Devices Namespace

Registered by Serge Hallyn


Devices in Linux currently exist in a single namespace: a (type:major:minor)
triple refers to the same device for every process. More importantly, requests
for uevents from the kernel cause uevents for all devices to be sent to all
listeners. When a container runs udevadm trigger --action=add, add uevents for
all hardware are resent to the host and to every other listener (including
other containers).

Currently the devices namespace can be used to restrict a container's access
to specific (type:major:minor) devices. If AppArmor were given the ability to
filter netlink traffic, containers could also be prevented from running
udevadm trigger.

Ideally we would be able to create a new mapping from (type:major:minor) to
kernel devices for containers. When in a new private mapping (== namespace),
udevadm trigger would be restricted to the mapped devices. Some devices, such
as /dev/null and /dev/zero, could be shared among mappings. Others, such
as /dev/loop*, may want more flexible mappings. When combined with the
user namespace, this would mean that whereas b 7:0 is /dev/loop0 on
the host, the container could have b 7:0 point to a different loop device,
owned by its own user namespace and perhaps mapped to a different
(type:major:minor) on the host (or not mapped there at all).

The work in this cycle is to come up with a design for devices namespaces.

Blueprint information

Dave Walker
Ubuntu Server
Serge Hallyn
Series goal: Accepted for quantal
Needs Infrastructure
Milestone target:
Started by: Serge Hallyn

User Stories:

Karl runs some containers on his host. He doesn't want the sound card volume
being reset every time a container starts.

Joy wants 30 containers to each have access to one loop device, without any
risk of them writing to each other's, or the host's, loop devices.
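As an added example (not part of this blueprint), the audit that Joy's story implies with today's tooling: given each container's (type:major:minor) allow rules, find loop devices that more than one container can write. The rule syntax ("b 7:0 rwm", with "*" as a wildcard major or minor) is assumed to be that of the cgroup v1 devices controller; the container names and rules are constructed.

```python
"""Find loop devices that more than one container may write.

Added example; assumes cgroup v1 devices-controller rule syntax
("b 7:0 rwm", "*" = wildcard). Sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

LOOP_MAJOR = 7  # block major 7 is the loop driver: b 7:0 is /dev/loop0


@dataclass(frozen=True)
class DeviceRule:
    dtype: str              # 'a' (all), 'b' (block) or 'c' (char)
    major: Optional[int]    # None means the wildcard '*'
    minor: Optional[int]
    access: str             # subset of "rwm"


def parse_rule(line: str) -> DeviceRule:
    """Parse one 'type major:minor access' rule, rejecting malformed ones."""
    dtype, ids, access = line.split()
    major_s, minor_s = ids.split(":")
    if dtype not in "abc" or not set(access) <= set("rwm"):
        raise ValueError(f"bad device rule: {line!r}")
    to_int = lambda s: None if s == "*" else int(s)
    return DeviceRule(dtype, to_int(major_s), to_int(minor_s), access)


def grants_write(rule: DeviceRule, dtype: str, major: int, minor: int) -> bool:
    """True if the rule allows writing to (dtype:major:minor)."""
    if rule.dtype not in ("a", dtype):
        return False
    if rule.major is not None and rule.major != major:
        return False
    if rule.minor is not None and rule.minor != minor:
        return False
    return "w" in rule.access


def shared_loop_writers(containers: Dict[str, List[str]], minors=range(8)):
    """Map each loop minor to the containers that can write /dev/loopN,
    keeping only minors with more than one writer (the overlap to fix)."""
    writers: Dict[int, List[str]] = {}
    for name, lines in containers.items():
        rules = [parse_rule(l) for l in lines]
        for n in minors:
            if any(grants_write(r, "b", LOOP_MAJOR, n) for r in rules):
                writers.setdefault(n, []).append(name)
    return {n: c for n, c in writers.items() if len(c) > 1}


# Constructed sample: c2 was given a wildcard loop rule, so it overlaps c1 and c3.
SAMPLE = {
    "c1": ["c 1:3 rwm", "c 1:5 rwm", "b 7:0 rwm"],
    "c2": ["c 1:3 rwm", "b 7:* rwm"],
    "c3": ["c 1:5 rwm", "b 7:2 rwm"],
}

if __name__ == "__main__":
    print(shared_loop_writers(SAMPLE))  # {0: ['c1', 'c2'], 2: ['c2', 'c3']}
```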


The right folks can get together to plan devicens. Upstream is amenable to
the resulting design, or has constructive criticism.

Note: this has been postponed for hopefully only one cycle. It would be better to
push on finishing user namespaces in upstream kernel.

Release notes:

N/A (this work is preliminary, and hopefully targeted for completion in

Note: upstream kernel is not ready to discuss device namespaces yet (5/16/2013)


Work items:
[serge-hallyn] Arrange (and remotely participate in) device ns design discussion at Plumbers, involving ebiederm and stgraber: POSTPONED
[stgraber] Discuss device ns design at Plumbers: POSTPONED
[serge-hallyn] Bring the result up on linux-kernel or blog: POSTPONED
