Sandboxing OpenZFS on Linux by Albert Lee

Presented at OpenZFS Developer Summit Oct '15, San Francisco, CA


On illumos, *zones* are sandboxed environments encompassing filesystem, network, IPC and other resources, as well as fine-grained resource controls. Zones are backed by a persistent configuration store. All system calls can take advantage of zone awareness to isolate resources and process privileges. A list of ZFS datasets can be *delegated* to a zone, which makes them visible to processes inside the zone and allows administrative operations on the datasets and their children.

The Linux kernel is different in that there is no first-order object corresponding to a specific virtual environment. Instead, Linux provides a set of primitives for resource isolation and control. Each process is associated with a list of *namespaces*, each of which isolates a specific type of resource, such as mountpoints or network interfaces. Processes are also bound to *cgroups*, or control groups, which form a hierarchy for each available resource control. Native *container* frameworks on Linux work by composing sets of namespaces and cgroups and creating processes within them.

We are building a container platform based on Linux and OpenZFS, and one functionality gap we're addressing is to provide ZFS delegation to processes running inside Linux containers. We introduce a *dataset namespace*, which functions as an analogue of a zone identifier. In the Solaris Porting Layer (SPL) portion of ZFS on Linux, we added zone interfaces and associate zone objects with dataset namespaces. This allows many of the existing zone paths in ZFS to be reused. Since the namespace infrastructure has no persistence, new entry points have to be added to manage the list of datasets when a new namespace is created.