"Serge E. Hallyn" writes:
>> I was aware of FUSE but hadn't ever looked at it much. Looking at it
>> now, this isn't going to satisfy any of the use cases I know about,
>> which are wanting to use filesystems supported in-kernel (isofs, ext*).
>> I don't see that any of these have a FUSE implement
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Mon, 2014-05-26 at 00:24 +0200, Serge E. Hallyn wrote:
> > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > > > Quoting James Bottomley (james.botto
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Fri, May 23, 2014 at 03:23:50PM -0700, Eric W. Biederman wrote:
> > Serge Hallyn writes:
> >
> > > Quoting Eric W. Biederman (ebied...@xmission.com):
> > >>
> > >>
> > >> >> Ultimately the technical challenge is how do we create a block de
On Fri, May 23, 2014 at 03:23:50PM -0700, Eric W. Biederman wrote:
> Serge Hallyn writes:
>
> > Quoting Eric W. Biederman (ebied...@xmission.com):
> >>
> >>
> >> >> Ultimately the technical challenge is how do we create a block device
> >> >> that is safe for a user who does not have any capabi
On Mon, 2014-05-26 at 00:24 +0200, Serge E. Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > > On Fri, 2014-05-23 at 11:20 +0300, M
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > > > On 05/20/2014 05:19 PM, Serge Hallyn
On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > > On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > > > Quoting Andy Lutomirski (l...@amacapital.net):
> > > >> On
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > > Quoting Andy Lutomirski (l...@amacapital.net):
> > >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> > >>>
> > >>>
Serge Hallyn writes:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>>
>>
>> >> Ultimately the technical challenge is how do we create a block device
>> >> that is safe for a user who does not have any capabilities to use, and
>> >> what can we do with that block device to make it useful.
On Fri, May 23, 2014 at 6:16 AM, James Bottomley
wrote:
> On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
>> On 05/20/2014 05:19 PM, Serge Hallyn wrote:
>> > Quoting Andy Lutomirski (l...@amacapital.net):
>> >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>> >>>
>> >>> Quoting Richa
On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> >>>
> >>> Quoting Richard Weinberger (rich...@nod.at):
> Am 15.05.2014 21:50, sch
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>>>
>>> Quoting Richard Weinberger (rich...@nod.at):
On 15.05.2014 21:50, Serge Hallyn wrote:
>>>
Quoting Eric W. Biederman (ebied...@xmission.com):
>
>
> >> Ultimately the technical challenge is how do we create a block device
> >> that is safe for a user who does not have any capabilities to use, and
> >> what can we do with that block device to make it useful.
> >
> > Yes, and I'd like to
>> Ultimately the technical challenge is how do we create a block device
>> that is safe for a user who does not have any capabilities to use, and
>> what can we do with that block device to make it useful.
>
> Yes, and I'd like to get started solving those challenges. But I also
> don't think we
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Quoting Seth Forshee (seth.fors...@canonical.com):
> > On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > > Quoting Seth Forshee (seth.fors...@canonical.com):
> > > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrot
On Mon, May 19, 2014 at 05:04:55PM -0700, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > What I set out for was feature parity between loop devices in a secure
> > container and loop devices on the host. Since some operations currently
> > check for system-wide CAP_SYS_ADMIN, the only way
Quoting Andy Lutomirski (l...@amacapital.net):
> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> >
> > Quoting Richard Weinberger (rich...@nod.at):
> > > On 15.05.2014 21:50, Serge Hallyn wrote:
> > > > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> > > >> On Thu, May 15, 2014
Quoting Michael H. Warfield (m...@wittsend.com):
> On Mon, 2014-05-19 at 17:04 -0700, Eric W. Biederman wrote:
> > Seth Forshee writes:
> >
> > > What I set out for was feature parity between loop devices in a secure
> > > container and loop devices on the host. Since some operations currently
>
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > Quoting Seth Forshee (seth.fors...@canonical.com):
> > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > > Greg Kroah-Hartman writes:
> > > >
> > > >
On Mon, 2014-05-19 at 17:04 -0700, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > What I set out for was feature parity between loop devices in a secure
> > container and loop devices on the host. Since some operations currently
> > check for system-wide CAP_SYS_ADMIN, the only way I see t
Seth Forshee writes:
> What I set out for was feature parity between loop devices in a secure
> container and loop devices on the host. Since some operations currently
> check for system-wide CAP_SYS_ADMIN, the only way I see to accomplish
> this is to push knowledge of the user namespace farther
On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>
> Quoting Richard Weinberger (rich...@nod.at):
> > On 15.05.2014 21:50, Serge Hallyn wrote:
> > > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> > >> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> > >> wrote:
> > >>> Then
On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> Quoting Seth Forshee (seth.fors...@canonical.com):
> > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > Greg Kroah-Hartman writes:
> > >
> > > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > Greg Kroah-Hartman writes:
> >
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > >> > I think having to pick and choose what device nodes you want in a
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > > On Fri, May 16, 2014 at
On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> Greg Kroah-Hartman writes:
>
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> >> > I think having to pick and choose what device nodes you want in a
> >> > container is a good thing. Besides, you would have t
On Thu, 2014-05-15 at 21:35 -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > I think having to pick and choose what device nodes you want in a
> > > container is a good thing. Besides, you would have to do the same thing
> > > in the kernel any
Greg Kroah-Hartman writes:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
>> > I think having to pick and choose what device nodes you want in a
>> > container is a good thing. Besides, you would have to do the same thing
>> > in the kernel anyway, what's wrong with userspace ma
On Fri, May 16, 2014 at 12:28:35PM -0700, James Bottomley wrote:
> On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > > On Fri, May 16, 2014 at
On Fri, 2014-05-16 at 12:20 -0700, James Bottomley wrote:
> On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote:
> > On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> > > > PS - Apparently both parallels and Michael independently
> > > > project devices which are hot-plugged o
On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > > I think having to pick a
On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote:
> On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> > > PS - Apparently both parallels and Michael independently
> > > project devices which are hot-plugged on the host into containers.
> > > That also seems like something w
On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > I think having to pick and choose what device nodes you want in a
> > > > container is a good
On Fri, May 16, 2014 at 11:28:28AM -0400, Michael H. Warfield wrote:
> On Fri, 2014-05-16 at 09:06 -0500, Seth Forshee wrote:
> > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > > I think having to pick
On Fri, 2014-05-16 at 09:06 -0500, Seth Forshee wrote:
> On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > I think having to pick and choose what device nodes you want in a
> > > > container is a good thing.
On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > I think having to pick and choose what device nodes you want in a
> > > container is a good thing. Besides, you would have to do the same thing
> > > in the ker
On Fri, May 16, 2014 at 3:42 AM, Michael H. Warfield wrote:
> On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
>> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
>> > What exactly defines '"normal" use case for a container'?
>
>> Well, I'd say "acting like a virtual machi
On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > I think having to pick and choose what device nodes you want in a
> > container is a good thing. Besides, you would have to do the same thing
> > in the kernel anyway, what's wrong with userspace making the decision
> > here, especi
Quoting Greg Kroah-Hartman (gre...@linuxfoundation.org):
> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > What exactly defines '"normal" use case for a container'?
>
> Well, I'd say "acting like a virtual machine" is a good start :)
>
> > Not too long ago much of what we can no
On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > What exactly defines '"normal" use case for a container'?
> Well, I'd say "acting like a virtual machine" is a good start :)
Ok... And virtual machines (VirtualBox, VM
On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> What exactly defines '"normal" use case for a container'?
Well, I'd say "acting like a virtual machine" is a good start :)
> Not too long ago much of what we can now do with network namespaces
> was not a normal container use case.
On 15.05.2014 22:26, Serge E. Hallyn wrote:
> Quoting Richard Weinberger (rich...@nod.at):
>> On 15.05.2014 21:50, Serge Hallyn wrote:
>>> Quoting Richard Weinberger (richard.weinber...@gmail.com):
On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
wrote:
> Then don't use a cont
Quoting Richard Weinberger (rich...@nod.at):
> On 15.05.2014 21:50, Serge Hallyn wrote:
> > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> >> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> >> wrote:
> >>> Then don't use a container to build such a thing, or fix the build
> >
On 15.05.2014 21:50, Serge Hallyn wrote:
> Quoting Richard Weinberger (richard.weinber...@gmail.com):
>> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
>> wrote:
>>> Then don't use a container to build such a thing, or fix the build
>>> scripts to not do that :)
>>
>> I second this.
>> To m
Quoting Richard Weinberger (richard.weinber...@gmail.com):
> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> wrote:
> > Then don't use a container to build such a thing, or fix the build
> > scripts to not do that :)
>
> I second this.
> To me it looks like some folks try to (ab)use Linux c
On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
wrote:
> Then don't use a container to build such a thing, or fix the build
> scripts to not do that :)
I second this.
To me it looks like some folks try to (ab)use Linux containers
for purposes where KVM would much better fit in.
Please don't p
On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > > Serge mentioned something to me about a loopdevfs (?) thing that someone
> > > else is working on. That would seem to be a better solution in this
> > > particular case but I don't know much about it or where it's at.
> >
> > Ok,
Quoting Greg Kroah-Hartman (gre...@linuxfoundation.org):
> On Thu, May 15, 2014 at 09:42:17AM -0400, Michael H. Warfield wrote:
> > On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> > > On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > > > On Wed, May 14, 2014 at 10:17:
On Thu, May 15, 2014 at 09:42:17AM -0400, Michael H. Warfield wrote:
> On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> > On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > > On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > > > Using devtmpfs
On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > > Using devtmpfs is one possible
> > > > > solution, and it would have the added benefit of m
On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > Using devtmpfs is one possible
> > > > solution, and it would have the added benefit of making container setup
> > > > simpler. But simply letting containers
On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > Using devtmpfs is one possible
> > > solution, and it would have the added benefit of making container setup
> > > simpler. But simply letting containers mount devtmpfs isn't sufficient
> > > since the container may need to
On Wed, 2014-05-14 at 18:32 -0700, Greg Kroah-Hartman wrote:
> On Wed, May 14, 2014 at 04:34:48PM -0500, Seth Forshee wrote:
> > Unprivileged containers cannot run mknod, making it difficult to support
> > devices which appear at runtime.
> Wait.
> Why would you even want a container to see a "ne