On Fri, Feb 3, 2017 at 3:08 PM, Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote:
> On Fri, Feb 03, 2017 at 01:00:47PM -0800, Andy Lutomirski wrote:
>>
>> ISTM any ability to migrate namespaces and to migrate eBPF programs
>> that know about namespaces needs to have the eBPF program firmly
>> rooted in some namespace (or perhaps cgroup in this case) so that it
>
> programs are already global. We cannot break that.

I don't know what you mean here. It ought to be possible to have a (privileged) program that installs and uses cgroup+bpf programs run under CRIU and get migrated. Maybe not yet, but some day. This should be doable without the program noticing, and it would be unfortunate if the API makes this harder than necessary.

>
>> can see a namespaced view of the world. For this to work, presumably
>> we need to make sure that eBPF programs that are installed by programs
>> that are in a container don't see traffic that isn't in that
>> container.
>
> such approach will break existing users.

What existing users? The whole feature has never been in a released kernel.