On Fri, Feb 3, 2017 at 5:22 PM, Alexei Starovoitov <a...@fb.com> wrote:
> Note that all bpf program types are global.
I don't think this has a clear enough meaning to work with. In particular, I think that, if you have some software that installs cgroup+bpf programs and you run it in a container, then I have no idea what "global" means in this context, and you may run into trouble with this patch once namespace ids become migratable, because the cgroup+bpf program in the container would potentially see dev+ino numbers from *outside* the container. What happens when you migrate it?

I think that this patch, plus a minor change to prevent installing cgroup+bpf programs if the installer isn't in the init netns + fs ns, would work, because it would allow new, migratable semantics to be added down the road to relax the restriction.

Eric, what do you think?