I think it would be great if some of the people who are interested in putting host devices into a container safely would get together to discuss requirements for a sort of device multiplexor/forwarder. It could probably be based on CUSE (see https://superuser.com/questions/209884/where-are-programs-that-use-cuse-character-in-user-space and https://github.com/stefanberger/swtpm for some example users) and could provide virtualized devices which provide a filtered view of the real device to several containers at the same time. Perhaps as part of this a toolsuite could be developed that would help in easily building API filters/translators.
See also what Cellrox was trying to do: https://lwn.net/Articles/564854/

It's still not clear to me what the *right* way to containerize device access is, or that this is it. In particular, creating a new device feels like much more of a VM than a container thing. But it seems like at least a safe way to do this, and might lead to insights on a better way. For many devices, just chowning it and handing it over to a container is just not safe, even if it's the best we can do right now.

-serge

_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users