"Serge E. Hallyn" writes:
>> I was aware of FUSE but hadn't ever looked at it much. Looking at it
>> now, this isn't going to satisfy any of the use cases I know about,
>> which are wanting to use filesystems supported in-kernel (isofs, ext*).
>> I don't see that any of these have a FUSE implement
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Mon, 2014-05-26 at 00:24 +0200, Serge E. Hallyn wrote:
> > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > > > Quoting James Bottomley (james.botto
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Fri, May 23, 2014 at 03:23:50PM -0700, Eric W. Biederman wrote:
> > Serge Hallyn writes:
> >
> > > Quoting Eric W. Biederman (ebied...@xmission.com):
> > >>
> > >>
> > >> >> Ultimately the technical challenge is how do we create a block de
On Fri, May 23, 2014 at 03:23:50PM -0700, Eric W. Biederman wrote:
> Serge Hallyn writes:
>
> > Quoting Eric W. Biederman (ebied...@xmission.com):
> >>
> >>
> >> >> Ultimately the technical challenge is how do we create a block device
> >> >> that is safe for a user who does not have any capabi
On Mon, 2014-05-26 at 00:24 +0200, Serge E. Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > > On Fri, 2014-05-23 at 11:20 +0300, M
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> > Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > > On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > > > On 05/20/2014 05:19 PM, Serge Hallyn
On Sat, 2014-05-24 at 22:25 +, Serge Hallyn wrote:
> Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> > On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > > On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > > > Quoting Andy Lutomirski (l...@amacapital.net):
> > > >> On
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> > On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > > Quoting Andy Lutomirski (l...@amacapital.net):
> > >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> > >>>
> > >>>
Serge Hallyn writes:
> Quoting Eric W. Biederman (ebied...@xmission.com):
>>
>>
>> >> Ultimately the technical challenge is how do we create a block device
>> >> that is safe for a user who does not have any capabilities to use, and
>> >> what can we do with that block device to make it useful.
On Fri, May 23, 2014 at 6:16 AM, James Bottomley
wrote:
> On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
>> On 05/20/2014 05:19 PM, Serge Hallyn wrote:
>> > Quoting Andy Lutomirski (l...@amacapital.net):
>> >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>> >>>
>> >>> Quoting Richa
On 5/23/2014 4:20 AM, Marian Marinov wrote:
Can I suggest the usage of the devices cgroup to achieve that?
Marian
We make use of devices cgroup as part of our overall solution. Given
that systemd has some embedded policy for the start of udev in a
container, we needed to enable CAP_MKNOD with
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> Quoting Andy Lutomirski (l...@amacapital.net):
>> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>>>
>>> Quoting Richard Weinberger (rich...@nod.at):
Am 15.05.2014 21:50, schrieb Serge Hallyn:
>>>
On Fri, 2014-05-23 at 11:20 +0300, Marian Marinov wrote:
> On 05/20/2014 05:19 PM, Serge Hallyn wrote:
> > Quoting Andy Lutomirski (l...@amacapital.net):
> >> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> >>>
> >>> Quoting Richard Weinberger (rich...@nod.at):
> Am 15.05.2014 21:50, sch
I've been working on this issue for a while as my use case is having
containers as virtual desktops for users, that run X, and allow sharing
of the desktop via injection of displays to the container, as well as
mice/keyboard using a remote usb ip solution. To make this work, we
needed udev mes
Quoting Eric W. Biederman (ebied...@xmission.com):
>
>
> >> Ultimately the technical challenge is how do we create a block device
> >> that is safe for a user who does not have any capabilities to use, and
> >> what can we do with that block device to make it useful.
> >
> > Yes, and I'd like to
>> Ultimately the technical challenge is how do we create a block device
>> that is safe for a user who does not have any capabilities to use, and
>> what can we do with that block device to make it useful.
>
> Yes, and I'd like to get started solving those challenges. But I also
> don't think we
On Mon, May 19, 2014 at 05:04:55PM -0700, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > What I set out for was feature parity between loop devices in a secure
> > container and loop devices on the host. Since some operations currently
> > check for system-wide CAP_SYS_ADMIN, the only way
Quoting Serge Hallyn (serge.hal...@ubuntu.com):
> Quoting Seth Forshee (seth.fors...@canonical.com):
> > On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > > Quoting Seth Forshee (seth.fors...@canonical.com):
> > > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrot
Quoting Andy Lutomirski (l...@amacapital.net):
> On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
> >
> > Quoting Richard Weinberger (rich...@nod.at):
> > > Am 15.05.2014 21:50, schrieb Serge Hallyn:
> > > > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> > > >> On Thu, May 15, 2014
Quoting Michael H. Warfield (m...@wittsend.com):
> On Mon, 2014-05-19 at 17:04 -0700, Eric W. Biederman wrote:
> > Seth Forshee writes:
> >
> > > What I set out for was feature parity between loop devices in a secure
> > > container and loop devices on the host. Since some operations currently
>
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> > Quoting Seth Forshee (seth.fors...@canonical.com):
> > > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > > Greg Kroah-Hartman writes:
> > > >
> > > >
On Mon, 2014-05-19 at 17:04 -0700, Eric W. Biederman wrote:
> Seth Forshee writes:
>
> > What I set out for was feature parity between loop devices in a secure
> > container and loop devices on the host. Since some operations currently
> > check for system-wide CAP_SYS_ADMIN, the only way I see t
Seth Forshee writes:
> What I set out for was feature parity between loop devices in a secure
> container and loop devices on the host. Since some operations currently
> check for system-wide CAP_SYS_ADMIN, the only way I see to accomplish
> this is to push knowledge of the user namespace farther
On May 15, 2014 1:26 PM, "Serge E. Hallyn" wrote:
>
> Quoting Richard Weinberger (rich...@nod.at):
> > Am 15.05.2014 21:50, schrieb Serge Hallyn:
> > > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> > >> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> > >> wrote:
> > >>> Then
On Sun, May 18, 2014 at 04:44:58AM +0200, Serge E. Hallyn wrote:
> Quoting Seth Forshee (seth.fors...@canonical.com):
> > On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > > Greg Kroah-Hartman writes:
> > >
> > > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
Quoting Seth Forshee (seth.fors...@canonical.com):
> On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> > Greg Kroah-Hartman writes:
> >
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > >> > I think having to pick and choose what device nodes you want in a
Quoting James Bottomley (james.bottom...@hansenpartnership.com):
> On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > > On Fri, May 16, 2014 at
On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote:
> On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> > > PS - Apparently both parallels and Michael independently
> > > project devices which are hot-plugged on the host into containers.
> > > That also seems like something w
On Fri, May 16, 2014 at 12:28:35PM -0700, James Bottomley wrote:
> On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > > On Fri, May 16, 2014 at
On Fri, May 16, 2014 at 09:31:37PM -0700, Eric W. Biederman wrote:
> Greg Kroah-Hartman writes:
>
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> >> > I think having to pick and choose what device nodes you want in a
> >> > container is a good thing. Becides, you would have t
On Fri, 2014-05-16 at 11:57 -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > > I think having to pick a
On Fri, May 16, 2014 at 11:28:28AM -0400, Michael H. Warfield wrote:
> On Fri, 2014-05-16 at 09:06 -0500, Seth Forshee wrote:
> > On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > > I think having to pick
On Thu, 2014-05-15 at 21:35 -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > I think having to pick and choose what device nodes you want in a
> > > container is a good thing. Becides, you would have to do the same thing
> > > in the kernel any
Greg Kroah-Hartman writes:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
>> > I think having to pick and choose what device nodes you want in a
>> > container is a good thing. Becides, you would have to do the same thing
>> > in the kernel anyway, what's wrong with userspace ma
On Fri, 2014-05-16 at 22:17 +0200, Christian Seiler wrote:
> Hi,
> (removed every CC but yourself and lxc-devel, don't need to spam LKML
> for this)
> > Woa! Time out... Sorry, this will be an off topic aside.
> >
> > Loop devices support partitions? I'd love to know how that works.
> Use ut
Hi,
(removed every CC but yourself and lxc-devel, don't need to spam LKML
for this)
> Woa! Time out... Sorry, this will be an off topic aside.
>
> Loop devices support partitions? I'd love to know how that works.
Use util-linux >= 2.21 with Kernel >= 3.1:
losetup -P -f filename
Creates: /de
On Fri, 2014-05-16 at 12:20 -0700, James Bottomley wrote:
> On Thu, 2014-05-15 at 21:42 -0400, Michael H. Warfield wrote:
> > On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> > > > PS - Apparently both parallels and Michael independently
> > > > project devices which are hot-plugged o
On Fri, May 16, 2014 at 09:06:07AM -0500, Seth Forshee wrote:
> On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > I think having to pick and choose what device nodes you want in a
> > > > container is a good
On Fri, 2014-05-16 at 09:06 -0500, Seth Forshee wrote:
> On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> > On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > > I think having to pick and choose what device nodes you want in a
> > > > container is a good thing.
On Thu, May 15, 2014 at 09:35:32PM -0700, Greg Kroah-Hartman wrote:
> On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > > I think having to pick and choose what device nodes you want in a
> > > container is a good thing. Becides, you would have to do the same thing
> > > in the ker
Am 15.05.2014 22:26, schrieb Serge E. Hallyn:
> Quoting Richard Weinberger (rich...@nod.at):
>> Am 15.05.2014 21:50, schrieb Serge Hallyn:
>>> Quoting Richard Weinberger (richard.weinber...@gmail.com):
On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
wrote:
> Then don't use a cont
On Fri, May 16, 2014 at 3:42 AM, Michael H. Warfield wrote:
> On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
>> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
>> > What exactly defines '"normal" use case for a container'?
>
>> Well, I'd say "acting like a virtual machi
On Fri, May 16, 2014 at 01:49:59AM +, Serge Hallyn wrote:
> > I think having to pick and choose what device nodes you want in a
> > container is a good thing. Becides, you would have to do the same thing
> > in the kernel anyway, what's wrong with userspace making the decision
> > here, especi
Quoting Greg Kroah-Hartman (gre...@linuxfoundation.org):
> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > What exactly defines '"normal" use case for a container'?
>
> Well, I'd say "acting like a virtual machine" is a good start :)
>
> > Not too long ago much of what we can no
On Thu, 2014-05-15 at 15:15 -0700, Greg Kroah-Hartman wrote:
> On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > What exactly defines '"normal" use case for a container'?
> Well, I'd say "acting like a virtual machine" is a good start :)
Ok... And virtual machines (VirtualBox, VM
On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> What exactly defines '"normal" use case for a container'?
Well, I'd say "acting like a virtual machine" is a good start :)
> Not too long ago much of what we can now do with network namespaces
> was not a normal container use case.
Quoting Richard Weinberger (rich...@nod.at):
> Am 15.05.2014 21:50, schrieb Serge Hallyn:
> > Quoting Richard Weinberger (richard.weinber...@gmail.com):
> >> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> >> wrote:
> >>> Then don't use a container to build such a thing, or fix the build
> >
On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > Using devtmpfs is one possible
> > > solution, and it would have the added benefit of making container setup
> > > simpler. But simply letting containers mount devtmpfs isn't sufficient
> > > since the container may need to
On Thu, May 15, 2014 at 05:42:54PM +, Serge Hallyn wrote:
> > > Serge mentioned something to me about a loopdevfs (?) thing that someone
> > > else is working on. That would seem to be a better solution in this
> > > particular case but I don't know much about it or where it's at.
> >
> > Ok,
Am 15.05.2014 21:50, schrieb Serge Hallyn:
> Quoting Richard Weinberger (richard.weinber...@gmail.com):
>> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
>> wrote:
>>> Then don't use a container to build such a thing, or fix the build
>>> scripts to not do that :)
>>
>> I second this.
>> To m
Quoting Richard Weinberger (richard.weinber...@gmail.com):
> On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
> wrote:
> > Then don't use a container to build such a thing, or fix the build
> > scripts to not do that :)
>
> I second this.
> To me it looks like some folks try to (ab)use Linux c
On Thu, May 15, 2014 at 4:08 PM, Greg Kroah-Hartman
wrote:
> Then don't use a container to build such a thing, or fix the build
> scripts to not do that :)
I second this.
To me it looks like some folks try to (ab)use Linux containers
for purposes where KVM would much better fit in.
Please don't p
Quoting Greg Kroah-Hartman (gre...@linuxfoundation.org):
> On Thu, May 15, 2014 at 09:42:17AM -0400, Michael H. Warfield wrote:
> > On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> > > On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > > > On Wed, May 14, 2014 at 10:17:
On Thu, May 15, 2014 at 09:42:17AM -0400, Michael H. Warfield wrote:
> On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> > On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > > On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > > > Using devtmpfs
On Wed, 2014-05-14 at 21:00 -0700, Greg Kroah-Hartman wrote:
> On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> > On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > > Using devtmpfs is one possible
> > > > > solution, and it would have the added benefit of m
On Wed, May 14, 2014 at 10:15:27PM -0500, Seth Forshee wrote:
> On Wed, May 14, 2014 at 10:17:31PM -0400, Michael H. Warfield wrote:
> > > > Using devtmpfs is one possible
> > > > solution, and it would have the added benefit of making container setup
> > > > simpler. But simply letting containers
On Wed, 2014-05-14 at 18:32 -0700, Greg Kroah-Hartman wrote:
> On Wed, May 14, 2014 at 04:34:48PM -0500, Seth Forshee wrote:
> > Unpriveleged containers cannot run mknod, making it difficult to support
> > devices which appear at runtime.
> Wait.
> Why would you even want a container to see a "ne
On Wed, May 14, 2014 at 04:34:48PM -0500, Seth Forshee wrote:
> Unpriveleged containers cannot run mknod, making it difficult to support
> devices which appear at runtime.
Wait.
Why would you even want a container to see a "new" device? That's the
whole point, your container should see a "clean"
Unpriveleged containers cannot run mknod, making it difficult to support
devices which appear at runtime. Using devtmpfs is one possible
solution, and it would have the added benefit of making container setup
simpler. But simply letting containers mount devtmpfs isn't sufficient
since the container
59 matches
Mail list logo
