From: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>
To: Aristeu Rozanski <aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: "Serge E. Hallyn" <serge-A9i7LUbDfNHQT0dZR+AlfA@public.gmane.org>,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Serge Hallyn
<serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH 3/5] device_cgroup: keep track of local group settings
Date: Thu, 6 Dec 2012 04:31:30 +0000 [thread overview]
Message-ID: <20121206043130.GA22792@mail.hallyn.com> (raw)
In-Reply-To: <20121203190657.GD32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Quoting Aristeu Rozanski (aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org):
> On Mon, Dec 03, 2012 at 06:01:25PM +0000, Serge E. Hallyn wrote:
> > First, generally, I don't think 'allows' added to parent should be
> > automatically propagated to descendents.
>
> that's what I think too and what I tried to do
>
> > In devcgroup_update_access: (around line 625)
> > there is a period of time where cgroup members have
> > default allow without the parent's exceptions.
>
> true, will fix that one and look for more cases
>
> > propagate_behavior (line 505):
> > 1. doesn't follow the same ordering as devcgroup_update_access(), in
> > particular cleaning exceptions before setting behavior.
>
> I see, will update that
>
> > 2. When changing a parent from deny to allow, I don't think children
> > should be updated.
>
> I disagree on this one. since there'll be local preferences, it'll try
> to revalidate them everytime there's a change. so, for example, an
> exception that might not be possible now, will be possible when its
> parent changes in a way that allows that.
My concern is just practical - if I've started a bunch of containers,
and another admin decides to make a change to the root devices cgroup,
I don't want the container's device accesses now changing.
Maybe that's better solved by having all of userspace sit in /system
while containers and vms sit under /lxc and /libvirt...
-serge
WARNING: multiple messages have this Message-ID (diff)
From: "Serge E. Hallyn" <serge@hallyn.com>
To: Aristeu Rozanski <aris@redhat.com>
Cc: "Serge E. Hallyn" <serge@hallyn.com>,
linux-kernel@vger.kernel.org, Tejun Heo <tj@kernel.org>,
Serge Hallyn <serge.hallyn@canonical.com>,
cgroups@vger.kernel.org
Subject: Re: [PATCH 3/5] device_cgroup: keep track of local group settings
Date: Thu, 6 Dec 2012 04:31:30 +0000 [thread overview]
Message-ID: <20121206043130.GA22792@mail.hallyn.com> (raw)
In-Reply-To: <20121203190657.GD32112@redhat.com>
Quoting Aristeu Rozanski (aris@redhat.com):
> On Mon, Dec 03, 2012 at 06:01:25PM +0000, Serge E. Hallyn wrote:
> > First, generally, I don't think 'allows' added to parent should be
> > automatically propagated to descendents.
>
> that's what I think too and what I tried to do
>
> > In devcgroup_update_access: (around line 625)
> > there is a period of time where cgroup members have
> > default allow without the parent's exceptions.
>
> true, will fix that one and look for more cases
>
> > propagate_behavior (line 505):
> > 1. doesn't follow the same ordering as devcgroup_update_access(), in
> > particular cleaning exceptions before setting behavior.
>
> I see, will update that
>
> > 2. When changing a parent from deny to allow, I don't think children
> > should be updated.
>
> I disagree on this one. since there'll be local preferences, it'll try
> to revalidate them everytime there's a change. so, for example, an
> exception that might not be possible now, will be possible when its
> parent changes in a way that allows that.
My concern is just practical - if I've started a bunch of containers,
and another admin decides to make a change to the root devices cgroup,
I don't want the container's device accesses now changing.
Maybe that's better solved by having all of userspace sit in /system
while containers and vms sit under /lxc and /libvirt...
-serge
next prev parent reply other threads:[~2012-12-06 4:31 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-27 19:35 [PATCH 0/5] devcg: introduce proper hierarchy support Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 1/5] device_cgroup: fix locking in devcgroup_destroy() Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193501.728193744-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-11-29 19:06 ` Serge E. Hallyn
2012-11-29 19:06 ` Serge E. Hallyn
2012-12-03 17:29 ` Tejun Heo
2012-11-27 19:35 ` [PATCH 2/5] device_cgroup: prepare exception list handling functions for two lists Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193502.078661224-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-11-29 19:07 ` Serge E. Hallyn
2012-11-29 19:07 ` Serge E. Hallyn
2012-12-03 17:31 ` Tejun Heo
2012-12-03 17:31 ` Tejun Heo
2012-11-27 19:35 ` [PATCH 3/5] device_cgroup: keep track of local group settings Aristeu Rozanski
2012-11-29 19:29 ` Serge E. Hallyn
[not found] ` <20121129192945.GD26104-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-11-29 19:59 ` Aristeu Rozanski
2012-11-29 19:59 ` Aristeu Rozanski
[not found] ` <20121129195942.GW32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-11-29 20:26 ` Serge E. Hallyn
2012-11-29 20:26 ` Serge E. Hallyn
[not found] ` <20121129202608.GA26716-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-11-29 22:31 ` Aristeu Rozanski
2012-11-29 22:31 ` Aristeu Rozanski
[not found] ` <20121129223111.GZ32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-03 18:01 ` Serge E. Hallyn
2012-12-03 18:01 ` Serge E. Hallyn
[not found] ` <20121203180125.GA30637-7LNsyQBKDXoIagZqoN9o3w@public.gmane.org>
2012-12-03 19:06 ` Aristeu Rozanski
2012-12-03 19:06 ` Aristeu Rozanski
[not found] ` <20121203190657.GD32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-06 4:31 ` Serge E. Hallyn [this message]
2012-12-06 4:31 ` Serge E. Hallyn
2012-11-29 20:11 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 4/5] device_cgroup: make may_access() stronger Aristeu Rozanski
2012-11-27 19:35 ` Aristeu Rozanski
[not found] ` <20121127193502.817704289-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-12-03 17:44 ` Tejun Heo
2012-12-03 17:44 ` Tejun Heo
[not found] ` <20121203174414.GI19802-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2012-12-03 19:01 ` Aristeu Rozanski
2012-12-03 19:01 ` Aristeu Rozanski
2012-11-27 19:35 ` [PATCH 5/5] device_cgroup: propagate local changes down the hierarchy Aristeu Rozanski
[not found] ` <20121127193503.114004167-cd6kKtb6gxi3M6m420IelR/sF2h8X+2i0E9HWUfgJXw@public.gmane.org>
2012-12-03 18:01 ` Tejun Heo
2012-12-03 18:01 ` Tejun Heo
[not found] ` <20121203180145.GJ19802-Gd/HAXX7CRxy/B6EtB590w@public.gmane.org>
2012-12-03 19:14 ` Aristeu Rozanski
2012-12-03 19:14 ` Aristeu Rozanski
[not found] ` <20121203191411.GE32112-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2012-12-03 21:36 ` Tejun Heo
2012-12-03 21:36 ` Tejun Heo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121206043130.GA22792@mail.hallyn.com \
--to=serge-a9i7lubdfnhqt0dzr+alfa@public.gmane.org \
--cc=aris-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.