From: "Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
To: Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org>
Cc: Linux Containers
<containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org>,
kt-S89nZTSLPHGGdvJs77BJ7Q@public.gmane.org,
Dietmar Maurer <dietmar-YTcQvvOqK21BDgjK7y7TUQ@public.gmane.org>,
lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
Subject: Re: [lxc-devel] Memory Resources
Date: Mon, 31 Aug 2009 08:40:45 -0500
Message-ID: <20090831134045.GD4837@us.ibm.com>
In-Reply-To: <4A97A448.5050506-GANU6spQydw@public.gmane.org>
Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> Krzysztof Taraszka wrote:
> > Okay.
> > I made a few tests and these two ways work:
> >
> > First way:
> > =======
> > lxc. smack enabled, policy loaded. cgroup not labeled.
> >
> > a) start container
> > b) mount cgroup inside container
> > c) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
> > d) secure the /cgroup on the host (ie: attr -S -s SMACK64 -V host /cgroup).
> >
> > this step can be done inside lxc tools ;)
> >
> > Second way:
> > ==========
> > lxc. smack enabled, policy loaded. cgroup not labeled.
> >
> > a) do not label the whole /cgroup directory (DO NOT DO: attr -S -s SMACK64 -V
> > host /cgroup). Label dedicated files only (for example: /cgroup/cpuset.cpus,
> > /cgroup/vs1/cpuset.cpus, etc). Do not label the /cgroup/vs1 directory. Label
> > with the vs1 label only /cgroup/vs1/memory.meminfo. Label all other files with
> > the host label so as not to allow reading them.
> > b) start container
> > c) mount cgroup inside container
> > d) mount --bind /cgroup/foo/memory.meminfo /proc/meminfo
> >
> > steps: b, c, d can be done inside lxc tools. step a can't, and it is based on
> > the admin policy.
> >
> > I think that the first solution is more automatic and can be done by lxc
> > tools (maybe a command line switch? I can prepare a patch for that.)
> >
>
> I do not know smack; what does smack do here? Will this solution prevent the
> container from overwriting /proc/meminfo by remounting /proc?
Right, in the first way he is labeling the whole cgroupfs with a label
which prevents the container from mounting it. In the second way,
the specific files are labeled.
-serge
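Daniel's worry above is that a container could remount /proc and hide the bind-mounted memory.meminfo. The following is an added example, not code from the thread or from the lxc tools: a check that reads a container's /proc/<pid>/mountinfo (fed on stdin) and reports whether the most recent mount covering /proc/meminfo is still the cgroup memory.meminfo file. The mountinfo lines, the mount ids and the /cgroup/foo path are constructed sample data.

```sh
#!/bin/sh
# Added example (not from the thread): detect whether /proc/meminfo inside a
# container is still the bind-mounted cgroup memory.meminfo, or has been
# shadowed by a later mount of /proc on top of it.
# Input: contents of the container's /proc/<pid>/mountinfo on stdin.
# Exit status: 0 when /proc/meminfo is cgroup-backed, 1 otherwise.
meminfo_is_cgroup_bound() {
    awk '
        # mountinfo fields: id parent maj:min root mountpoint opts [optional...] - fstype source superopts
        $5 == "/proc" || $5 == "/proc/meminfo" {
            fstype = ""
            for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
            # later lines are later mounts, so they shadow earlier ones on the same path
            last_mp = $5; last_fs = fstype; last_root = $4
        }
        END {
            ok = (last_mp == "/proc/meminfo" && last_fs == "cgroup" && last_root ~ /\/memory\.meminfo$/)
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample: cgroup mounted in the container, then
# "mount --bind /cgroup/foo/memory.meminfo /proc/meminfo" (first way, step c).
SAMPLE_OK='36 25 0:20 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
40 25 0:30 / /cgroup rw,relatime - cgroup cgroup rw,cpuset,memory
45 36 0:30 /foo/memory.meminfo /proc/meminfo rw,relatime - cgroup cgroup rw,cpuset,memory'

# Constructed sample: same, but the container afterwards mounted a fresh /proc
# on top, which hides the bind mount again.
SAMPLE_SHADOWED="$SAMPLE_OK
50 25 0:35 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw"

# report NAME DATA: print a one-line verdict for a mountinfo snapshot
report() {
    if printf '%s\n' "$2" | meminfo_is_cgroup_bound; then
        echo "$1: /proc/meminfo is cgroup memory.meminfo"
    else
        echo "$1: /proc/meminfo is NOT cgroup-backed (shadowed or never bound)"
    fi
}

report good "$SAMPLE_OK"
report shadowed "$SAMPLE_SHADOWED"
```

On a live host the same function can be fed `cat /proc/<container-init-pid>/mountinfo`; the Smack label on /cgroup is a separate check and is not covered here.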