Devices Namespace

Registered by Serge Hallyn

Rationale:

Devices in Linux currently exist in a single namespace. A (type:major:minor)
tuple refers to the same device for every process. More importantly, uevents
requested from the kernel are sent for all devices to all listeners. When a
container runs udevadm trigger --action=add, add uevents for all hardware are
resent to the host and to all other listeners (containers).

Currently the devices namespace can be used to restrict access from containers
to a given (type:major:minor). If AppArmor is given the ability to filter netlink
traffic, containers could be prevented from running udevadm trigger.

Ideally we would be able to create a new mapping from (type:major:minor) to
kernel devices for containers. When in a new private mapping (== namespace),
udevadm trigger would be restricted to the mapped devices. Some devices, such
as /dev/null and /dev/zero, could be shared among mappings. Others, such
as /dev/loop*, may want more flexible mappings. When combined with the
user namespace, this would mean that whereas b 7:0 is /dev/loop0 on
the host, the container could have b 7:0 point to a different loop device,
owned by its own user namespace and perhaps mapped to a different
(type:major:minor) on the host (or not mapped there at all).

The work in this cycle is to come up with a design for devices namespaces.

Blueprint information

Status: Started
Approver: Dave Walker
Priority: Medium
Drafter: Ubuntu Server
Direction: Approved
Assignee: Serge Hallyn
Definition: Approved
Series goal: Accepted for quantal
Implementation: Needs Infrastructure
Milestone target: None
Started by: Serge Hallyn

Whiteboard

User Stories:

Karl runs some containers on his host. He doesn't want the sound card volume
being reset every time a container starts.

Joy wants 30 containers to each have access to one loop device, without any
risk of them writing to each other's, or the host's, loop devices.
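As an added example (not from this blueprint or from the kernel), a small Python model of the per-(type:major:minor) allowlist that the devices cgroup applies today, checked against Joy's scenario of each container seeing exactly one loop device. The device numbers are a constructed sample, and the rule syntax assumed is the devices cgroup v1 "type major:minor access" form with a default-deny policy.

```python
import os
import stat
from typing import Dict, List, Tuple

# Constructed sample: device nodes as (type, major, minor), the values stat(2)
# would report for these /dev entries on a typical host (not read from this system).
SAMPLE_DEVICES: Dict[str, Tuple[str, int, int]] = {
    "/dev/null": ("c", 1, 3),
    "/dev/zero": ("c", 1, 5),
    "/dev/loop0": ("b", 7, 0),
    "/dev/loop3": ("b", 7, 3),
    "/dev/sda": ("b", 8, 0),
}

# Allowlist in devices cgroup (v1) syntax: "<type> <major>:<minor> <access>",
# where type is b, c or a (any), '*' matches any major/minor, access is r/w/m.
# Assumed default-deny: these are the exceptions that would go into devices.allow.
JOY_CONTAINER_RULES: List[str] = ["c 1:3 rwm", "c 1:5 rwm", "b 7:3 rwm"]

def parse_rule(rule: str) -> Tuple[str, str, str, str]:
    dtype, nums, access = rule.split()
    major, minor = nums.split(":")
    return dtype, major, minor, access

def rule_matches(rule: str, dtype: str, major: int, minor: int, want: str) -> bool:
    """True if this one rule covers the node for every access bit in `want`."""
    rtype, rmajor, rminor, raccess = parse_rule(rule)
    if rtype != "a" and rtype != dtype:
        return False
    if rmajor != "*" and int(rmajor) != major:
        return False
    if rminor != "*" and int(rminor) != minor:
        return False
    return all(bit in raccess for bit in want)

def allowed(rules: List[str], dtype: str, major: int, minor: int, want: str = "rw") -> bool:
    return any(rule_matches(r, dtype, major, minor, want) for r in rules)

def reachable(rules: List[str], devices: Dict[str, Tuple[str, int, int]], want: str = "rw") -> List[str]:
    """Device paths the allowlist lets a container open with the requested access."""
    return sorted(p for p, (t, M, m) in devices.items() if allowed(rules, t, M, m, want))

def devnode_tuple(path: str) -> Tuple[str, int, int]:
    """Read the real (type, major, minor) of an existing device node via stat(2)."""
    st = os.stat(path)
    dtype = "b" if stat.S_ISBLK(st.st_mode) else "c" if stat.S_ISCHR(st.st_mode) else "?"
    return dtype, os.major(st.st_rdev), os.minor(st.st_rdev)
```

Note that this only models which numbers a container may open; with a single device namespace, b 7:3 inside the container is still the host's /dev/loop3, which is exactly the gap the mapping described above would close.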

Assumptions:

The right folks can get together to plan devicens. Upstream is amenable to
the resulting design, or has constructive criticism.

Note: this has been postponed for hopefully only one cycle. It would be better to
push on finishing user namespaces in upstream kernel.

Release notes:

N/A (this work is preliminary, and hopefully targeted for completion in
14.04).

Note: upstream kernel is not ready to discuss device namespaces yet (5/16/2013)


Work items:
[serge-hallyn] Arrange (and remotely participate in) device ns design discussion at plumbers, involving ebiederm and stgraber: POSTPONED
[stgraber] Discuss device ns design at plumber's: POSTPONED
[serge-hallyn] Bring the result up on linux-kernel or blog: POSTPONED
