https://wiki.openvz.org/api.php?action=feedcontributions&feedformat=atom&user=DhavalOpenVZ Virtuozzo Containers Wiki - User contributions [en]2026-06-10T00:59:07ZUser contributionsMediaWiki 1.31.1https://wiki.openvz.org/index.php?title=Containers/Mini-summit_2008_notes&diff=6229Containers/Mini-summit 2008 notes2008-07-22T15:08:26Z<p>Dhaval: </p>
<hr />
<div>[[Category: Containers]]<br />
<br />
Intros (8:36am)<br />
<br />
Dave Hansen<br />
Eric Biederman<br />
Jason Byron, Red Hat<br />
Joe Rusio, Evergreen<br />
Joe McDonald<br />
HP China<br />
Sonny Rao<br />
HP<br />
HP<br />
Matine Silberman HP<br />
Sandy Harris<br />
NEC Japan<br />
John Schultz, AOL<br />
Pavel Emelyanov, Parallels/OpenVZ<br />
Denis Lunev, Parallels/OpenVZ<br />
Constant Chan<br />
Benjamin Thery, Bull<br />
Daniel Lezcano, IBM<br />
Serge Hallyn, IBM<br />
<br />
On Phone:<br />
Amy Griffith HP<br />
Dhaval Giani, IBM<br />
<br />
(Later walk-ins)<br />
<br />
Topics:<br />
<br />
Why do various companies want containers?<br />
ibm: workload management<br />
EB: using containers as improved chroot<br />
HP: wants similar to ibm, plus security<br />
parallels: hosted providers<br />
<br />
sysfs issues<br />
EB gives status: should go into next merge window<br />
<br />
mini-namespaces<br />
NFS<br />
clients should behave differently on diff. containers<br />
currently uses single sunrpc transport for all containers<br />
Dave: is there a list of all openvz mini-ns?<br />
EB:<br />
proposal:<br />
create little filesystems<br />
still store everything in nsproxy<br />
currently:<br />
some people want same process in different netns's<br />
almost possible now, but can't open new sockets<br />
namespace enter:<br />
3 purposes<br />
login<br />
monitoring<br />
configuring<br />
may be worth prototyping the proposal<br />
address mqns, or sunrpc, or fuse?<br />
DH:<br />
openvz addresses this using one big clone(), right?<br />
(yes)<br />
<br />
userid namespaces<br />
EB summarizes his proposal<br />
userid ns is unsharable without privilege<br />
userids, capabilities, security labels become ns-local<br />
hierarchical like pidns<br />
openvz: just does chroot<br />
DH:<br />
observers that system vs. app containers have different requirements<br />
EB:<br />
so with userid namespaces, user has god-like powers over created namespaces<br />
EB+SH will talk about hacking something this week during ols<br />
Uses:<br />
user unttrusted mounts<br />
build systems<br />
<br />
device namespaces<br />
tty namespaces rejected<br />
should be solved with generic device namespaces<br />
virtualize the major:minor->device mapping<br />
reserved device numbers (unnamed)<br />
created with /proc?<br />
get_unnamed_device()<br />
tty ideas:<br />
use selinux ptys<br />
use user namespaces<br />
use legacy ptys<br />
leverage ptyfs<br />
Suka is not on, so he gets volunteered to do pure /dev/pts fs approach<br />
<br />
per-container LSMs:<br />
SH: thinks LSMs should handle it<br />
EB:<br />
original purpose of chroot<br />
set up policies from inside container<br />
creating smack container inside selinux would be ideal<br />
<br />
entering a container<br />
netns: identified using pid of a ns<br />
sh: can we solve this using EB's namespace filesystems proposal?<br />
(EB goes to the board to demonstrate his proposal)<br />
PM: Can we use control groups?<br />
PE: Can we re-use /proc/pid/ ?<br />
EB: could have a ns with no processes in it<br />
Example of command using this:<br />
ip set eth0 netns <pid><br />
becomes<br />
ip set eth0 netns /proc/<pid>/<br />
DL:<br />
a real netns problem is knowing when a childns has died<br />
the netnsfs mount could solve that<br />
PE: EB, can you send POC patches for the namespace?<br />
EB and EM will both send their own POC.<br />
<br />
DL: people have complained about needing CAP_SYS_ADMIN to unshare ns<br />
EB: example, setuid root sysvipc-using program could be fooled<br />
<br />
PE: Entering a container:<br />
reasons:<br />
monitoring<br />
enter an administrative command<br />
DH: how do you do it now?<br />
PE: numerical ID for each VE, use it to enter<br />
EB:<br />
one need for entering: /sbin/hotplug<br />
(someone): does hijack suffice?<br />
EB: two cases:<br />
partial entering<br />
full entering<br />
sys_hijack does not address partial entering<br />
DH:<br />
why need partial entering?<br />
fs stuff can be done without entering<br />
PM: privileged process<br />
PE:<br />
will look at hijack patches<br />
someone will re-send hijack to containers@<br />
EB:<br />
if we can do sys_hijack cleanly,<br />
we can use it to solve kthread problem</div>Dhavalhttps://wiki.openvz.org/index.php?title=Containers/Mini-summit_2008&diff=4110Containers/Mini-summit 20082008-01-31T08:17:53Z<p>Dhaval: /* List of attendees */</p>
<hr />
<div>There are plans to organize a containers mini-summit at the OLS'08. This page is for organizing this mini-summit. Feel free to edit.<br />
<br />
'''When''': before 23rd of July 2008 (on a day before the OLS itself)<br/><br />
'''Where''': Ottawa, ON, Canada.<br />
<br />
== Proposal ==<br />
<br />
A mini-summit proposal to be sent to OLS organizers. See [[{{PAGENAME}}/Proposal]].<br />
<br />
== Topics to discuss ==<br />
<br />
* Device accessibility cgroup (maybe with remap ability)<br />
* TTYs<br />
* Syslog<br />
* Checkpoint/restart<br />
* Memory controllers<br />
* more?..<br />
<br />
== List of attendees ==<br />
Please fill in your name here if you are going to attend, or email kir at openvz dot org if you are too lazy. Surely the list is not final, so put your name even if you are not sure you can make it.<br />
<br />
This list is in no particular order.<br />
<br />
<!-- Put this in three columns if browser is smart enough --><br />
<div style="-moz-column-count:3; -webkit-column-count:3; column-count:3; text-align: left; background: #fefef0; border: 1px solid #ddddc0;"><br />
# Kir Kolyshkin<br />
# Pavel Emelyanov<br />
# Denis Lunev<br />
# Andrey Mirkin<br />
# Serge Hallyn<br />
# Dave Hansen<br />
# Cedric Le Goater<br />
# Daniel Lezcano<br />
# Srivatsa Vaddagiri<br />
# Balbir Singh<br />
# Sukadev Bhattiprolu<br />
# Paul Menage<br />
# Eric W. Biederman<br />
# Oren Laadan<br />
# Yamamoto Takashi<br />
# Kamezawa Hiroyuki<br />
# Benjamin Thery<br />
# Herbert Pötzl<br />
# Oleg Nesterov<br />
# Dhaval Giani<br />
</div><br />
<br />
== Agenda ==<br />
<br />
TODO<br />
<br />
== See also ==<br />
* http://www.linuxsymposium.org/2008/cfp.php — OLS call for papers<br />
* https://lists.linux-foundation.org/pipermail/containers/2008-January/009688.html<br />
<br />
[[Category: Containers]]<br />
[[Category: Events]]</div>Dhaval