One outcome of my taking on kernel work might be gaining enough experience to redo it right. :-)
Well userns was implemented totally wrong, as direct remapping rather than a layer in between...
-
-
In principle you could disable it and do secure containers fully with ptrace+seccomp, I think...
-
Problem is OS containers. They want to be able to boot a fully functional OS without privileges...
-
So they've ended up exposing a huge amount of functionality previously accessible only to root.
-
The problem is that they exposed it rather than virtualizing it. Latter should be possible w/seccomp
-
An example is that containers have access to all of netfilter for setting up their own firewall rules.
-
Totally understand what you mean. I'm saying their access should be only to a virtual netfilter...
-
...running in userspace as the uid that created the container with no special access to real kernel.
-
Virtual machines would end up being faster. Really hoping that https://lwn.net/Articles/644675/ … is a success.