Re: [libvirt] kernel summit topic - 'containers end-game'
Serge E. Hallyn wrote: Quoting Balbir Singh (bal...@linux.vnet.ibm.com): On Tue, Jun 23, 2009 at 8:26 PM, Serge E. Hallynse...@us.ibm.com wrote: A topic on ksummit agenda is 'containers end-game and how do we get there'. So for starters, looking just at application (and system) containers, what do the libvirt and liblxc projects want to see in kernel support that is currently missing? Are there specific things that should be done soon to make containers more useful and usable? More generally, the topic raises the question... what 'end-games' are there? A few I can think of off-hand include: 1. resource control We intend to hold a io-controller minisummit before KS, we should have updates on that front. We also need to discuss CPU hard limits and Memory soft limits. We need control for memory large page, mlock, OOM notification support, shared page accounting, etc. Eventually on the libvirt front, we want to isolate cgroup and lxc support into individual components (long term) Thanks, Balbir. By the last sentence, are you talking about having cgroup in its own libcgroup, or do you mean something else? On the topic of cgroups, does anyone not agree that we should try to get rid of the ns cgroup, at least once user namespaces can prevent root in a container from escaping their cgroup? I agree if there is a compatibility flag to clone the parent when creating a new cgroup, as suggested Paul. Thanks -- Daniel -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] kernel summit topic - 'containers end-game'
Quoting Balbir Singh (bal...@linux.vnet.ibm.com): On Tue, Jun 23, 2009 at 8:26 PM, Serge E. Hallynse...@us.ibm.com wrote: A topic on ksummit agenda is 'containers end-game and how do we get there'. So for starters, looking just at application (and system) containers, what do the libvirt and liblxc projects want to see in kernel support that is currently missing? Are there specific things that should be done soon to make containers more useful and usable? More generally, the topic raises the question... what 'end-games' are there? A few I can think of off-hand include: 1. resource control We intend to hold a io-controller minisummit before KS, we should have updates on that front. We also need to discuss CPU hard limits and Memory soft limits. We need control for memory large page, mlock, OOM notification support, shared page accounting, etc. Eventually on the libvirt front, we want to isolate cgroup and lxc support into individual components (long term) Thanks, Balbir. By the last sentence, are you talking about having cgroup in its own libcgroup, or do you mean something else? On the topic of cgroups, does anyone not agree that we should try to get rid of the ns cgroup, at least once user namespaces can prevent root in a container from escaping their cgroup? thanks, -serge -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] kernel summit topic - 'containers end-game'
* Serge E. Hallyn se...@us.ibm.com [2009-06-30 15:06:13]: Quoting Balbir Singh (bal...@linux.vnet.ibm.com): On Tue, Jun 23, 2009 at 8:26 PM, Serge E. Hallynse...@us.ibm.com wrote: A topic on ksummit agenda is 'containers end-game and how do we get there'. So for starters, looking just at application (and system) containers, what do the libvirt and liblxc projects want to see in kernel support that is currently missing? Are there specific things that should be done soon to make containers more useful and usable? More generally, the topic raises the question... what 'end-games' are there? A few I can think of off-hand include: 1. resource control We intend to hold a io-controller minisummit before KS, we should have updates on that front. We also need to discuss CPU hard limits and Memory soft limits. We need control for memory large page, mlock, OOM notification support, shared page accounting, etc. Eventually on the libvirt front, we want to isolate cgroup and lxc support into individual components (long term) Thanks, Balbir. By the last sentence, are you talking about having cgroup in its own libcgroup, or do you mean something else? On the topic of cgroups, does anyone not agree that we should try to get rid of the ns cgroup, at least once user namespaces can prevent root in a container from escaping their cgroup? I would have no objections to trying to obsolete ns cgroup once user namespaces can do what you suggest. -- Balbir -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] kernel summit topic - 'containers end-game'
On Tue, Jun 23, 2009 at 8:26 PM, Serge E. Hallynse...@us.ibm.com wrote: A topic on ksummit agenda is 'containers end-game and how do we get there'. So for starters, looking just at application (and system) containers, what do the libvirt and liblxc projects want to see in kernel support that is currently missing? Are there specific things that should be done soon to make containers more useful and usable? More generally, the topic raises the question... what 'end-games' are there? A few I can think of off-hand include: 1. resource control We intend to hold a io-controller minisummit before KS, we should have updates on that front. We also need to discuss CPU hard limits and Memory soft limits. We need control for memory large page, mlock, OOM notification support, shared page accounting, etc. Eventually on the libvirt front, we want to isolate cgroup and lxc support into individual components (long term) 2. lightweight virtual servers 3. (or 2.5) unprivileged containers/jail-on-steroids (lightweight virtual servers in which you might, just maybe, almost, be able to give away a root account, at least as much as you could do so with a kvm/qemu/xen partition) 4. checkpoint, restart, and migration For each end-game, what kernel pieces do we think are missing? For instance, people seem agreed that resource control needs io control :) Containers imo need a user namespace. I think there are quite a few network namespace exploiters who require sysfs directory tagging (or some equivalent) to allow us to migrate physical devices into network namespaces. And checkpoint/restart needs... checkpoint/restart. Balbir Singh -- Libvir-list mailing list Libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list