From: Marian Marinov <mm-108MBtLGafw@public.gmane.org>
To: Davidlohr Bueso <davidlohr-VXdhtT5mjnY@public.gmane.org>
Cc: manfred-nhLOkwUX5cPe2c5cEj3t2g@public.gmane.org,
Greg KH
<gregkh-hQyY1W1yCW8ekmWlsbkhG0B+6BGkLq7r@public.gmane.org>,
Linux Containers
<containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org>,
"linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org,
n-horiguchi-PaJj6Psr51x8UrSeD/g0lQ@public.gmane.org
Subject: Re: [PATCH] IPC initialize shmmax and shmall from the current value not the default
Date: Sun, 04 May 2014 12:29:08 +0300
Message-ID: <53660864.2070908@1h.com>
In-Reply-To: <1399166450.2573.15.camel-5JQ4ckphU/8SZAcGdq5asR6epYMZPwEe5NbjCUgZEJk@public.gmane.org>

On 05/04/2014 04:20 AM, Davidlohr Bueso wrote:
> On Sun, 2014-05-04 at 03:28 +0300, Marian Marinov wrote:
>> On 05/04/2014 02:53 AM, Davidlohr Bueso wrote:
>>> On Sun, 2014-05-04 at 01:48 +0300, Marian Marinov wrote:
>>>> When we are creating a new IPC namespace that should be cloned from the current namespace it is a good idea to copy the
>>>> values of the current shmmax and shmall to the new namespace.
>>>
>>> Why is this a good idea?
>>>
>>> This would break userspace that relies on the current behavior.
>>> Furthermore we've recently changed the default value of both these
>>> limits to be as large as you can get, thus deprecating them. I don't
>>> like the idea of this being replaced by namespaces.
>>>
>>> Thanks,
>>> Davidlohr
>>>
>>
>> The current behavior is create_ipc_ns()->shm_init_ns()
>>
>> void shm_init_ns(struct ipc_namespace *ns)
>> {
>> 	ns->shm_ctlmax = SHMMAX;
>> 	ns->shm_ctlall = SHMALL;
>> 	ns->shm_ctlmni = SHMMNI;
>> 	ns->shm_rmid_forced = 0;
>> 	ns->shm_tot = 0;
>> 	ipc_init_ids(&shm_ids(ns));
>> }
>>
>> This means that whenever you are creating an IPC namespace it gets its SHMMAX and SHMALL values from the defaults for
>> the kernel.
>
> This is exactly what I meant by 'current behavior'.
>
>> If for some reason you want to have a smaller (or bigger, for older kernels) limit, this means changing the values in
>> /proc/sys/kernel/shmmax and /proc/sys/kernel/shmall. However, the program that is started with the new IPC namespace may
>> lack privileges to write to these files and so it cannot modify them.
>
> I see no reason why namespaces should behave any different than the rest
> of the system, wrt this. And this changes how *and* when these limits
> are set, which impacts at a userspace level with no justification.
>
>> What I'm proposing is simply to copy the current values of the host machine, as set by a privileged process before the
>> namespace creation.
>>
>> Maybe a better approach would be to allow the changes to be done by processes having CAP_SYS_RESOURCE inside the new
>> namespace?
>
> Why do you need this? Is there any real impact/issue you're seeing?
>
I'm using Linux Containers and I need to be able to either start containers with a different SHMMAX or set a different
SHMMAX on already running containers without giving them full root access.
-Marian
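
An added example, not part of the original message or of the kernel tree: a C check of the behaviour discussed above, which reads /proc/sys/kernel/shmmax in the current IPC namespace and again in a child that has unshared a new one, so the two values can be compared on a given kernel. The helper names (parse_limit, read_limit, probe_new_ipcns) are hypothetical, and the child needs CAP_SYS_ADMIN for the unshare call.

```c
/* Added example, not from the thread; helper names are hypothetical. */
#include <errno.h>
#include <linux/sched.h>   /* CLONE_NEWIPC */
#include <stdio.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#define SHMMAX_PATH "/proc/sys/kernel/shmmax"

/* Parse one decimal sysctl value such as "33554432\n" (constructed sample). */
int parse_limit(const char *text, unsigned long long *out) {
    char *end;
    if (*text < '0' || *text > '9') return -1;   /* reject sign, space, empty */
    errno = 0;
    *out = strtoull(text, &end, 10);
    return (errno || (*end != '\n' && *end != '\0')) ? -1 : 0;
}
int read_limit(const char *path, unsigned long long *out) {
    char buf[64] = "";
    FILE *f = fopen(path, "r");
    if (!f || !fgets(buf, sizeof buf, f)) { if (f) fclose(f); return -1; }
    fclose(f);
    return parse_limit(buf, out);
}
/* 0: both values filled; -1: I/O failure; -2: unshare failed (e.g. no CAP_SYS_ADMIN). */
int probe_new_ipcns(unsigned long long *cur, unsigned long long *fresh) {
    int fd[2], st = 0;
    if (read_limit(SHMMAX_PATH, cur) || pipe(fd)) return -1;
    pid_t pid = fork();
    if (pid == 0) {  /* child: enter a new IPC namespace, then re-read the limit */
        if (syscall(SYS_unshare, CLONE_NEWIPC)) _exit(2);
        if (read_limit(SHMMAX_PATH, fresh)) _exit(1);
        _exit(write(fd[1], fresh, sizeof *fresh) == (ssize_t)sizeof *fresh ? 0 : 1);
    }
    close(fd[1]);
    ssize_t n = pid > 0 ? read(fd[0], fresh, sizeof *fresh) : -1;
    close(fd[0]);
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    if (WEXITSTATUS(st) == 2) return -2;
    return (WEXITSTATUS(st) == 0 && n == (ssize_t)sizeof *fresh) ? 0 : -1;
}
int main(void) {
    unsigned long long cur = 0, fresh = 0;
    int rc = probe_new_ipcns(&cur, &fresh);
    if (rc) { fprintf(stderr, "probe failed (%d)\n", rc); return 1; }
    printf("current ns: %llu\nnew ns: %llu (%s)\n", cur, fresh, cur == fresh ? "same" : "differs");
    return 0;
}
```

Running it after a privileged process has written a non-default value to /proc/sys/kernel/shmmax shows whether a newly created namespace keeps that value or returns to the kernel default.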