Re: [RFC] [patch 0/6] [Network namespace] introduction

From: Kari Hurtta
Date: Sat Jun 10 2006 - 03:21:41 EST


dlezcano@xxxxxxxxxx writes in gmane.linux.network,gmane.linux.kernel:

> The following patches create a private "network namespace" for use
> within containers. This is intended for use with system containers
> like vserver, but might also be useful for restricting individual
> applications' access to the network stack.
>
> These patches isolate traffic inside the network namespace. The
> network resources, the incoming and the outgoing packets are
> identified to be related to a namespace.
>
> It hides network resources not contained in the current namespace, but
> still allows administration of the network with normal commands like
> ifconfig.
>
> It applies to the kernel version 2.6.17-rc6-mm1
>
> It provides the following:
> -------------------------
> - when an application unshares its network namespace, it loses its
> view of all network devices by default. The administrator can
> choose to make any device visible again. The container
> then gains a view to the device but without the ip address
> configured on it. It is up to the container administrator to use
> ifconfig or ip command to setup a new ip address. This ip address
> is only visible inside the container.

Do other namespaces work differently?
When a namespace is unshared, it initially has the same resources
(compare, for example, CLONE_NEWNS)


> - the loopback is isolated inside the container and it is not
> possible to communicate between containers via the
> loopback.
>
> - several containers can have an application bind to the same
> address:port without conflicting.

That would of course be a problem if an initially unshared namespace shares
the same resources.

/ Kari Hurtta
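An added example, not code from this thread or from the RFC patch set: it uses the unshare(CLONE_NEWNET) interface that mainline Linux adopted later (2.6.24), so the flag name, the CLONE_NEWUSER fallback for unprivileged callers, and the assumption that a fresh namespace contains only its own (down) loopback device describe the merged design, not these patches. It exercises two of the points in the quoted summary: a freshly unshared network namespace sees none of the parent's devices (which also answers the question above for the merged design: unlike CLONE_NEWNS, a new network namespace does not start with a copy of the parent's resources), and the same address:port can be bound in two namespaces while a second bind in the same namespace fails with EADDRINUSE.

```c
/* Added example, not from the RFC patches or this thread. Assumes Linux with
 * glibc and a kernel with CLONE_NEWNET (2.6.24+). */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <net/if.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Bind a TCP socket to 0.0.0.0:port (0 = let the kernel pick). Returns the fd
 * or -errno. No SO_REUSEADDR, so a second bind in the same namespace fails. */
static int bind_tcp(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;
        close(fd);
        return -e;
    }
    return fd;
}

/* Port bound by fd, host byte order (0 on error). */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Number of network devices visible from the caller's namespace. */
static int count_ifaces(void)
{
    struct if_nameindex *ni = if_nameindex();
    if (!ni)
        return -1;
    int n = 0;
    for (struct if_nameindex *p = ni; p->if_index != 0; p++)
        n++;
    if_freenameindex(ni);
    return n;
}

/* Child: enter a fresh network namespace and retry the port. Returns 1 if only
 * the loopback device is visible and the bind succeeds, 0 if unshare() is not
 * permitted in this environment, -1 on anything else. */
static int child_in_new_netns(uint16_t port)
{
    /* CLONE_NEWUSER first so an unprivileged caller can create the netns (assumes
     * unprivileged user namespaces are enabled); plain CLONE_NEWNET for root. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0 && unshare(CLONE_NEWNET) < 0)
        return (errno == EPERM || errno == EACCES || errno == EINVAL || errno == ENOSYS) ? 0 : -1;
    int n = count_ifaces();   /* a new netns starts with "lo" only, and it is down */
    int cfd = bind_tcp(port); /* the address:port is free again here */
    return (n == 1 && cfd >= 0) ? 1 : -1;
}

/* Returns 1 when both halves ran, 0 when the same-namespace conflict was
 * verified but no namespace could be created here, -1 on unexpected failure. */
int demo_netns_bind(void)
{
    int pfd[2], rc = -1, r;
    pid_t pid;
    int fd = bind_tcp(0);
    if (fd < 0)
        return -1;
    uint16_t port = bound_port(fd);
    /* Same namespace: the second bind of the same address:port must conflict. */
    if (port == 0 || bind_tcp(port) != -EADDRINUSE || pipe(pfd) < 0)
        goto out;
    if ((pid = fork()) == 0) {
        r = child_in_new_netns(port);
        _exit(write(pfd[1], &r, sizeof r) == sizeof r ? 0 : 1);
    }
    close(pfd[1]);
    if (pid > 0 && read(pfd[0], &rc, sizeof rc) != sizeof rc)
        rc = -1;
    close(pfd[0]);
    if (pid > 0)
        waitpid(pid, NULL, 0);
out:
    close(fd);
    return rc;
}

int main(void)
{
    int r = demo_netns_bind();   /* 1: shown, 0: unshare() not permitted, -1: error */
    printf("demo_netns_bind() = %d\n", r);
    return r < 0;
}
```

Build with gcc and run as root, or as an ordinary user on a kernel with unprivileged user namespaces enabled; otherwise both unshare() calls fail with EPERM and the program reports 0, having still verified that the second bind in the parent's namespace is refused with EADDRINUSE. The port is chosen by binding to port 0 and reading it back with getsockname(), so the demonstration does not collide with anything already listening on the host.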

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/