Serge Hallyn <se...@hallyn.com> writes:

>>> That's what I said a few emails ago :) The device cgroup was meant as
>>> a short-term workaround for lack of user (and device) namespaces.
>>
>> I am saying something stronger. The device cgroup doesn't seem to have
>> a practical function now.
>
> "Now" is wrong. The user namespace is not complete and not yet usable for a
> full system container. We still need the device control group.
Dropping cap mknod, and not having any device nodes you can mount a
filesystem with device nodes from, plus mount namespace work to only allow
you access to proper device nodes, should work today. And I admit the user
namespace as I have it coded in my tree does make this simpler. But I agree
"Now" is too soon until we have actually demonstrated something else.

Eric
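The approach Eric sketches (no CAP_MKNOD in the container, and every mount it can see carrying `nodev` so no filesystem can supply device nodes) can be audited from inside a container by reading `/proc/self/status` and `/proc/self/mounts`. The script below is an added example, not code from the thread or from any kernel tree; it parses those two formats and runs over constructed sample data so it needs no root. The capability number 27 for CAP_MKNOD is the value from `linux/capability.h`; the sample mount table and capability masks are made up for the demonstration.

```shell
#!/bin/sh
# Added example: audit whether a container view satisfies the two controls
# discussed above (CAP_MKNOD dropped, all mounts nodev). Sample inputs are
# constructed; on a real system feed it /proc/self/status and /proc/self/mounts.

CAP_MKNOD=27   # capability number from linux/capability.h

# has_cap_mknod HEXMASK
# HEXMASK is the value of a CapBnd:/CapEff: line from /proc/<pid>/status.
# Returns 0 (true) if CAP_MKNOD is present in that mask.
has_cap_mknod() {
    mask=$1
    [ $(( (0x$mask >> CAP_MKNOD) & 1 )) -eq 1 ]
}

# mounts_without_nodev < mounts-text
# Reads /proc/mounts-formatted lines from stdin and prints one line for each
# mount whose options lack "nodev". Returns 1 if any such mount was found,
# 0 if every mount forbids device nodes.
mounts_without_nodev() {
    found=0
    while read -r dev mnt fstype opts rest; do
        [ -z "$mnt" ] && continue
        case ",$opts," in
            *,nodev,*) ;;
            *) echo "$mnt ($fstype) is mounted without nodev"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample data (not from a real system).
SAMPLE_CAPBND_FULL=0000003fffffffff      # all 38 caps set, CAP_MKNOD present
SAMPLE_CAPBND_DROPPED=0000003ff7ffffff   # same mask with bit 27 cleared
SAMPLE_MOUNTS='overlay / overlay rw,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Run the audit over the samples. On a live container use instead:
#   has_cap_mknod "$(sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status)"
#   mounts_without_nodev < /proc/self/mounts
if has_cap_mknod "$SAMPLE_CAPBND_DROPPED"; then
    echo "CAP_MKNOD is still in the bounding set"
else
    echo "CAP_MKNOD has been dropped from the bounding set"
fi
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_without_nodev \
    || echo "at least one mount could expose device nodes"
```

In the sample, `/` and `/dev` lack `nodev`, so the audit flags both; a container set up the way the message describes would report neither, and the `CapBnd` line would show bit 27 clear.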