on, so he gets volunteered to do pure /dev/pts fs approach
per-container LSMs:
SH: thinks LSMs should handle it
EB:
original purpose of chroot
set up policies from inside container
creating smack container inside selinux would be ideal
entering a container
netns: identified using pid of a ns
sh: can we solve this using EB's namespace filesystems proposal?
(EB goes to the board to demonstrate his proposal)
PM: Can we use control groups?
PE: Can we re-use /proc/pid/ ?
EB: could have a ns with no processes in it
Example of command using this:
ip set eth0 netns <pid>
becomes
ip set eth0 netns /proc/<pid>/
DL:
a real netns problem is knowing when a childns has died
the netnsfs mount could solve that
PE: EB, can you send POC patches for the namespace?
EB and EM will both send their own POC.
DL: people have complained about needing CAP_SYS_ADMIN to unshare ns
EB: example, setuid root sysvipc-using program could be fooled
PE: Entering a container:
Dave Hansen
Eric Biederman
Jason Byron redhat
Joe Rusio - evergreen
Joe McDonald
HP China
Sonny Rao
HP
HP
Matine Silberman HP
Sandy Harris
NEC Japan
John Schultz aol
Pavel E., Parallels
Denis L., Parallels
(?)
Benjamin
Daniel
Serge
On Phone:
Amy Griffith HP
(Later walk-ins)
Topics:
Why do various companies want containers?
ibm: workload management
EB: using containers as improved chroot
HP: wants similar to ibm, plus security
parallels: hosted providers
sysfs issues
EB gives status: should go into next merge window
mini-namespaces
NFS
clients should behave differently on diff. containers
currently uses single sunrpc transport for all containers
Dave: is there a list of all openvz mini-ns?
EB:
proposal:
create little filesystems
still store everything in nsproxy
currently:
some people want same process in different netns's
almost possible now, but can't open new sockets
namespace enter:
3 purposes
login
monitoring
configuring
may be worth prototyping the proposal
address mqns, or sunrpc, or fuse?
DH:
openvz addresses this using one big clone(), right?
(yes)
userid namespaces
EB summarizes his proposal
userid ns is unsharable without privilege
userids, capabilities, security labels become ns-local
hierarchical like pidns
openvz: just does chroot
DH:
observers that system vs. app containers have different requirements
EB:
so with userid namespaces, user has god-like powers over created namespaces
EB+SH will talk about hacking something this week during ols
Uses:
user unttrusted mounts
build systems
device namespaces
tty namespaces rejected
should be solved with generic device namespaces
virtualize the major:minor->device mapping
reserved device numbers (unnamed)
created with /proc?
get_unnamed_device()
tty ideas:
use selinux ptys
use user namespaces
use legacy ptys
leverage ptyfs
Suka is not on, so he gets volunteered to do pure /dev/pts fs approach
per-container LSMs:
SH: thinks LSMs should handle it
EB:
original purpose of chroot
set up policies from inside container
creating smack container inside selinux would be ideal
entering a container
netns: identified using pid of a ns
sh: can we solve this using EB's namespace filesystems proposal?
(EB goes to the board to demonstrate his proposal)
PM: Can we use control groups?
PE: Can we re-use /proc/pid/ ?
EB: could have a ns with no processes in it
Example of command using this:
ip set eth0 netns <pid>
becomes
ip set eth0 netns /proc/<pid>/
DL:
a real netns problem is knowing when a childns has died
the netnsfs mount could solve that
PE: EB, can you send POC patches for the namespace?
EB and EM will both send their own POC.
DL: people have complained about needing CAP_SYS_ADMIN to unshare ns
EB: example, setuid root sysvipc-using program could be fooled
PE: Entering a container: