[EMAIL PROTECTED] (Herbert Poetzl) writes:

>> > > Using this new system call, chmod 000 is not needed anymore
>> > > and we can support vservers inside vservers.
>> > why don't use private namespace ?
>>
>> How does it work ?
>
> you should join a discussion with Enrico and me on IRC
> .. basically it is based on CLONE_NEWNS() and relatives ...

IMO, it is not doable with current technology:

* CLONE_NEWNS has strange behavior[1]; this will be fixed[2] in 2.4.23
  probably

* CLONE_NEWNS + pivot_root require CAP_SYS_ADMIN (which is not
  acceptable for vservers); using a new capability for CLONE_NEWNS seems
  to be possible, but pivot_root(2) needs additional logic. Else, when
  executed in root-namespace, pivot_root(2) can do really bad things
  with your system.

* joining foreign namespaces (e.g. for 'vserver ... enter') is not
  implemented in current kernel; I saw patches but AFAIS, they are
  missing important logic (e.g. no capability-check).

  This functionality will need hierarchical contexts also
  (e.g. parent-vserver can enter namespace of child-vservers, but not
  that of its siblings or parents).

Enrico

Footnotes:
[1] http://www.tu-chemnitz.de/~ensc/nst.c
[2] http://linux.bkbits.net:8080/linux-2.4/diffs/fs/[EMAIL PROTECTED]|[EMAIL PROTECTED]|[EMAIL PROTECTED]|hist/fs/namespace.c
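
The access rule described in the last bullet above (a capability check plus a hierarchy check before a namespace join), modelled in user space as an added example that is not part of the original post or of any kernel patch. The names `struct vctx`, `cap_enter_ns` and `may_enter_namespace` are hypothetical, and the context tree is constructed sample data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of a vserver context; not a kernel structure. */
struct vctx {
    const char *name;
    const struct vctx *parent;  /* NULL for the root (host) context */
    bool cap_enter_ns;          /* hypothetical capability gating joins */
};

/* True when 'anc' is a strict ancestor of 'ctx' in the context tree. */
static bool is_ancestor(const struct vctx *anc, const struct vctx *ctx)
{
    for (const struct vctx *p = ctx->parent; p != NULL; p = p->parent)
        if (p == anc)
            return true;
    return false;
}

/* Decision for "caller wants to join target's namespace":
 * deny without the capability; deny self, siblings and parents;
 * allow only contexts that descend from the caller. */
bool may_enter_namespace(const struct vctx *caller, const struct vctx *target)
{
    if (caller == NULL || target == NULL)
        return false;
    if (!caller->cap_enter_ns)
        return false;
    return is_ancestor(caller, target);
}

/* Constructed sample tree: host -> { vs_a -> vs_a1, vs_b } */
const struct vctx host  = { "host",  NULL,  true  };
const struct vctx vs_a  = { "vs_a",  &host, true  };
const struct vctx vs_b  = { "vs_b",  &host, true  };
const struct vctx vs_a1 = { "vs_a1", &vs_a, false };

int main(void)
{
    printf("vs_a -> vs_a1: %d\n", may_enter_namespace(&vs_a, &vs_a1));
    printf("vs_a -> vs_b:  %d\n", may_enter_namespace(&vs_a, &vs_b));
    printf("vs_a -> host:  %d\n", may_enter_namespace(&vs_a, &host));
    printf("vs_a1 -> vs_a: %d\n", may_enter_namespace(&vs_a1, &vs_a));
    return 0;
}
```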
