From: "Serge E. Hallyn" <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
To: Andrew Morton <akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: "Serge E. Hallyn"
<serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
"Eric W. Biederman"
<ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>,
Paul Menage <menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 0/3][V2] remove the ns_cgroup
Date: Mon, 27 Sep 2010 15:36:58 -0500 [thread overview]
Message-ID: <20100927203658.GA5320@hallyn.com> (raw)
In-Reply-To: <20100927125741.0df22f09.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Quoting Andrew Morton (akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org):
> On Mon, 27 Sep 2010 12:14:10 +0200
> Daniel Lezcano <daniel.lezcano-GANU6spQydw@public.gmane.org> wrote:
>
> > The ns_cgroup is a control group interacting with the namespaces.
> > When a new namespace is created, a corresponding cgroup is
> > automatically created too. The cgroup name is the pid of the process
> > who did 'unshare' or the child of 'clone'.
> >
> > This cgroup is tied with the namespace because it prevents a
> > process to escape the control group and use the post_clone callback,
> > so the child cgroup inherits the values of the parent cgroup.
> >
> > Unfortunately, the more we use this cgroup and the more we are facing
> > problems with it:
> >
> > (1) when a process unshares, the cgroup name may conflict with a previous
> > cgroup with the same pid, so unshare or clone return -EEXIST
> >
> > (2) the cgroup creation is out of control because there may have an
> > application creating several namespaces where the system will automatically
> > create several cgroups in his back and let them on the cgroupfs (eg. a vrf
> > based on the network namespace).
> >
> > (3) the mix of (1) and (2) force an administrator to regularly check and
> > clean these cgroups.
> >
> > This patchset removes the ns_cgroup by adding a new flag to the cgroup
> > and the cgroupfs mount option. It enables the copy of the parent cgroup
> > when a child cgroup is created. We can then safely remove the ns_cgroup as
> > this flag brings a compatibility. We have now to manually create and add the
> > task to a cgroup, which is consistent with the cgroup framework.
>
> So this is a non-backward-compatible userspace-visible change?
Yes, it is.
Patch 1 is needed to let lxc and libvirt both control containers with
same cgroup setup. Patch 3 however isn't *necessary* for that. Daniel,
what do you think about holding off on patch 3?
> What are the implications of this?
The ns cgroup does 2 things which no other cgroup does: (1) it
moves tasks into a child cgroup any time they unshare or clone
a namespace. And (2) it prevents them from moving up to a parent
cgroup. The latter in particular makes it the only way, without
using an LSM, of locking root into a cgroup, until user namespaces
are further developed (*).
-serge
(*) - Maybe something to add to that new kernel todo list
next prev parent reply other threads:[~2010-09-27 20:36 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-27 10:14 [PATCH 0/3][V2] remove the ns_cgroup Daniel Lezcano
[not found] ` <1285582453-6127-1-git-send-email-daniel.lezcano-GANU6spQydw@public.gmane.org>
2010-09-27 10:14 ` [PATCH 1/3][V2] cgroup : add clone_children control file Daniel Lezcano
[not found] ` <1285582453-6127-2-git-send-email-daniel.lezcano-GANU6spQydw@public.gmane.org>
2010-09-27 13:34 ` Serge E. Hallyn
2010-09-27 14:11 ` Balbir Singh
2010-09-29 23:12 ` Paul Menage
2010-09-27 10:14 ` [PATCH 2/3][V2] cgroup : make the mount options parsing more accurate Daniel Lezcano
2010-09-27 10:14 ` [PATCH 3/3][V2] cgroup : remove the ns_cgroup Daniel Lezcano
2010-09-27 19:57 ` [PATCH 0/3][V2] " Andrew Morton
[not found] ` <20100927125741.0df22f09.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2010-09-27 20:36 ` Serge E. Hallyn [this message]
[not found] ` <20100927203658.GA5320-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
2010-09-27 20:45 ` Eric W. Biederman
[not found] ` <m1zkv2ncex.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2010-09-27 20:50 ` Andrew Morton
[not found] ` <20100927135025.74e297c3.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2010-09-27 21:13 ` Eric W. Biederman
2010-09-27 20:46 ` Andrew Morton
[not found] ` <20100927134619.ecefe9f4.akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
2010-09-27 20:53 ` Serge E. Hallyn
2010-09-28 13:50 ` Daniel Lezcano
[not found] ` <4CA1F299.3000603-GANU6spQydw@public.gmane.org>
2010-09-28 21:27 ` Andrew Morton
2010-09-27 20:43 ` Daniel Lezcano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100927203658.GA5320@hallyn.com \
--to=serge.hallyn-z7wlfzj8ewms+fvcfc7uqw@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=menage-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.