Linked by Thom Holwerda on Thu 8th Nov 2007 17:25 UTC, submitted by inkslinger77
"Faster than virtualization, but harder to implement, containers are a promising security technology for Linux. Watch the 2.6.24 kernel for experimental support for creating and managing containers."
Permalink for comment 283734
To read all comments associated with this story, please click here.
To read all comments associated with this story, please click here.
Member since:
2005-07-08
Yes, the goal for this work is an OS-level virtualization solution similar to Zones and OpenVZ/Virtuozzo. The namespaces referred to in the article aren't per-process as with Plan9 but rather per-container. Or per-subsystem, per-container.
In any case, Linux has had per-process namespace capabilities since the 2.5.x series, courtesy of Al Viro. Kernel developers think they're cool, but userspace developers haven't really done anything with them. Union mounts (mounting multiple filesystems at the same mount point) seem more useful, and I believe the work there is still ongoing. The Glick application bundle solution uses a really neat FUSE trick to create process-private filesystems in userspace.
The container solution seems to be coming along nicely and on schedule. This is the sort of thing that shouldn't be rushed. It's easy for stuff like this to make a horrible mess of the kernel that developers will be stuck with for years. That's why it's important for out-of-tree projects like OpenVZ to make a mess of things so that we can step back, generate some lessons-learned, and figure out how to do this nicely. In the meantime, we already have a commercially-viable OS-virtualization solution that tracks the mainline fairly closely.