From: Aleksa Sarai <asarai-l3A5Bk7waGM@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Li Zefan <lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org>,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org,
Aleksa Sarai <cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org>,
James Bottomley
<James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org>
Subject: Re: [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces
Date: Wed, 4 May 2016 19:58:26 +1000 [thread overview]
Message-ID: <5729C7C2.8000205@suse.de> (raw)
In-Reply-To: <20160503155511.GA7110-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
>> However, I agree with James that this patchset isn't ideal (it was my first
>> rough attempt). I think I'll get to work on properly virtualising
>> /sys/fs/cgroup, which will allow for a new cgroup namespace to modify
>> subtrees (but without allowing for cgroup escape) -- by pinning what pid
>> namespace the cgroup was created under. We can use the same type of
>> virtualization that /proc does (except instead of selectively showing the
>> dentries, we selectively show different owners of the dentries).
>>
>> Would that be acceptable?
>
> I'm still not sold on the idea. For better or worse, the permission
> model is mostly based on vfs and I don't want to deviate too much as
> that's likely to become confusing pretty quickly. If a sub-hierarchy
> is to be delegated, that's upto whomever is controlling cgroup
> hierarchy in the sub-domain. We can expand the perm checks to
> consider user namespaces but I'd like to avoid going beyond that.
As I mentioned in the other thread, I had another idea for a way to do
this (that was more complicated to implement, so I went with this
simpler patch first):
On unshare(), we create a new cgroup that is a child of the calling
process's current cgroup association (in all of the hierarchies,
obviously). The new cgroup directory (and contained files) are owned by
current_fs_{u,g}id(). The process is then moved into the cgroup, and the
root of the cgroup namespace is changed to be that cgroup. This way,
there would be no disparity between the VFS and cgroup permission model
-- there'll be a global view of the cgroup hierarchy that everyone
agrees on.
I had three concerns with this patch:
1. It would cause issues with the no internal process constraint of
cgroupv2. I spent some time trying to figure out how cgroupv2 would act
in this case (do all of the processes automatically get moved into new
subdirectories?), but couldn't figure it out. If it does move all of the
processes into the subdirectory, we'd have to make a sink cgroup as well
as the one for the namespace -- which then just becomes inefficient (you
have a cgroup that has no purpose from an administration perspective).
2. We'd have to come up with a way to make the name of the new cgroup
resistent to clashes (especially with cgroups already created by other
processes), which smacks of a suboptimal solution to the problem.
3. We'd be creating cgroups and attaching processes to the cgroups
without explicitly going through the VFS layer. This presumably means
that other parts of userspace might not get alerted properly to the
changes. I'm not really sure how we should deal with that, but it sounds
like it could cause problems for someone.
--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
next prev parent reply other threads:[~2016-05-04 9:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-02 14:01 [PATCH v3 0/2] cgroup: allow management of subtrees by new cgroup namespaces Aleksa Sarai
[not found] ` <1462197681-6879-1-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 14:01 ` [PATCH v3 1/2] cgroup: apply common ancestor cgroup.procs restriction in cgroupv1 Aleksa Sarai
[not found] ` <1462197681-6879-2-git-send-email-asarai-l3A5Bk7waGM@public.gmane.org>
2016-05-02 16:03 ` Tejun Heo
2016-05-03 1:44 ` Aleksa Sarai
2016-05-02 14:01 ` [PATCH v3 2/2] cgroup: allow management of subtrees by new cgroup namespaces Aleksa Sarai
2016-05-02 16:06 ` Tejun Heo
[not found] ` <20160502160604.GR7822-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-05-03 1:52 ` Aleksa Sarai
[not found] ` <57280456.1090106-l3A5Bk7waGM@public.gmane.org>
2016-05-03 15:55 ` Tejun Heo
[not found] ` <20160503155511.GA7110-qYNAdHglDFBN0TnZuCh8vA@public.gmane.org>
2016-05-04 9:58 ` Aleksa Sarai [this message]
2016-05-09 14:04 ` Aleksa Sarai
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5729C7C2.8000205@suse.de \
--to=asarai-l3a5bk7wagm@public.gmane.org \
--cc=James.Bottomley-d9PhHud1JfjCXq6kfMZ53/egYHeGw8Jk@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=cyphar-gVpy/LI/lHzQT0dZR+AlfA@public.gmane.org \
--cc=dev-IGmTWi+3HBZvNhPySn5qfx2eb7JE58TQ@public.gmane.org \
--cc=hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).