config VSERVER_LEGACY
bool "Enable Legacy Kernel API"
+ depends on EXPERIMENTAL
+ default n
+ help
+ This enables the legacy API used in vs1.xx, maintaining
+ compatibility with older vserver tools, and guest images
+ that are configured using the legacy method.
+
+config VSERVER_LEGACY_VERSION
+ bool "Show a Legacy Version ID"
+ depends on VSERVER_LEGACY
+ default n
+ help
+ This shows a special legacy version to very old tools
+ which do not handle the current version correctly.
+
+ Warning: recent tools are not able to utilize the
+ newer APIs when this is enabled, so some features will
+ not be available. Better avoid it, unless you really,
+ really need it for backwards compatibility.
+
+config VSERVER_DYNAMIC_IDS
+ bool "Enable dynamic context IDs"
+ depends on EXPERIMENTAL && VSERVER_LEGACY
+ default n
+ help
+ This enables support of in kernel dynamic context IDs,
+ which is deprecated and will probably be removed in the
+ next release.
+
+config VSERVER_LEGACYNET
+ bool "Enable Legacy Networking Kernel API"
+ depends on EXPERIMENTAL
+ default n
+ help
+ This enables the legacy networking API which is used
+ by older tools (pre 0.30.210) to set up the network
+ context (chbind).
+
+config VSERVER_REMAP_SADDR
+ bool "Remap Source IP Address"
+ depends on EXPERIMENTAL
+ default n
+ help
+ This allows to remap the source IP address of 'local'
+ connections from 127.0.0.1 to the first assigned
+ guest IP.
+
+config VSERVER_COWBL
+ bool "Enable COW Immutable Link Breaking"
default y
help
- This enables the legacy API used in vs1.xx, which allows
- to use older tools (for migration purposes).
+ This enables the COW (Copy-On-Write) link break code.
+ It allows you to treat unified files like normal files
+ when writing to them (which will implicitely break the
+ link and create a copy of the unified file)
+
+config VSERVER_VTIME
+ bool "Enable Virtualized Guest Time"
+ depends on EXPERIMENTAL
+ default n
+ help
+ This enables per guest time offsets to allow for
+ adjusting the system clock individually per guest.
+ this adds some overhead to the time functions and
+ therefore should not be enabled without good reason.
config VSERVER_PROC_SECURE
bool "Enable Proc Security"
depends on PROC_FS
default y
help
- Hide proc entries by default for xid>1
+ This configures ProcFS security to initially hide
+ non-process entries for all contexts except the main and
+ spectator context (i.e. for all guests), which is a secure
+ default.
+
+ (note: on 1.2x the entries were visible by default)
config VSERVER_HARDCPU
bool "Enable Hard CPU Limits"
- depends on EXPERIMENTAL
- default n
+ default y
help
Activate the Hard CPU Limits
-config VSERVER_HARDCPU_IDLE
+ This will compile in code that allows the Token Bucket
+ Scheduler to put processes on hold when a context's
+ tokens are depleted (provided that its per-context
+ sched_hard flag is set).
+
+ Processes belonging to that context will not be able
+ to consume CPU resources again until a per-context
+ configured minimum of tokens has been reached.
+
+config VSERVER_IDLETIME
+ bool "Avoid idle CPUs by skipping Time"
+ depends on VSERVER_HARDCPU
+ default y
+ help
+ This option allows the scheduler to artificially
+ advance time (per cpu) when otherwise the idle
+ task would be scheduled, thus keeping the cpu
+ busy and sharing the available resources among
+ certain contexts.
+
+config VSERVER_IDLELIMIT
bool "Limit the IDLE task"
depends on VSERVER_HARDCPU
default n
help
Limit the idle slices, so the the next context
will be scheduled as soon as possible.
- might improve interactivity/latency but
- increases scheduling overhead.
+
+ This might improve interactivity and latency, but
+ will also marginally increase scheduling overhead.
choice
- prompt "Persistent Inode Context Tagging"
- default INOXID_UGID24
+ prompt "Persistent Inode Tagging"
+ default TAGGING_ID24
help
This adds persistent context information to filesystems
mounted with the tagxid option. Tagging is a requirement
- for per context disk limits and per context quota.
+ for per-context disk limits and per-context quota.
-config INOXID_NONE
+config TAGGING_NONE
bool "Disabled"
help
- no context information is store for inodes
+ do not store per-context information in inodes.
-config INOXID_UID16
+config TAGGING_UID16
bool "UID16/GID32"
help
reduces UID to 16 bit, but leaves GID at 32 bit.
-config INOXID_GID16
+config TAGGING_GID16
bool "UID32/GID16"
help
reduces GID to 16 bit, but leaves UID at 32 bit.
-config INOXID_UGID24
+config TAGGING_ID24
bool "UID24/GID24"
help
uses the upper 8bit from UID and GID for XID tagging
which leaves 24bit for UID/GID each, which should be
more than sufficient for normal use.
-config INOXID_INTERN
+config TAGGING_INTERN
bool "UID32/GID32"
help
this uses otherwise reserved inode fields in the on
disk representation, which limits the use to a few
filesystems (currently ext2 and ext3)
-config INOXID_RUNTIME
- bool "Runtime"
+endchoice
+
+config TAG_NFSD
+ bool "Tag NFSD User Auth and Files"
+ default n
+ help
+ Enable this if you do want the in-kernel NFS
+ Server to use the tagging specified above.
+ (will require patched clients too)
+
+config PROPAGATE
+ bool "Enable Inode Tag Propagation"
+ default n
depends on EXPERIMENTAL
help
- inodes are tagged when first accessed, this doesn't
- require any persistant information, but might give
- funny results for mixed access.
+ This allows for the tagid= mount option to specify
+ a tagid which is to be used for the entire mount
+ tree.
-endchoice
+config VSERVER_PRIVACY
+ bool "Honor Privacy Aspects of Guests"
+ default y
+ help
+ When enabled, most context checks will disallow
+ access to structures assigned to a specific context,
+ like ptys or loop devices.
+
+config VSERVER_CONTEXTS
+ int "Maximum number of Contexts (1-65533)" if EMBEDDED
+ range 1 65533
+ default "768" if 64BIT
+ default "256"
+ help
+ This setting will optimize certain data structures
+ and memory allocations according to the expected
+ maximum.
+
+ note: this is not a strict upper limit.
+
+config VSERVER_WARN
+ bool "VServer Warnings"
+ default y
+ help
+ This enables various runtime warnings, which will
+ notify about potential manipulation attempts or
+ resource shortage. It is generally considered to
+ be a good idea to have that enabled.
config VSERVER_DEBUG
- bool "Compile Debugging Code"
+ bool "VServer Debugging Code"
default n
help
Set this to yes if you want to be able to activate
- debugging output at runtime. It adds a probably small
- overhead (~ ??%) to all vserver related functions and
+ debugging output at runtime. It adds a very small
+ overhead to all vserver related functions and
increases the kernel size by about 20k.
+config VSERVER_HISTORY
+ bool "VServer History Tracing"
+ depends on VSERVER_DEBUG
+ default n
+ help
+ Set this to yes if you want to record the history of
+ linux-vserver activities, so they can be replayed in
+ the event of a kernel panic or oops.
+
+config VSERVER_HISTORY_SIZE
+ int "Per-CPU History Size (32-65536)"
+ depends on VSERVER_HISTORY
+ range 32 65536
+ default 64
+ help
+ This allows you to specify the number of entries in
+ the per-CPU history buffer.
+
+config VSERVER_MONITOR
+ bool "VServer Scheduling Monitor"
+ depends on VSERVER_DEBUG
+ default n
+ help
+ Set this to yes if you want to record the scheduling
+ decisions, so that they can be relayed to userspace
+ for detailed analysis.
+
+config VSERVER_MONITOR_SIZE
+ int "Per-CPU Monitor Queue Size (32-65536)"
+ depends on VSERVER_MONITOR
+ range 32 65536
+ default 1024
+ help
+ This allows you to specify the number of entries in
+ the per-CPU scheduling monitor buffer.
+
+config VSERVER_MONITOR_SYNC
+ int "Per-CPU Monitor Sync Interval (0-65536)"
+ depends on VSERVER_MONITOR
+ range 0 65536
+ default 256
+ help
+ This allows you to specify the interval in ticks
+ when a time sync entry is inserted.
+
endmenu
+
+config VSERVER
+ bool
+ default y
+ select UTS_NS
+ select SYSVIPC
+ select IPC_NS
+
+config VSERVER_SECURITY
+ bool
+ depends on SECURITY
+ default y
+ select SECURITY_CAPABILITIES
+
+config VSERVER_NGNET
+ bool
+ depends on EXPERIMENTAL && !VSERVER_LEGACYNET
+ default y
+
git://git.onelab.eu / linux-2.6.git / blobdiff