From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
To: mzxreary@0pointer.de
Cc: alan@lxorguk.ukuu.org.uk, dave@gnu.org, hch@infradead.org,
hughd@google.com, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
kay.sievers@vrfy.org
Subject: Re: [RFC PATCH] tmpfs: support user quotas
Date: Mon, 07 Nov 2011 14:15:07 -0800 [thread overview]
Message-ID: <4EB8586B.5060804@jp.fujitsu.com> (raw)
In-Reply-To: <20111107143010.GA3630@tango.0pointer.de>
(11/7/2011 6:30 AM), Lennart Poettering wrote:
> On Mon, 07.11.11 13:58, Alan Cox (alan@lxorguk.ukuu.org.uk) wrote:
>
>>
>>> Right, rlimit approach guarantees a simple way of dealing with users
>>> across all tmpfs instances.
>>
>> Which is almost certainly not what you want to happen. Think about direct
>> rendering.
>
> I don't see what direct rendering has to do with closing the security
> hole that /dev/shm currently is.
>
>> For simple stuff tmpfs already supports size/nr_blocks/nr_inodes mount
>> options so you can mount private resource constrained tmpfs objects
>> already without kernel changes. No rlimit hacks needed - and rlimit is
>> the wrong API anyway.
>
> Uh? I am pretty sure we don't want to mount a private tmpfs for each
> user in /dev/shm and /tmp. If you have 500 users you'd have 500 tmpfs on
> /tmp and on /dev/shm. Despite that without some ugly namespace hackery
> you couldn't make them all appear in /tmp as /dev/shm without
> subdirectories. Don't forget that /dev/shm and /tmp are an established
> userspace API.
>
> Resource limits are exactly the API that makes sense here, because:
>
> a) we only want one tmpfs on /tmp, and one tmpfs on /dev/shm, not 500 on
> each for each user
Ok, seems fair.
> b) we cannot move /dev/shm, /tmp around without breaking userspace
> massively
agreed.
>
> c) we want a global limit across all tmpfs file systems for each user
Why? Is there any benefit this?
> d) we don't want to have to upload the quota database into each tmpfs at
> mount time.
>
> And hence: a per user RLIMIT is exactly the minimal solution we want
> here.
If you want per-user limitation, RLIMIT is bad idea. RLIMIT is only inherited
by fork. So, The api semantics clearly mismatch your usecase.
Instead, I suggest to implement new sysfs knob.
Thank you.
WARNING: multiple messages have this Message-ID (diff)
From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
To: mzxreary@0pointer.de
Cc: alan@lxorguk.ukuu.org.uk, dave@gnu.org, hch@infradead.org,
hughd@google.com, akpm@linux-foundation.org,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
kay.sievers@vrfy.org
Subject: Re: [RFC PATCH] tmpfs: support user quotas
Date: Mon, 07 Nov 2011 14:15:07 -0800 [thread overview]
Message-ID: <4EB8586B.5060804@jp.fujitsu.com> (raw)
In-Reply-To: <20111107143010.GA3630@tango.0pointer.de>
(11/7/2011 6:30 AM), Lennart Poettering wrote:
> On Mon, 07.11.11 13:58, Alan Cox (alan@lxorguk.ukuu.org.uk) wrote:
>
>>
>>> Right, rlimit approach guarantees a simple way of dealing with users
>>> across all tmpfs instances.
>>
>> Which is almost certainly not what you want to happen. Think about direct
>> rendering.
>
> I don't see what direct rendering has to do with closing the security
> hole that /dev/shm currently is.
>
>> For simple stuff tmpfs already supports size/nr_blocks/nr_inodes mount
>> options so you can mount private resource constrained tmpfs objects
>> already without kernel changes. No rlimit hacks needed - and rlimit is
>> the wrong API anyway.
>
> Uh? I am pretty sure we don't want to mount a private tmpfs for each
> user in /dev/shm and /tmp. If you have 500 users you'd have 500 tmpfs on
> /tmp and on /dev/shm. Despite that without some ugly namespace hackery
> you couldn't make them all appear in /tmp as /dev/shm without
> subdirectories. Don't forget that /dev/shm and /tmp are an established
> userspace API.
>
> Resource limits are exactly the API that makes sense here, because:
>
> a) we only want one tmpfs on /tmp, and one tmpfs on /dev/shm, not 500 on
> each for each user
Ok, seems fair.
> b) we cannot move /dev/shm, /tmp around without breaking userspace
> massively
agreed.
>
> c) we want a global limit across all tmpfs file systems for each user
Why? Is there any benefit this?
> d) we don't want to have to upload the quota database into each tmpfs at
> mount time.
>
> And hence: a per user RLIMIT is exactly the minimal solution we want
> here.
If you want per-user limitation, RLIMIT is bad idea. RLIMIT is only inherited
by fork. So, The api semantics clearly mismatch your usecase.
Instead, I suggest to implement new sysfs knob.
Thank you.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2011-11-07 22:15 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-11-06 21:15 [RFC PATCH] tmpfs: support user quotas Davidlohr Bueso
2011-11-06 21:15 ` Davidlohr Bueso
2011-11-06 22:10 ` Lennart Poettering
2011-11-06 22:10 ` Lennart Poettering
2011-11-07 7:31 ` Christoph Hellwig
2011-11-07 7:31 ` Christoph Hellwig
2011-11-07 11:29 ` Lennart Poettering
2011-11-07 11:29 ` Lennart Poettering
2011-11-07 14:20 ` Davidlohr Bueso
2011-11-07 14:20 ` Davidlohr Bueso
2011-11-07 13:58 ` Alan Cox
2011-11-07 13:58 ` Alan Cox
2011-11-07 14:27 ` Kay Sievers
2011-11-07 14:27 ` Kay Sievers
2011-11-07 22:53 ` Alan Cox
2011-11-07 22:53 ` Alan Cox
2011-11-07 22:57 ` Glauber Costa
2011-11-07 22:57 ` Glauber Costa
2011-11-07 23:07 ` Lennart Poettering
2011-11-07 23:07 ` Lennart Poettering
2011-11-07 23:43 ` Alan Cox
2011-11-07 23:43 ` Alan Cox
2011-11-08 0:25 ` Lennart Poettering
2011-11-08 0:25 ` Lennart Poettering
2011-11-08 0:46 ` Alan Cox
2011-11-08 0:46 ` Alan Cox
2011-11-07 14:30 ` Lennart Poettering
2011-11-07 14:30 ` Lennart Poettering
2011-11-07 22:15 ` KOSAKI Motohiro [this message]
2011-11-07 22:15 ` KOSAKI Motohiro
2011-11-07 22:37 ` Kay Sievers
2011-11-07 22:37 ` Kay Sievers
2011-11-08 0:33 ` KOSAKI Motohiro
2011-11-08 0:33 ` KOSAKI Motohiro
2011-11-07 23:01 ` Alan Cox
2011-11-07 23:01 ` Alan Cox
2011-11-07 9:11 ` Valdis.Kletnieks
2011-11-07 14:49 ` Davidlohr Bueso
2011-11-07 14:49 ` Davidlohr Bueso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4EB8586B.5060804@jp.fujitsu.com \
--to=kosaki.motohiro@jp.fujitsu.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=dave@gnu.org \
--cc=hch@infradead.org \
--cc=hughd@google.com \
--cc=kay.sievers@vrfy.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mzxreary@0pointer.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.