Devices Namespace
Rationale:
Devices in Linux currently exist in a single namespace: a (type:major:minor)
triple refers to the same device for every process. More importantly, uevents
requested from the kernel are sent for all devices to all listeners. When a
container runs udevadm trigger --action=add, add uevents for all hardware are
resent to the host and to every other listener (every other container).
Currently the devices namespace can be used to restrict access from containers
to a (type:major:minor). If AppArmor is given the ability to filter netlink
traffic, containers could be prevented from running udevadm trigger.
Ideally we would be able to create a new mapping from (type:major:minor) to
kernel devices for containers. When in a new private mapping (== namespace),
udevadm trigger would be restricted to mapped devices. Some devices, such
as /dev/null and /dev/zero, could be shared among mappings. Others, such
as /dev/loop*, may want more flexible mappings. When combined with the
user namespace, this would mean that whereas b 7:0 would be /dev/loop0 on
the host, the container could have b 7:0 point to a different loop device,
owned by its own user namespace and perhaps mapped to a different
(type:major:minor) on the host (or not mapped there at all).
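To make the proposed mapping concrete, here is an added model of it in Python. It is not kernel code, not part of this blueprint, and not Serge Hallyn's or Ubuntu's code; the class name DeviceNamespace, its methods, and the sample uevents are all invented for illustration. It parses uevents in the NETLINK_KOBJECT_UEVENT wire layout (an action@devpath header followed by NUL-separated KEY=VALUE pairs), keeps a per-container (type:major:minor) -> host device table, and shows the two behaviours the rationale asks for: a host uevent is delivered only to the containers the device is mapped into, rewritten to their numbering, and a trigger from inside can only reach mapped devices. The demo table follows Joy's and Karl's user stories below: thirty containers each see b 7:0 as their own host loop device, /dev/null and /dev/zero are shared, and the sound card is mapped nowhere.

```python
# Added illustration (hypothetical model) of the per-container device mapping
# described in the rationale. Not kernel code; all names are invented.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

DevId = Tuple[str, int, int]  # (type, major, minor): ("b", 7, 0) is b 7:0


def parse_uevent(raw: bytes) -> Dict[str, str]:
    """Parse a kernel uevent in the NETLINK_KOBJECT_UEVENT wire layout:
    an 'action@devpath' header followed by NUL-separated KEY=VALUE pairs."""
    fields = raw.split(b"\0")
    action, _, devpath = fields[0].decode().partition("@")
    env = {"ACTION": action, "DEVPATH": devpath}
    for item in fields[1:]:
        if b"=" in item:
            key, value = item.decode().split("=", 1)
            env[key] = value
    return env


def uevent_devid(env: Dict[str, str]) -> Optional[DevId]:
    """Device number the uevent refers to, or None if it carries no node."""
    if "MAJOR" not in env or "MINOR" not in env:
        return None
    devtype = "b" if env.get("SUBSYSTEM") == "block" else "c"
    return (devtype, int(env["MAJOR"]), int(env["MINOR"]))


@dataclass
class DeviceNamespace:
    """A private (type:major:minor) -> host device mapping for one container."""
    name: str
    mapping: Dict[DevId, DevId] = field(default_factory=dict)  # inside -> host

    def map_device(self, inside: DevId, host: DevId) -> None:
        self.mapping[inside] = host

    def share(self, dev: DevId) -> None:
        """Identity mapping: the node means the same on both sides (/dev/null)."""
        self.mapping[dev] = dev

    def to_host(self, inside: DevId) -> Optional[DevId]:
        return self.mapping.get(inside)

    def triggerable(self) -> Set[DevId]:
        """Host devices a 'udevadm trigger' from inside could re-announce:
        only the mapped ones, never the whole host device tree."""
        return set(self.mapping.values())

    def filter_uevent(self, env: Dict[str, str]) -> Optional[Dict[str, str]]:
        """Rewrite a host uevent into this namespace's numbering, or drop it."""
        host = uevent_devid(env)
        if host is None:
            return None
        for inside, mapped in self.mapping.items():
            if mapped == host:
                out = dict(env)
                out["MAJOR"], out["MINOR"] = str(inside[1]), str(inside[2])
                return out
        return None  # not mapped into this container: no listener inside sees it


def route_uevent(namespaces: Dict[str, DeviceNamespace],
                 raw: bytes) -> Dict[str, Dict[str, str]]:
    """Fan one host uevent out to only the namespaces it is mapped into."""
    env = parse_uevent(raw)
    routed = {}
    for name, ns in namespaces.items():
        inner = ns.filter_uevent(env)
        if inner is not None:
            routed[name] = inner
    return routed


def build_demo_namespaces(count: int) -> Dict[str, DeviceNamespace]:
    """Joy's story: each container sees b 7:0 as its own host loop device and
    shares /dev/null (c 1:3) and /dev/zero (c 1:5) with everyone."""
    namespaces = {}
    for i in range(count):
        ns = DeviceNamespace(f"ct{i}")
        ns.map_device(("b", 7, 0), ("b", 7, i))
        ns.share(("c", 1, 3))
        ns.share(("c", 1, 5))
        namespaces[ns.name] = ns
    return namespaces


# Constructed sample uevents (not captured from a real system).
SAMPLE_LOOP5 = (b"add@/devices/virtual/block/loop5\0ACTION=add\0"
                b"DEVPATH=/devices/virtual/block/loop5\0SUBSYSTEM=block\0"
                b"MAJOR=7\0MINOR=5\0DEVNAME=loop5\0DEVTYPE=disk\0SEQNUM=1234\0")
SAMPLE_SOUND = (b"change@/devices/pci0000:00/0000:00:1b.0/sound/card0\0"
                b"ACTION=change\0DEVPATH=/devices/pci0000:00/0000:00:1b.0/sound/card0\0"
                b"SUBSYSTEM=sound\0MAJOR=116\0MINOR=2\0SEQNUM=1235\0")

if __name__ == "__main__":
    nss = build_demo_namespaces(30)
    print(route_uevent(nss, SAMPLE_LOOP5))  # only ct5, delivered as MAJOR=7 MINOR=0
    print(route_uevent(nss, SAMPLE_SOUND))  # {}: Karl's sound card stays host-only
    print(sorted(nss["ct3"].triggerable()))
```

Running it shows the host's loop5 add event arriving in exactly one container, renumbered to its private b 7:0, while the sound card change event reaches no container at all. The model deliberately keeps the mapping direction inside -> host, so a lookup from a host uevent is a reverse search; a real implementation would keep both indexes.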
The work in this cycle is to come up with a design for devices namespaces.
Blueprint information
- Status: Started
- Approver: Dave Walker
- Priority: Medium
- Drafter: Ubuntu Server
- Direction: Approved
- Assignee: Serge Hallyn
- Definition: Approved
- Series goal: Accepted for quantal
- Implementation: Needs Infrastructure
- Milestone target: None
- Started by: Serge Hallyn
- Completed by:
Whiteboard
User Stories:
Karl runs some containers on his host. He doesn't want the sound card volume
being reset every time a container starts.
Joy wants 30 containers to each have access to one loop device, without any
risk of them writing to each other's, or the host's, loop devices.
Assumptions:
The right folks can get together to plan devicens. Upstream is amenable to
the resulting design, or has constructive criticism.
Note: this has been postponed for, hopefully, only one cycle. It would be better to
push on finishing user namespaces in the upstream kernel first.
Release notes:
N/A (this work is preliminary, and hopefully targeted for completion in
14.04).
Note: upstream kernel is not ready to discuss device namespaces yet (5/16/2013)
Work Items
Work items:
[serge-hallyn] Arrange (and remotely participate in) device ns design discussion at plumbers, involving ebiederm and stgraber: POSTPONED
[stgraber] Discuss device ns design at plumber's: POSTPONED
[serge-hallyn] Bring the result up on linux-kernel or blog: POSTPONED