From: Lennart Poettering <mzerqung@0pointer.de>
To: Jason Baron <jbaron@redhat.com>
Cc: fedora-devel-list@redhat.com,
	cg-manager-developers@lists.fedorahosted.org, dwalsh@redhat.com,
	duffy@redhat.com, containers@lists.osdl.org
Subject: Re: new cg-manager gui tool for managin cgroups
Date: Thu, 21 Jul 2011 18:11:25 +0200	[thread overview]
Message-ID: <20110721161124.GC19140@tango.0pointer.de> (raw)
In-Reply-To: <20110721142053.GA2454@redhat.com>

On Thu, 21.07.11 10:20, Jason Baron (jbaron@redhat.com) wrote:

> > Quite frankly, I think cgrulesd is a really bad idea, since it applies
> > control group limits after a process is already running. This is
> > necessarily racy (and adds quite a burden too, since you ask for
> > notifications on each exec()). I'd claim that cgrulesd is broken by
> > design and cannot be fixed.
> 
> I'm not going to claim that cgrulesd is perfect, but in the case where
> you have untrusted users, you can start their login session in a
> cgroup, and they can't break out of it. I agree it can be racy in the
> case where you want to then further limit that user at run-time (fork
> vs. re-assignment race). Another point is that the current situation
> can be no worse than the current unconstrained (no cgroup) case,
> especially when you take into account the fact that system services or
> 'trusted services' are going to be properly assigned. Perhaps, the
> authors of cgrulesd can further comment on this issue... 

Placing users in cgroups is not done by cgrulesd afaik. The PAM module
does that (and systemd can do that for you, too).

> > systemd is and will always have to maintain its own hierarchy
> > independently of everybody else.
> 
> My suggestion here was that systemd starts its own hierarchy in some
> default way, and then once configuration info is available it can move
> processes around as required (in most cases there would probably be no
> movement since we don't expect most users to override the defaults). 
> Doesn't it have to do this now, if the user requests some sort of
> customized cgroup configuration?

I'd expect people to just tell systemd about their preferred grouping
(if the default of sticking each service into a group of its own is not
good enough) using the ControlGroup= setting in unit files. This is
trivial to do, and will put things right from the beginning with no
complex moving around.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.
-- 
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
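The fork-vs-reassignment race that both participants refer to above can be shown with a small model of the kernel semantics it depends on. This is an added example, not code from cgrulesd, libcgroup or systemd; it models only two kernel facts: fork() copies the parent's cgroup membership to the child, and writing a pid to a cgroup's tasks file moves that one task only. The cgroup paths /user/bob and /limited, the job name "bigjob" and the rule table are assumptions made for illustration. The first scenario models a rule daemon that moves a process after an asynchronous exec notification; the second models a spawner that places the child in its group before exec, which is what a PAM session module or a unit-file grouping setting achieves.

```python
"""Toy simulation of why assigning cgroups after exec() races with fork().

Constructed example, not cgrulesd, libcgroup or systemd code. It models only:
  * fork() copies the parent's cgroup membership to the child;
  * moving a pid into a cgroup moves that single task, not its children.
Paths (/user/bob, /limited), the job name "bigjob" and the rule table are
assumed for illustration.
"""
import itertools
from collections import deque


class Kernel:
    """Minimal process table with per-pid cgroup membership."""

    def __init__(self):
        self._pids = itertools.count(1)
        self.cgroup_of = {}         # pid -> cgroup path
        self.comm_of = {}           # pid -> executable name
        self.exec_events = deque()  # asynchronous exec notifications

    def spawn_login(self, cgroup):
        """Session leader placed by the PAM module before it runs anything."""
        pid = next(self._pids)
        self.cgroup_of[pid] = cgroup
        self.comm_of[pid] = "bash"
        return pid

    def fork(self, parent):
        """fork(): the child inherits the parent's current cgroup."""
        child = next(self._pids)
        self.cgroup_of[child] = self.cgroup_of[parent]
        self.comm_of[child] = self.comm_of[parent]
        return child

    def execve(self, pid, comm):
        """execve(): new image, and a notification is queued for later delivery."""
        self.comm_of[pid] = comm
        self.exec_events.append(pid)

    def move(self, pid, cgroup):
        """Writing a pid to a cgroup's tasks file moves that task only."""
        self.cgroup_of[pid] = cgroup


def rules_daemon_pass(kernel, rules):
    """Drain queued exec notifications and apply name-based rules (assumed
    model of a rule daemon that reacts to exec events)."""
    while kernel.exec_events:
        pid = kernel.exec_events.popleft()
        target = rules.get(kernel.comm_of[pid])
        if target is not None:
            kernel.move(pid, target)


def reassign_after_exec(workers=3):
    """Rule applied after exec: workers forked before the daemon reacts escape."""
    k = Kernel()
    shell = k.spawn_login("/user/bob")
    job = k.fork(shell)
    k.execve(job, "bigjob")                 # notification queued, not yet handled
    kids = [k.fork(job) for _ in range(workers)]  # job forks before daemon runs
    rules_daemon_pass(k, {"bigjob": "/limited"})
    return {"job": k.cgroup_of[job],
            "workers": sorted({k.cgroup_of[p] for p in kids})}


def place_before_exec(workers=3):
    """Spawner moves the child into its group before exec; descendants inherit."""
    k = Kernel()
    shell = k.spawn_login("/user/bob")
    job = k.fork(shell)
    k.move(job, "/limited")                 # done by the parent, before execve()
    k.execve(job, "bigjob")
    kids = [k.fork(job) for _ in range(workers)]
    rules_daemon_pass(k, {})                # nothing to fix up afterwards
    return {"job": k.cgroup_of[job],
            "workers": sorted({k.cgroup_of[p] for p in kids})}


if __name__ == "__main__":
    print("reassign after exec:", reassign_after_exec())
    print("place before exec  :", place_before_exec())
```

In the first scenario only the pid named in the notification lands in /limited; every worker it forked in the window before the daemon ran stays in /user/bob and is not subject to the limit. In the second scenario the parent moves the child before exec, so the limit is in place from the first instruction and every descendant inherits it with no later moving around.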
