LKML Archive on lore.kernel.org
From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Pavel Emelyanov <xemul@openvz.org>
Cc: Nick Andrew <nick@nick-andrew.net>,
	trivial@kernel.org, linux-kernel@vger.kernel.org,
	Serge Hallyn <serue@us.ibm.com>
Subject: Re: Improve init/Kconfig help descriptions [PATCH 3/9]
Date: Tue, 19 Feb 2008 09:50:07 -0600
Message-ID: <20080219155007.GA19362@sergelap.austin.ibm.com>
In-Reply-To: <47BAF2E5.8050001@openvz.org>

Quoting Pavel Emelyanov (xemul@openvz.org):
> Nick Andrew wrote:
> > On Tue, Feb 19, 2008 at 05:42:07PM +0300, Pavel Emelyanov wrote:
> >> Nick Andrew wrote:
> >>> On Wed, Feb 20, 2008 at 01:06:09AM +1100, Nick Andrew wrote:
> >>>> Here is a series of 9 patches to init/Kconfig intended to improve the
> >>>> usefulness and consistency of the help descriptions. The patches are
> >>>> against linux-2.6.24.2.
> >>>> [...]
> >>>> Patch 3
> >>>> 	USER_NS
> >>>> 	PID_NS
> >> What about UTS_NS, IPC_NS and NET_NS? 
> >> Their descriptions can be improved in the same way :)
> > 
> > So far I have edited only init/Kconfig, that's what these 9
> > patches are for. Next I'll do block/Kconfig. Eventually I expect
> > to get to net/Kconfig which is where NET_NS is configured,
> > but I don't know where UTS_NS and IPC_NS come from in 2.6.24.2.
> > 
> > I expect I'll have to start patching against a git tree soon,
> > to be sure to see the latest code. I assume this should be
> > Linus' tree?
> 
> Both UTS_NS and IPC_NS are in init/Kconfig. At least they are
> in 2.6.25-rc2 :)
> 
> > Is there any actual documentation on user namespaces and friends?
> 
> Hardly :(
> 
> > I think I grasp the pid namespaces concept; I am having a little
> > difficulty visualising what function user namespaces performs.
> > "provide different user info" isn't a very useful description and
> > I'd fix it if I understood what it is supposed to mean.
> 
> The pid namespaces are described here: http://lwn.net/Articles/259217/
> 
> > To make a guess at it, how about:
> > 
> >    Enable support for user namespaces.
> > 
> >    This is a function used by container-based virtualisation systems
> >    (e.g. vservers). User namespaces ensures that processes with the
> >    same uid which are in different containers are isolated from each other.
> > 
> >    Answer Y if you require container-based virtualisation like
> >    vservers. If unsure, say N.
> 
> You'd better talk to Serge Hallyn (in Cc) about them. He had some
> thoughts on how to complete them :)

That describes the final intent for user namespaces.  Currently all they
do is provide for separate accounting for the same uid in different user
namespaces.  To provide actual isolation/security, you would currently
want to use an LSM.  I'm currently playing with some SELinux policy
infrastructure to make that easier.

So as for the description, for now it should probably read something
like:

    Enable experimental support for user namespaces.
 
    This is a function used by container-based virtualisation systems
    (e.g. vservers). User namespaces are intended to ensure that
    processes with the same uid which are in different containers are
    isolated from each other.

    Currently user namespaces provide separate accounting, while
    isolation must be provided using SELinux or a custom security
    module.
 
    Answer Y if you require container-based virtualisation like
    vservers. If unsure, say N.

> 
> > Nick.

thanks,
-serge
