Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4131225pxj;
        Tue, 8 Jun 2021 07:12:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz+zBWQwOSEkLyDI96IxFlxZ1uDPR9A2eFFOX8RVpfHxV9J0JI6Uz5gQMU5CD44ADk05ZZv
X-Received: by 2002:a05:6402:368:: with SMTP id s8mr26089094edw.129.1623161532051;
        Tue, 08 Jun 2021 07:12:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623161532; cv=none;
        d=google.com; s=arc-20160816;
        b=zvMUdxqd9n7sQ1vSz2GRRgDT1WLNKYakVn00E639/ckdYdQwQQf5bZhNRpd3DYXFcb
         nDBDr8uaryRFgzyATX72tvdZFj8GlwJ8BM1DwWH3MCKeaDNFI3sj1e6N0BTcKDn+zEsL
         KnbT3l1rUl8lAXumc+9esMYDYo06z2iSY62FdUOyxpwZuOFnptzfv3hJlNzmRDpacpWy
         9YWF5khniUFzqlNpXIsPER/yOhZFbamsCuy1mAbse75EC/10kzmzNNG33D4sXpESldXT
         19/qLV6hVJhtnDCduX+ESt+TU1krmYMHzvUAnZl8xvLJmy4cKqKB2S7Ap2I2gTy+XfMX
         tAkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:subject:from
         :references:cc:to:dkim-signature:dkim-signature:dkim-signature
         :dkim-signature;
        bh=VhPo8dfy0xqBD8sGYJWaEov9nrLg7JdQXq4991+PWPY=;
        b=n1hOITVyWOlpW5B3+LjacrZVxPCBM+zHef6vZx4XCeFSKIR4Y9PafWYrLdTkBwa169
         6WbQJ3juoVgDKVLX3ZfPKFGZ6IIZNqJIEz5J9svJHgYe9lOAmGpXAJ1InolBbqtnxeh7
         zqXPQ//z01eLoMN2AQPxYW5Sp8zDG0oX39M4RVJHCXThqiadQ/pguLb/aZ9vxD01rywQ
         e8cccO1WGHnRVO/Tl0UK07jDxLILwxsC5kubT2iPGp9VP9fzn/C2aWCLA0tVvLWg3QV8
         7+0CV8x0Eibk0p8pwPLgqk+cCCclSoTVzyR3saqZuECjCZ6KWgXEAHhtC0PVOvUVTCfy
         wNDA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=A1J+vmBY;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=Sfb6DVpg;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=A1J+vmBY;
       dkim=neutral (no key) header.i=@suse.de;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v11si14878648edx.139.2021.06.08.07.11.47;
        Tue, 08 Jun 2021 07:12:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=A1J+vmBY;
       dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519 header.b=Sfb6DVpg;
       dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=A1J+vmBY;
       dkim=neutral (no key) header.i=@suse.de;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232874AbhFHOMD (ORCPT <rfc822;luxiaolong211@gmail.com>
        + 99 others); Tue, 8 Jun 2021 10:12:03 -0400
Received: from smtp-out1.suse.de ([195.135.220.28]:40756 "EHLO
        smtp-out1.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232341AbhFHOMC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 8 Jun 2021 10:12:02 -0400
Received: from imap.suse.de (imap-alt.suse-dmz.suse.de [192.168.254.47])
        (using TLSv1.2 with cipher ECDHE-ECDSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by smtp-out1.suse.de (Postfix) with ESMTPS id D2861219DB;
        Tue,  8 Jun 2021 14:10:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
        t=1623161408; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=VhPo8dfy0xqBD8sGYJWaEov9nrLg7JdQXq4991+PWPY=;
        b=A1J+vmBYmj0iUx39XP3PGnz5p2LG5HxgC1OO/gbmfuIrGjUOS3hGDCR8Xl/N+6kA9nhLOO
        uUj7/UsN21Sr0Yq7PNASXWpN/jcqLlQzRouA2+on2Bm4JWyj/ewmY9VAzGNUcMexFVVpr3
        SapV78epvqreCwY/362Bvh3QCr+Wdm0=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1623161408;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=VhPo8dfy0xqBD8sGYJWaEov9nrLg7JdQXq4991+PWPY=;
        b=Sfb6DVpg99StlMgZN7IhLGwY9pBKyirc1uJjGgznWIY5OgCTBWz2HZLMscv6agVTP3QykH
        TJf1rOLbuyan15AQ==
Received: from imap3-int (imap-alt.suse-dmz.suse.de [192.168.254.47])
        by imap.suse.de (Postfix) with ESMTP id BB4AA118DD;
        Tue,  8 Jun 2021 14:10:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de; s=susede2_rsa;
        t=1623161408; h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=VhPo8dfy0xqBD8sGYJWaEov9nrLg7JdQXq4991+PWPY=;
        b=A1J+vmBYmj0iUx39XP3PGnz5p2LG5HxgC1OO/gbmfuIrGjUOS3hGDCR8Xl/N+6kA9nhLOO
        uUj7/UsN21Sr0Yq7PNASXWpN/jcqLlQzRouA2+on2Bm4JWyj/ewmY9VAzGNUcMexFVVpr3
        SapV78epvqreCwY/362Bvh3QCr+Wdm0=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
        s=susede2_ed25519; t=1623161408;
        h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
         mime-version:mime-version:content-type:content-type:
         content-transfer-encoding:content-transfer-encoding:
         in-reply-to:in-reply-to:references:references;
        bh=VhPo8dfy0xqBD8sGYJWaEov9nrLg7JdQXq4991+PWPY=;
        b=Sfb6DVpg99StlMgZN7IhLGwY9pBKyirc1uJjGgznWIY5OgCTBWz2HZLMscv6agVTP3QykH
        TJf1rOLbuyan15AQ==
Received: from director2.suse.de ([192.168.254.72])
        by imap3-int with ESMTPSA
        id tf2TLUB6v2BZAgAALh3uQQ
        (envelope-from <hare@suse.de>); Tue, 08 Jun 2021 14:10:08 +0000
To:     gregkh@linuxfoundation.org
Cc:     christian.brauner@ubuntu.com, containers@lists.linux.dev,
        linux-kernel@vger.kernel.org, lkml@metux.net
References: <YL9liW99Ytf6uBlu@kroah.com>
From:   Hannes Reinecke <hare@suse.de>
Subject: Re: device namespaces
Message-ID: <9157affa-b27a-c0f4-f6ee-def4a991fd4e@suse.de>
Date:   Tue, 8 Jun 2021 16:10:08 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.9.1
MIME-Version: 1.0
In-Reply-To: <YL9liW99Ytf6uBlu@kroah.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jun 08, 2021 Greg-KH wrote:
> On Tue, Jun 08, 2021 at 02:30:50PM +0200, Christian Brauner wrote:
>> On Tue, Jun 08, 2021 at 11:38:16AM +0200, Enrico Weigelt,
>> metux IT consult wrote:
>>> Hello folks,
>>>
>>>
>>> I'm going to implement device namespaces, where containers can get
>>> an entirely different view of the devices in the machine (usually
>>> just a specific subset, but possibly additional virtual devices).
>>>
[ .. ]
>>> Is this a good way to go ? Or what would be a better one ?
>>
>> Ccing Greg. Without adressing specific problems, I should warn you
>> that this idea is not new and the plan is unlikely to go anywhere.
>> Especially not without support from Greg.
>
> Hah, yeah, this is a non-starter.
>
> Enrico, what real problem are you trying to solve by doing this?  And
> have you tried anything with this yet?  We almost never talk about
> "proposals" without seeing real code as it's pointless to discuss
> things when you haven't even proven that it can work.
>
> So let's see code before even talking about this...
>
> And as Christian points out, you can do this today without any kernel
> changes, so to think you need to modify the kernel means that you
> haven't even tried this at all?
>
Curious, I had been looking into this, too.
And I have to side with Greg and Christian that your proposal should
already be possible today (cf device groups, which curiously has a
near-identical interface to what you proposed).
Also, I think that a generic 'device namespace' is too broad a scope;
some subsystems like net already inherited namespace support, and it
turns out to be not exactly trivial to implement.

What I'm looking at, though, is to implement 'block' namespaces, to
restrict access to _new_ block devices to any give namespace.
Case in point: if a container creates a ramdisk it's questionable
whether other containers should even see it. iSCSI devices are a similar
case; when starting iSCSI devices from containers their use should be
restricted to that container.
And that's not only the device node in /dev, but would also entail sysfs
access, which from my understanding is not modified with the current code.

uevent redirection would help here, but from what I've seen it's only
for net devices; feels a bit awkward to have a network namespace to get
uevents for block devices, but then I'll have to test.
And, of course, that also doesn't change the sysfs layout.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer