From: Andrew Vagin <avagin@odin.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Andrey Vagin <avagin@openvz.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
Andrew Morton <akpm@linux-foundation.org>,
Cyrill Gorcunov <gorcunov@openvz.org>,
Pavel Emelyanov <xemul@parallels.com>,
Roger Luethi <rl@hellgate.ch>, Arnd Bergmann <arnd@arndb.de>,
Arnaldo Carvalho de Melo <acme@kernel.org>,
David Ahern <dsahern@gmail.com>,
Pavel Odintsov <pavel.odintsov@gmail.com>
Subject: Re: [PATCH 0/24] kernel: add a netlink interface to get information about processes (v2)
Date: Tue, 7 Jul 2015 18:43:46 +0300
Message-ID: <20150707154345.GA1593@odin.com>
In-Reply-To: <CALCETrVg5AyeXW_AGguFoGCPK9_2zeobEgT9JJFsakH6PyQf_A@mail.gmail.com>
On Mon, Jul 06, 2015 at 10:10:32AM -0700, Andy Lutomirski wrote:
> On Mon, Jul 6, 2015 at 1:47 AM, Andrey Vagin <avagin@openvz.org> wrote:
> > Currently we use the proc file system, where all information is
> > presented in text files, which is convenient for humans. But if we need
> > to get information about processes from code (e.g. in C), the procfs
> > doesn't look so cool.
> >
> > From code we would prefer to get information in binary format and to be
> > able to specify which information and for which tasks are required. Here
> > is a new interface with all these features, which is called task_diag.
> > In addition it's much faster than procfs.
> >
> > task_diag is based on netlink sockets and looks like socket-diag, which
> > is used to get information about sockets.
>
> I think I like this in principle, but I can see a few potential
> problems with using netlink for this:
>
> 1. Netlink very naturally handles net namespaces, but it doesn't
> naturally handle any other kind of namespace. In fact, the taskstats
> code that you're building on has highly broken user and pid namespace
> support. (Look for some obviously useless init_user_ns and
> init_pid_ns references. But that's only the obvious problem. That
> code calls current_user_ns() and task_active_pid_ns(current) from
> .doit, which is, in turn, called from sys_write, and looking at
> current's security state from sys_write is a big no-no.)
>
> You could partially fix it by looking at f_cred's namespaces, but that
> would be a change of what it means to create a netlink socket, and I'm
> not sure that's a good idea.

If I'm not missing something, all problems around pidns and userns are
related to multicast functionality. task_diag is using a
request/response scheme and doesn't send multicast packets.

>
> 2. These look like generally useful interfaces, which means that
> people might want to use them in common non-system software, which
> means that some of that software might get run inside of sandboxes
> (Sandstorm, xdg-app, etc.) Sandboxes like that might block netlink
> outright, since it can't be usefully filtered by seccomp. (This isn't
> really the case now, since netlink route queries are too common, but
> still.)
>
> 3. Netlink is a bit tedious to use from userspace. Especially for
> things like task_diag, which are really just queries that generate
> single replies.

I don't understand this point. Could you elaborate? I thought
netlink was designed for such purposes (not only for them, but for them
too).

There are two features of netlink which are used.

The netlink interface allows a response to be split into a few packets if
it's too big to be transferred in one iteration.

And I want to mention the "Memory mapped netlink I/O" functionality, which
can be used to speed up task_diag.

>
> Would it make more sense to have a new syscall instead? You could
> even still use nlattr formatting for the syscall results.

Andy, thank you for the feedback. I got your points. I need time to
think about them. I suppose that a new syscall can be more suitable in
this case, and I need time to form a vision of it. If you have any ideas
or thoughts, I would be glad to know about them.

Thanks,
Andrew

>
> --Andy
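The request/response and split-reply behaviour discussed above, as an added example that is not part of this thread or of the task_diag patches: a C consumer that walks one recv() worth of a netlink dump reply with the NLMSG_* macros from linux/netlink.h, skips messages whose sequence number is not its own, and tells NLMSG_DONE, NLMSG_ERROR and a truncated message apart. DEMO_REC_TYPE, struct task_rec and put_msg are hypothetical placeholders constructed for the demo, not task_diag's real message type, attributes or API.

```c
#include <string.h>
#include <linux/netlink.h>

#define DEMO_REC_TYPE 0x20  /* hypothetical message type for one task record */
struct task_rec { __u32 pid; __u32 tgid; };  /* hypothetical record payload */

/* Consume one recv() worth of a dump-style reply.  Messages whose seq is not
 * ours (another request's reply, a multicast event) are skipped.  Returns the
 * records in this chunk, -1 on NLMSG_ERROR, -2 on a truncated message; *done
 * is set once NLMSG_DONE is seen, until then the caller must recv() again. */
int consume_chunk(char *buf, int len, __u32 seq, int *done)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    int count = 0; *done = 0;
    for (; NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_seq != seq) continue;
        if (nlh->nlmsg_type == NLMSG_DONE) { *done = 1; return count; }
        if (nlh->nlmsg_type == NLMSG_ERROR)     /* nlmsgerr.error is -errno */
            return ((struct nlmsgerr *)NLMSG_DATA(nlh))->error ? -1 : count;
        if (nlh->nlmsg_type != DEMO_REC_TYPE ||
            NLMSG_PAYLOAD(nlh, 0) < sizeof(struct task_rec)) return -2;
        count++;
    }
    return len > 0 ? -2 : count;  /* leftover bytes: a header did not fit */
}

/* Builder used only to fabricate sample "kernel" replies for the demo. */
int put_msg(char *buf, int cap, int *off, __u16 type, __u32 seq, const void *p, int plen)
{
    struct nlmsghdr *nlh = (struct nlmsghdr *)(buf + *off);
    if (*off + (int)NLMSG_SPACE(plen) > cap) return 0;
    memset(nlh, 0, NLMSG_SPACE(plen));
    nlh->nlmsg_len = NLMSG_LENGTH(plen); nlh->nlmsg_type = type;
    nlh->nlmsg_flags = NLM_F_MULTI;      nlh->nlmsg_seq = seq;
    if (plen) memcpy(NLMSG_DATA(nlh), p, plen);
    *off += NLMSG_SPACE(plen);
    return 1;
}

/* Constructed scenario: the reply to seq 7 is split over two recv() chunks. */
int demo_two_chunks(void)
{
    char c1[128], c2[64]; int o1 = 0, o2 = 0, done, total, n;
    struct task_rec a = {100, 100}, b = {101, 100};
    put_msg(c1, sizeof c1, &o1, DEMO_REC_TYPE, 7, &a, sizeof a);
    put_msg(c1, sizeof c1, &o1, DEMO_REC_TYPE, 7, &b, sizeof b);
    put_msg(c2, sizeof c2, &o2, NLMSG_DONE, 7, NULL, 0);
    if ((total = consume_chunk(c1, o1, 7, &done)) < 0 || done) return -1;
    if ((n = consume_chunk(c2, o2, 7, &done)) < 0 || !done) return -1;
    return total + n;   /* 2 records, dump terminated cleanly */
}
```

A real client would loop on recv() until *done is set, which is exactly the multi-packet case the reply above refers to; a dump that ends without NLMSG_DONE should be treated as incomplete rather than as a short result.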