From: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org,
Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>,
James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
Subject: Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Tue, 3 May 2016 11:52:22 +1000 [thread overview]
Message-ID: <57280456.1090106@suse.de> (raw)
In-Reply-To: <20160502160604.GR7822-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
>> Change the mode of the cgroup directory for each cgroup association,
>> allowing the process to create subtrees and modify the limits of the
>> subtrees *without* allowing the process to modify its own limits. Due to
>> the cgroup core restrictions and unix permission model, this allows for
>> processes to create new subtrees without breaking the cgroup limits for
>> the process.
>
> I don't get why this is necessary. What's wrong with the parent
> setting up permission correctly for the namespace?
The parent setting this up requires either:
1. A privileged process giving the process write access to the cgroup
directory it is currently in. Since no software does this by default,
and in addition it might not always make sense (systemd doesn't like
processes messing around in their respective cgroups), this has to be
dealt with better.
2. The process itself is a privileged process, which is not the usecase
I'm going for with rootless containers. If you have root, you can do
whatever you want in this regard and this feature doesn't affect you.
The main reason for this patchset is because I would like to make sure
that unprivileged processes can take advantage of cgroup features (such
as the freezer cgroup, and to just do regular resource limiting). Since
cgroups are a hierarchy, I can see no fundamental reason why this is not
possible. And the cgroup namespace appears to be the perfect way of
doing it. I firmly believe there is a simple and safe way of allowing
unprivileged processes to create subtrees of their current cgroup.
However, I agree with James that this patchset isn't ideal (it was my
first rough attempt). I think I'll get to work on properly virtualising
/sys/fs/cgroup, which will allow for a new cgroup namespace to modify
subtrees (but without allowing for cgroup escape) -- by pinning what pid
namespace the cgroup was created under. We can use the same type of
virtualization that /proc does (except instead of selectively showing
the dentries, we selectively show different owners of the dentries).
Would that be acceptable?
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
next prev parent reply other threads:[~2016-05-03 1:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-02 14:01 [PATCH v3 0/2] cgroup: allow management of subtrees by new cgroup namespaces Aleksa Sarai
[not found] ` <1462197681-6879-1-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 14:01 ` [PATCH v3 1/2] cgroup: apply common ancestor cgroup.procs restriction in cgroupv1 Aleksa Sarai
[not found] ` <1462197681-6879-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 16:03 ` Tejun Heo
2016-05-03 1:44 ` Aleksa Sarai
2016-05-02 14:01 ` [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces Aleksa Sarai
2016-05-02 16:06 ` Tejun Heo
[not found] ` <20160502160604.GR7822-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-05-03 1:52 ` Aleksa Sarai [this message]
[not found] ` <57280456.1090106-l3A5Bk7waGM@public.gmane.org>
2016-05-03 15:55 ` Tejun Heo
[not found] ` <20160503155511.GA7110-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-05-04 9:58 ` Aleksa Sarai
2016-05-09 14:04 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57280456.1090106@suse.de \
--to=asarai-l3a5bk7wagm@public.gmane.org \
--cc=James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org \
--cc=dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org \
--cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).