Stephen Hemminger wrote:
On Thu, 26 Oct 2006 11:44:55 +0200 Daniel Lezcano <[EMAIL PROTECTED]> wrote:
[ ... ]
Assuming you are talking about pseudo-virtualized environments, there are several different discussions.
Yes, exactly, I forgot to mention that.
1. How should the namespace be isolated for the virtualized containered applications?
The network resources should be related to the namespaces and especially the struct sock. So when a checkpoint is initiated for the container, you can identify the established connections, the timewait sockets, the req queues, ... related to the container in order to freeze the traffic and checkpoint them. The IP addresses are not a valid discriminator for identifying them, for example if you have several containers interconnected into the same host.
2. How should traffic be restricted into/out of those containers. This is where existing netfilter, classification, etc, should be used. The network code is overly rich as it is, we don't need another abstraction.
Using only netfilter you will not be able to bind to the same INADDR_ANY,port in different containers. You will need to handle several IP addresses coming from IP aliasing and check the source address to be sure the source address is related to the right container and not from a primary interface probably assigned to a different container.
3. Can the virtualized containers be secure? No. We really can't keep hostile root in a container from killing the system without going to a hypervisor.
That is totally true, the containers don't aim to replace full-virtualized environments.
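The bind conflict raised under point 2, as an added example that is not code from this thread: in one network namespace a second bind to INADDR_ADDR_ANY:port fails with EADDRINUSE, while a child that has unshared its network namespace (CLONE_NEWNET, Linux only, needs CAP_SYS_ADMIN) gets its own port space and can bind the same port. The unshare() call goes through ctypes because the stdlib exposes no wrapper; an EPERM result just means the caller lacked the capability.

```python
import ctypes
import ctypes.util
import errno
import os
import socket

CLONE_NEWNET = 0x40000000  # from <sched.h>; Linux-specific


def bind_any(port):
    """Bind and listen on INADDR_ANY:port; port 0 lets the kernel pick one."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(1)
    return s


def same_namespace_conflict():
    """Second bind in the same netns: returns the errno (EADDRINUSE), 0 if it succeeded."""
    first = bind_any(0)
    port = first.getsockname()[1]
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        second.bind(("0.0.0.0", port))
        return 0
    except OSError as e:
        return e.errno
    finally:
        second.close()
        first.close()


def separate_namespace_bind():
    """Parent holds INADDR_ANY:port; forked child unshares its netns and binds the same port.
    Returns the child's result: 0 on success, EPERM/EACCES if unshare() was refused,
    ENOSYS if libc has no unshare() (non-Linux), or the bind() errno."""
    holder = bind_any(0)
    port = holder.getsockname()[1]
    pid = os.fork()
    if pid == 0:  # child: must only ever leave via os._exit
        try:
            libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
            unshare = libc.unshare
        except AttributeError:
            os._exit(errno.ENOSYS)
        if unshare(CLONE_NEWNET) != 0:
            os._exit(ctypes.get_errno())  # EPERM without CAP_SYS_ADMIN
        try:
            bind_any(port)  # new netns: separate port space, so this succeeds
            os._exit(0)
        except OSError as e:
            os._exit(e.errno)
    _, status = os.waitpid(pid, 0)
    holder.close()
    return os.WEXITSTATUS(status)
```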