Date: Fri, 14 Jul 2006 18:25:04 -0500
From: Brooks Davis <brooks@one-eyed-alien.net>
To: Julian Elischer <julian@elischer.org>
Cc: Robert Watson <rwatson@freebsd.org>, Alex Lyashkov <shadow@psoft.net>, Jeremie Le Hen <jeremie@le-hen.org>, freebsd-arch@freebsd.org
Subject: Re: [fbsd] Re: jail extensions
Message-ID: <20060714232504.GA79925@lor.one-eyed-alien.net>
In-Reply-To: <44B8022A.60104@elischer.org>
References: <1149610678.4074.42.camel@berloga.shadowland> <448633F2.7030902@elischer.org> <20060607095824.W53690@fledge.watson.org> <200606070819.04301.jhb@freebsd.org> <20060607160850.GB18940@odin.ac.hmc.edu> <20060608123125.W26068@fledge.watson.org> <20060714100333.GE3466@obiwan.tataz.chchile.org> <20060714162154.GA75657@lor.one-eyed-alien.net> <44B8022A.60104@elischer.org>

On Fri, Jul 14, 2006 at 01:44:26PM -0700, Julian Elischer wrote:
> Brooks Davis wrote:
>
> >On Fri, Jul 14, 2006 at 12:03:33PM +0200, Jeremie Le Hen wrote:
> >
> >>On Thu, Jun 08, 2006 at 12:32:42PM +0100, Robert Watson wrote:
> >>
> >>>On Wed, 7 Jun 2006, Brooks Davis wrote:
> >>>
> >>>>It's not clear to me that we want to use the same containers to control
> >>>>all resources since you might want a set of jails sharing IPC resources
> >>>>or being allocated a slice of processor time to divide amongst
> >>>>themselves if we had a hierarchical scheduler.  That said, using a single
> >>>>prison structure could do this if we allowed the administrator to
> >>>>specify a hierarchy of prisons and not necessarily enclose all
> >>>>resources in all prisons.
> >>>>
> >>>When looking at improved virtualization support for things like System V
> >>>IPC, my opinion has generally been that we introduce virtualization as a
> >>>primitive, and then have jail use the primitive much in the same way it
> >>>does chroot.  This leaves flexibility to use it without jail, etc, but
> >>>means we have a well-understood and well-defined interaction with jail.
> >>>
> >>IMHO, it is worth having virtualization primitives wherever it is
> >>required and make jails use them.  This can be the case for the
> >>System V IPC as well as for the network stack (think of Marko's work).
> >>
> >>My point is that the usability of virtual network stacks remains
> >>interesting outside the jail framework and should be able to be managed
> >>from its own userland tool (though the latter should probably not be
> >>able to destroy a virtual network stack associated with a jail).
> >>However I don't think that IPC are worth virtualizing outside a
> >>jail framework.
> >>
> >
> >I could definitely use the ability to virtualize IPC inside a lighter
> >container than a jail.  I'd like to be able to tie them to jobs in a
> >batch system managed by Sun Grid Engine so I can constrain resources on
> >a per-job basis and ensure that no IPC objects outlive the job.
> >
> I think that the term "jail" needs to be replaced by something else in
> this context..
> maybe a "virtual context".. virtual contexts would have the option of
> virtualising
> different parts of the system.
> for example they would have the option of whether or not to have a
> chroot, or their own
> networking stack, or their own process space..

This sounds good to me if we could do it in a way that performed decently.

-- Brooks

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20060714232504.GA79925>