From: Li Zefan <lizf@cn.fujitsu.com>
To: Grzegorz Nosek <root@localdomain.pl>
Cc: containers@lists.osdl.org, netdev@vger.kernel.org
Subject: Re: [RFC][PATCH] IP address restricting cgroup subsystem
Date: Wed, 07 Jan 2009 16:36:35 +0800 [thread overview]
Message-ID: <49646993.6080802@cn.fujitsu.com> (raw)
In-Reply-To: <20090107073831.GA23648@megiteam.pl>
Grzegorz Nosek wrote:
> On śro, sty 07, 2009 at 02:01:10 +0800, Li Zefan wrote:
>> CC: netdev@vger.kernel.org
>>
>> I'll review the cgroup part if this patch is regarded as useful.
>>
>> Grzegorz Nosek wrote:
>>> This is a very simple cgroup subsystem to restrict IP addresses used
>>> by member processes. Currently it is limited to IPv4 only but IPv6 (or
>>> other protocols) should be easy to implement.
>>>
>>> IP addresses are write-once (via /cgroup/.../ipaddr.ipv4 in dotted-quad
>> Why they should be write-once ?
>
> No real (technical) reason. Making it read-write would be fine with me.
> I wanted to make the restriction a one-way road but I guess I can police
> that in userspace (simply don't write anything to the file twice).
>
But seems the patch makes it impossible to re-allow a restricted task to
be binded to INADDR_ANY.
> However, I think that the restriction should be inherited, so that if
> CG1 is bound to e.g. 10.0.0.1, CG1/CG2 must be bound to the same
> address. But what would I do then with descendant cgroups? Leave them as
> is (breaking the inheritance)? Find them all and change their bound
> address behind their back (do we have an API for that?)?
>
Firstly, is inheritance necessary ?
If yes, then how about:
The root cgroup is read-only, so the tasks in it always bind to INADDR_ANY.
For other cgroups, write is allowed only if it has no children and the
parent is INADDR_ANY.
> I guess I have the same problem right now, anyway (only once instead of
> multiple times), so I'd really appreciate your input on this.
>
> Best regards,
> Grzegorz Nosek
>
>
next prev parent reply other threads:[~2009-01-07 8:36 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-01-06 23:05 [RFC][PATCH] IP address restricting cgroup subsystem Grzegorz Nosek
[not found] ` <20090106230554.GB25228-IaEwMO9oKu/77SC2UrCW1JJg/dWx8T/9@public.gmane.org>
2009-01-07 6:01 ` Li Zefan
[not found] ` <49644526.8030205-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2009-01-07 7:38 ` Grzegorz Nosek
2009-01-07 8:36 ` Li Zefan [this message]
2009-01-07 9:16 ` Grzegorz Nosek
2009-01-07 9:33 ` Li Zefan
2009-01-07 9:37 ` Grzegorz Nosek
2009-01-09 21:38 ` [Devel] " Paul Menage
2009-01-10 4:50 ` Li Zefan
2009-01-10 16:14 ` Paul Menage
2009-01-12 2:20 ` Li Zefan
2009-01-14 2:07 ` Paul Menage
2009-01-14 2:47 ` Li Zefan
2009-01-14 2:50 ` Paul Menage
2009-01-07 18:07 ` Serge E. Hallyn
[not found] ` <20090107180752.GA19153-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-01-07 19:15 ` Grzegorz Nosek
[not found] ` <20090107191536.GA15159-yp6mvK3Bdd2rDJvtcaxF/A@public.gmane.org>
2009-01-07 19:32 ` Serge E. Hallyn
[not found] ` <20090107193234.GA22625-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-01-08 12:43 ` Benny Amorsen
[not found] ` <20090109144122.GA9685@megiteam.pl>
[not found] ` <20090109162247.GA7925@us.ibm.com>
[not found] ` <20090109162247.GA7925-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-01-09 16:57 ` Grzegorz Nosek
2009-01-09 16:54 ` Dan Smith
[not found] ` <87priwifnu.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-01-09 17:43 ` Guenter Roeck
[not found] ` <20090109174334.GA4526-gvzKVTG1yJJBDgjK7y7TUQ@public.gmane.org>
2009-01-09 18:12 ` Dan Smith
[not found] ` <87ljtkic1j.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-01-09 22:37 ` Guenter Roeck
[not found] ` <20090109223756.GA22738-gvzKVTG1yJJBDgjK7y7TUQ@public.gmane.org>
2009-01-09 22:47 ` Serge E. Hallyn
[not found] ` <20090109224742.GA15227-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-01-09 23:37 ` Guenter Roeck
2009-01-09 18:30 ` Serge E. Hallyn
[not found] ` <20090109183046.GA14063-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-01-13 16:23 ` Dan Smith
2009-01-09 21:58 ` [Devel] " Paul Menage
[not found] ` <6599ad830901091358m11effdbegeff6cbb7ee28e262-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-01-10 11:20 ` Grzegorz Nosek
[not found] ` <20090110112009.GA12336-yp6mvK3Bdd2rDJvtcaxF/A@public.gmane.org>
2009-01-10 16:21 ` Paul Menage
[not found] ` <6599ad830901100821q2c943d38i314c00f7db51b4f0-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-01-11 0:25 ` Benny Amorsen
2009-01-11 10:19 ` Grzegorz Nosek
[not found] ` <20090111101946.GA14325-yp6mvK3Bdd2rDJvtcaxF/A@public.gmane.org>
2009-01-14 2:21 ` Paul Menage
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49646993.6080802@cn.fujitsu.com \
--to=lizf@cn.fujitsu.com \
--cc=containers@lists.osdl.org \
--cc=netdev@vger.kernel.org \
--cc=root@localdomain.pl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.