Daniel Lezcano wrote:
> 
> Yep, I changed my mind, I think Eric and HPA are right. devpts is a 
> file system and not a namespace even if the result is the same. That 
> makes sense to keep a global sysctl for the root container and handle 
> security problem with user namespace and mount option.
> 

No, it's more dramatic than that.

Namespaces are not resource allocation boundaries, even though in the 
container use case you probably want both.

Furthermore, namespaces are relatively straightforward in comparison: 
you generally either want to share a namespace or you don't.  Resource 
control policies are much more complex.  In the general case you want to 
be able to support a hierarchical cascade of policies; at the least you 
want to have global and local limits.

Furthermore, there are a number of use cases for resource allocation 
boundaries that do *not* involve namespaces.

        -hpa
_______________________________________________
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers

_______________________________________________
Devel mailing list
Devel@openvz.org
https://openvz.org/mailman/listinfo/devel
