[fbsd] Re: jail extensions
Brooks Davis
brooks at one-eyed-alien.net
Fri Jul 14 23:25:21 UTC 2006
On Fri, Jul 14, 2006 at 01:44:26PM -0700, Julian Elischer wrote:
> Brooks Davis wrote:
>
> >On Fri, Jul 14, 2006 at 12:03:33PM +0200, Jeremie Le Hen wrote:
> >
> >>On Thu, Jun 08, 2006 at 12:32:42PM +0100, Robert Watson wrote:
> >>
> >>>On Wed, 7 Jun 2006, Brooks Davis wrote:
> >>>
> >>>>It's not clear to me that we want to use the same containers to control
> >>>>all resouces since you might want a set of jails sharing IPC resources
> >>>>or being allocated a slice of processor time to divide amongst them
> >>>>selves if we had a hierarchical scheduler. That said, using a single
> >>>>prison structure could do this if we allowed the administrator to
> >>>>specifiy a hierarchy of prisons and not necessicairly enclose all
> >>>>resources in all prisons.
> >>>>
> >>>When looking at improved virtualization support for things like System V
> >>>IPC, my opinion has generally been that we introduce virtualization as a
> >>>primitive, and then have jail use the primitive much in the same way it
> >>>does chroot. This leaves flexibility to use it without jail, etc, but
> >>>means we have a well-understood and well-defined interaction with jail.
> >>>
> >>IMHO, it is worth having virtualization primitives wherever it is
> >>required and make jails use them. This can be the case for the
> >>System V IPC as well as for the network stack (think of Marko's work).
> >>
> >>My point is that the usability of virtual network stacks remains
> >>interesting outside the jail framework and should be able to be managed
> >>from its own userland tool (though the latter should probably not be
> >>able to destroy a virtual network stack associated with a jail).
> >>However I don't think that IPC are worth virtualizing outside a
> >>jail framework.
> >>
> >>
> >
> >I could definitly use the ability to virtualize IPC inside a lighter
> >container then a jail. I'd like to be able to tie them to jobs in a
> >batch system managed by Sun Grid Engine so I can constrain resources on
> >a per-job basis and insure the no IPC objects outlive the job.
> >
> I think that the term "jail" needs to be replaced by something else in
> this context..
> maybe a "virtual context".. virtual contexts would have the option of
> virtualising
> different parts of the system.
> for example they would have the option of whether or not to have a
> chroot, or their own
> networking stack, or their own process space..
This sounds good to me if we could do it in a way that performed
decently.
-- Brooks
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-arch/attachments/20060714/dc7fece7/attachment.pgp
More information about the freebsd-arch
mailing list