Re: [RFC] Fast-user-switching plans
- From: Graham Lyon <graham lyon gmail com>
- To: Martijn Lievaart <m rtij nl>
- Cc: Marc Herbert <Marc Herbert gmail com>, networkmanager-list gnome org
- Subject: Re: [RFC] Fast-user-switching plans
- Date: Fri, 28 May 2010 18:13:54 +0100
Now I'm no expert on this particular area but I recall that there are now several ways to break a system up into "containers" [1] which is often used to do things like virtualisation. However, would it be possible to utilize the network "namespace" component [2] in order to break off a user's mobile broadband connection into a namespace that only their processes have access to? I'm just bringing this up because maybe the technology to do what everyone seems to agree "should" be possible already is in the kernel.
Like I said, I'm no expert but I think I'll read into it out of curiosity... just wanted to throw it out there for anyone else who might be curious about looking down this path...
-Graham
[2] http://lxc.sourceforge.net/network.php
On 28 May 2010 17:23, Martijn Lievaart <m rtij nl> wrote:
On 05/28/2010 03:46 PM, Marc Herbert wrote:
On 28/05/2010 09:16, Simon Geard wrote:
Simply because IP is not designed like this at all. NetworkManager's scope is to make IP networking easy; not to re-invent the Internet.
Actually, couldn't something be done with Netfilter rules? The connection (a VPN, say) might technically be system-wide, but with rules enforcing that only applications running as a certain user could send and receive packets on it? Perhaps imperfect, but a starting point...
Sockets have owners, but I doubt very much you can extend that to packets. The "end-to-end principle" strikes again. So this rules out Netfilter I am afraid.
Netfilter has an owner match, which does extend the owner to packets, more or less. However, you would also have to consider routing. This also looks possible with tc rules matching on the same netfilter match. However I suspect this will never work satisfactorily, IP was just never designed to do things like this.
I do think that we will move in this general direction, but with a more light-VM-per-user-like approach, where every user has its own view of the filesystem, its own networking "view" etc. In other words, I suspect this is much bigger than can be handled now.
HTH,
M4
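The two mechanisms discussed in this thread, Netfilter's owner match combined with policy routing (Martijn's point above) and a per-user network namespace (Graham's suggestion at the top), sketched as an added shell example that is not part of the thread. The uid 1000, device tun0, fwmark 0x1, routing table 100 and namespace name are placeholders; the commands need root, so DRY_RUN=1 prints them instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread): two ways to tie a system-wide VPN
# device to a single user on Linux. All values are placeholders: uid 1000,
# device tun0, fwmark 0x1, routing table 100. Set DRY_RUN=1 to print the
# commands instead of running them (they need root to execute).
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Netfilter owner match plus policy routing (Martijn's suggestion).
per_user_vpn_rules() {
  uid=$1; ifc=$2; mark=${3:-0x1}; table=${4:-100}
  # the owner match only exists for locally generated traffic: mark the
  # user's outgoing packets and route marked packets via the VPN table
  run iptables -t mangle -A OUTPUT -m owner --uid-owner "$uid" -j MARK --set-mark "$mark"
  run ip rule add fwmark "$mark" table "$table"
  run ip route add default dev "$ifc" table "$table"
  # anything else leaving via the VPN device (e.g. a pushed default route) is refused
  run iptables -A OUTPUT -o "$ifc" -m owner ! --uid-owner "$uid" -j REJECT
  # inbound packets have no owner (Marc's objection above); only replies to
  # the user's own flows are admitted, via connection tracking
  run iptables -A INPUT -i "$ifc" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A INPUT -i "$ifc" -j DROP
}

# 2. Network namespace (Graham's suggestion): move the device into a private
# namespace; only processes started inside that namespace can see or use it.
per_user_netns() {
  user=$1; ifc=$2; ns=${3:-vpn-$1}
  run ip netns add "$ns"
  run ip link set "$ifc" netns "$ns"
  run ip netns exec "$ns" ip link set lo up
  run ip netns exec "$ns" ip link set "$ifc" up
  run ip netns exec "$ns" ip route add default dev "$ifc"
  # the user's programs are then launched inside the namespace, e.g.
  #   ip netns exec "$ns" runuser -u "$user" -- <program>
}

# usage: DRY_RUN=1 sh per_user_vpn.sh rules 1000 tun0
#        sh per_user_vpn.sh netns alice tun0
case "$1" in
  rules) shift; per_user_vpn_rules "$@" ;;
  netns) shift; per_user_netns "$@" ;;
esac
```

In the namespace variant the VPN daemon keeps running in the root namespace; the tun device it created is simply moved, which is why only the device, not the daemon, changes namespace.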