[fbsd] Re: jail extensions

Jeremie Le Hen jeremie at le-hen.org
Fri Jul 14 10:03:07 UTC 2006


Hi,

On Thu, Jun 08, 2006 at 12:32:42PM +0100, Robert Watson wrote:
> On Wed, 7 Jun 2006, Brooks Davis wrote:
> 
> >It's not clear to me that we want to use the same containers to control 
> >all resources since you might want a set of jails sharing IPC resources or 
> >being allocated a slice of processor time to divide amongst themselves if 
> >we had a hierarchical scheduler.  That said, using a single prison 
> >structure could do this if we allowed the administrator to specify a 
> >hierarchy of prisons and not necessarily enclose all resources in all 
> >prisons.
> 
> When looking at improved virtualization support for things like System V 
> IPC, my opinion has generally been that we introduce virtualization as a 
> primitive, and then have jail use the primitive much in the same way it 
> does chroot. This leaves flexibility to use it without jail, etc, but means 
> we have a well-understood and well-defined interaction with jail.

IMHO, it is worth having virtualization primitives wherever they are
required and making jails use them.  This can be the case for the
System V IPC as well as for the network stack (think of Marko's work).

My point is that the usability of virtual network stacks remains
interesting outside the jail framework and should be able to be managed
from its own userland tool (though the latter should probably not be
able to destroy a virtual network stack associated with a jail).
However, I don't think that IPC is worth virtualizing outside a
jail framework.

My two cents.
Best regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >