Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932405AbVLPUqO (ORCPT ); Fri, 16 Dec 2005 15:46:14 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S932407AbVLPUqO (ORCPT ); Fri, 16 Dec 2005 15:46:14 -0500 Received: from e33.co.us.ibm.com ([32.97.110.151]:36540 "EHLO e33.co.us.ibm.com") by vger.kernel.org with ESMTP id S932405AbVLPUqN (ORCPT ); Fri, 16 Dec 2005 15:46:13 -0500 To: Dave Hansen cc: Matt Helsley , Hubertus Franke , CKRM-Tech , LKML , LSE , vserver@list.linux-vserver.org, Andrew Morton , Rik van Riel , pagg@oss.sgi.com Reply-To: Gerrit Huizenga From: Gerrit Huizenga Subject: Re: [ckrm-tech] Re: [RFC][patch 00/21] PID Virtualization: Overview and Patches In-reply-to: Your message of Fri, 16 Dec 2005 09:35:19 PST. <1134754519.19403.6.camel@localhost> Date: Fri, 16 Dec 2005 12:45:42 -0800 Message-Id: Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1798 Lines: 37 On Fri, 16 Dec 2005 09:35:19 PST, Dave Hansen wrote: > On Thu, 2005-12-15 at 19:28 -0800, Gerrit Huizenga wrote: > > In the pid virtualization, I would think that tasks can move between > > containers as well, > > I don't think tasks can not be permitted to move between containers. As > a simple exercise, imagine that you have two processes with the same > pid, one in container A and one in container B. You wish to have them > both run in container A. They can't both have the same pid. What do > you do? > > I've been talking a lot lately about how important filesystem isolation > between containers is to implement containers properly. Isolating the > filesystem namespaces makes it much easier to do things like fs-based > shared memory during a checkpoint/resume. If we want to allow tasks to > move around, we'll have to throw out this entire concept. That means > that a _lot_ of things get a notch closer to the too-costly-to-implement > category. Interesting... So how to tasks get *into* a container? And can they ever get back "out" of a container? Are most processes on the system initially not in a container? And then they can be stuffed in a container? And then containers can be moved around or be isolated from each other? And, is pid virtualization the point where this happens? Or is that a slightly higher level? In other words, is pid virtualization the full implementation of container isolation? Or is it a significant element on which additional policy, restrictions, and usage models can be built? gerrit - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/