From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeff Liu
Subject: Re: [RFC PATCH v1 0/4] cgroup quota
Date: Mon, 12 Mar 2012 15:11:11 +0800
Message-ID: <4F5DA18F.6040000@oracle.com>
References: <4F59E78A.7060903@oracle.com> <4F5C933F.3000409@parallels.com> <4F5C90DF.8070605@oracle.com> <4F5DC396.60701@parallels.com>
Reply-To: jeff.liu-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: jack-AlSwsSmVLrQ@public.gmane.org, Lezcano , Christopher Jones , Li Zefan ,
 xfs-VZNHf3L845pBDgjK7y7TUQ@public.gmane.org, Christoph Hellwig ,
 tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, Ben Myers ,
 Daniel-VZNHf3L845pBDgjK7y7TUQ@public.gmane.org,
 lxc-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org,
 "linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org" ,
 cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, Chris Mason ,
 tytso-DPNOqEs/LNQ@public.gmane.org
To: Glauber Costa
Return-path:
In-Reply-To: <4F5DC396.60701-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
Sender: cgroups-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
List-Id: linux-fsdevel.vger.kernel.org

On 03/12/2012 05:36 PM, Glauber Costa wrote:
> On 03/11/2012 03:47 PM, Jeff Liu wrote:
>> And also, if there has already a project quota limits enforced outsides
>> to a directly, but the user can still setup a smaller quota limits
>> through cgroup, those limits just mixed up, but the smaller quota only
>> be effected for those processes running at container.
>>
>>> >
>>> > What we really need here, is a way to have a privileged user inside a
>>> > container to create normal quotas (user, group) that he can configure,
>>> > and have this quota be always smaller than, say, a project quota defined
>>> > for the container from the outside. But cgroups is hardly the interface,
>>> > or place, for that: Usually, the processes inside the container won't
>>> > have access to their cgroups. They will contain the limits they are
>>> > entitled to, and we don't want the processes to change that at will. So
>>> > tying it to cgroups does not solve the fundamental problem, which is how
>>> > we have the container admin to set up quotas...
>> Sigh, exactly, I need some time to understand your opinions. Thanks
>> again.
>>
>>
>
> My take on this is that you should stick to the quota interface. It
> seems to work well enough for people out there. This means, how quotas
> are configured, viewed, etc, should work with standard tools.
>
> Now, we need some of those quotas to be tied to a particular mnt
> namespace (I believe namespaces to be the right isolation abstraction
> here, not cgroups), in the sense that they can only be active inside
> that mnt namespace. And then when you bill an inode, block, or anything
> else that quota limits, you bill it to any quota structure that is
> possibly interested in it.

I got started investigating how to isolate quota combined with namespaces
today, thanks for your timely suggestions, that sounds clearer to me.

-Jeff

> Right now the code bills it to one quota
> structure, the one that matches your UID, GID, etc (XFS may be a bit
> more skilled already here, I don't know)