From: Srivatsa Vaddagiri <vatsa@in.ibm.com>
To: Paul Jackson <pj@sgi.com>
Cc: Herbert Poetzl <herbert@13thfloor.at>,
ebiederm@xmission.com, menage@google.com,
ckrm-tech@lists.sourceforge.net, linux-kernel@vger.kernel.org,
xemul@sw.ru, winget@google.com, containers@lists.osdl.org,
akpm@linux-foundation.org
Subject: Re: [ckrm-tech] [PATCH 0/2] resource control file system - aka containers on top of nsproxy!
Date: Mon, 12 Mar 2007 19:31:48 +0530 [thread overview]
Message-ID: <20070312140148.GA10450@in.ibm.com> (raw)
In-Reply-To: <20070309140603.b2b162c6.pj@sgi.com>
On Fri, Mar 09, 2007 at 02:06:03PM -0800, Paul Jackson wrote:
> > if you create a 'resource container' to limit the
> > usage of a set of resources for the processes
> > belonging to this container, it would be kind of
> > defeating the purpose, if you'd allow the processes
> > to manipulate their limits, no?
>
> Wrong - this is not the only way.
>
> For instance in cpusets, -any- task in the system, regardless of what
> cpuset it is currently assigned to, might be able to manipulate -any-
> cpuset in the system.
>
> Yes -- some sufficient mechanism is required to keep tasks from
> escalating their resources or capabilities beyond an allowed point.
>
> But that mechanism might not be strictly based on position in some
> hierarchy.
>
> In the case of cpusets, it is based on the permissions on files in
> the cpuset file system (normally mounted at /dev/cpuset), versus
> the current priviledges and capabilities of the task.
>
> A root priviledged task in the smallest leaf node cpuset can manipulate
> every cpuset in the system. This is an ordinary and common occurrence.
This assumes that you can see the global vfs namespace right?
What if you are inside a container/vserver which restricts your vfs
namespace? i.e /dev/cpusets seen from one container is not same as what
is seen from another container ..Is that a unrealistic scenario? IMHO
not so. This in-fact lets vservers and containers to work with each
other. So:
/dev/cpuset
|- C1 <- Container A bound to this
| |- C11
| |- C12
|
|- C2 <- Container B bound to this
|- C21
|- C22
C1 and C2 are two exclusive cpusets and containers/vservers A and B are bound
to C1/C2 respectively.
>From inside container/vserver A, if you were to look at /dev/cpuset, it will
-appear- as if you are in the top cpuset (with just C11 and C12 child
cpusets). It cannot modify C2 at all (since it has no visibility).
Similarly if you were to look at /dev/cpuset from inside B, it will list only
C21/C22 with tasks in container B not being able to see C1 at all.
:)
--
Regards,
vatsa
next prev parent reply other threads:[~2007-03-12 13:54 UTC|newest]
Thread overview: 125+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-01 13:35 [PATCH 0/2] resource control file system - aka containers on top of nsproxy! Srivatsa Vaddagiri
2007-03-01 13:45 ` [PATCH 1/2] rcfs core patch Srivatsa Vaddagiri
2007-03-01 16:31 ` Serge E. Hallyn
2007-03-01 16:46 ` Srivatsa Vaddagiri
2007-03-02 5:06 ` [ckrm-tech] " Balbir Singh
2007-03-03 9:38 ` Srivatsa Vaddagiri
2007-03-08 3:12 ` Eric W. Biederman
2007-03-08 9:10 ` Paul Menage
2007-03-09 0:38 ` Herbert Poetzl
2007-03-09 9:07 ` Kirill Korotaev
2007-03-09 13:29 ` Herbert Poetzl
2007-03-09 17:57 ` Srivatsa Vaddagiri
2007-03-10 1:19 ` Herbert Poetzl
2007-03-11 16:36 ` Serge E. Hallyn
2007-03-12 23:16 ` Herbert Poetzl
2007-03-08 10:13 ` Srivatsa Vaddagiri
2007-03-09 0:48 ` Herbert Poetzl
2007-03-09 2:35 ` Paul Jackson
2007-03-09 9:23 ` Kirill Korotaev
2007-03-09 9:38 ` Paul Jackson
2007-03-09 13:21 ` Herbert Poetzl
2007-03-11 17:09 ` Kirill Korotaev
2007-03-12 23:00 ` Herbert Poetzl
2007-03-13 8:28 ` Kirill Korotaev
2007-03-13 13:55 ` Herbert Poetzl
2007-03-13 14:11 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-13 15:52 ` Herbert Poetzl
2007-03-09 18:14 ` Srivatsa Vaddagiri
2007-03-09 19:25 ` Paul Jackson
2007-03-10 1:00 ` Herbert Poetzl
2007-03-10 1:31 ` Paul Jackson
2007-03-10 0:56 ` Herbert Poetzl
2007-03-09 16:16 ` Serge E. Hallyn
2007-03-01 13:50 ` [PATCH 2/2] cpu_accounting controller Srivatsa Vaddagiri
2007-03-01 19:39 ` [PATCH 0/2] resource control file system - aka containers on top of nsproxy! Paul Jackson
2007-03-02 15:45 ` Kirill Korotaev
2007-03-02 16:52 ` Andrew Morton
2007-03-02 17:25 ` Kirill Korotaev
2007-03-03 17:45 ` Herbert Poetzl
2007-03-03 21:22 ` Paul Jackson
2007-03-05 17:47 ` Srivatsa Vaddagiri
2007-03-03 9:36 ` Srivatsa Vaddagiri
2007-03-03 10:21 ` Paul Jackson
2007-03-05 17:02 ` Srivatsa Vaddagiri
2007-03-03 17:32 ` Herbert Poetzl
2007-03-05 17:34 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-05 18:39 ` Herbert Poetzl
2007-03-06 10:39 ` Srivatsa Vaddagiri
2007-03-06 13:28 ` Herbert Poetzl
2007-03-06 16:21 ` Srivatsa Vaddagiri
2007-03-07 2:32 ` Paul Menage
2007-03-07 17:30 ` Srivatsa Vaddagiri
2007-03-07 17:29 ` Paul Menage
2007-03-07 17:52 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-07 17:32 ` Srivatsa Vaddagiri
2007-03-07 17:43 ` Serge E. Hallyn
2007-03-07 17:46 ` Paul Menage
2007-03-07 23:16 ` Eric W. Biederman
2007-03-08 11:39 ` Srivatsa Vaddagiri
2007-03-07 18:00 ` Srivatsa Vaddagiri
2007-03-07 20:58 ` Serge E. Hallyn
2007-03-07 21:20 ` Paul Menage
2007-03-07 21:59 ` Serge E. Hallyn
2007-03-07 22:13 ` Dave Hansen
2007-03-07 23:13 ` Eric W. Biederman
2007-03-12 14:11 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-07 22:32 ` Eric W. Biederman
2007-03-07 23:18 ` Paul Menage
2007-03-08 0:35 ` Sam Vilain
2007-03-08 0:42 ` Paul Menage
2007-03-08 0:53 ` Sam Vilain
2007-03-08 0:58 ` [ckrm-tech] " Paul Menage
2007-03-08 1:32 ` Eric W. Biederman
2007-03-08 1:35 ` Paul Menage
2007-03-08 2:25 ` Eric W. Biederman
2007-03-09 0:56 ` Herbert Poetzl
2007-03-09 0:53 ` Herbert Poetzl
2007-03-09 18:19 ` Srivatsa Vaddagiri
2007-03-09 19:36 ` Paul Jackson
2007-03-09 21:52 ` Herbert Poetzl
2007-03-09 22:06 ` Paul Jackson
2007-03-12 14:01 ` Srivatsa Vaddagiri [this message]
2007-03-12 15:15 ` Srivatsa Vaddagiri
2007-03-12 20:26 ` Paul Jackson
2007-03-09 4:30 ` Paul Jackson
2007-03-08 2:47 ` Sam Vilain
2007-03-08 2:57 ` Paul Menage
2007-03-08 3:32 ` Sam Vilain
2007-03-08 6:10 ` Matt Helsley
2007-03-08 6:44 ` Eric W. Biederman
2007-03-09 1:06 ` Herbert Poetzl
2007-03-10 9:06 ` Sam Vilain
2007-03-11 21:15 ` Paul Jackson
2007-03-12 9:35 ` Sam Vilain
2007-03-12 10:00 ` Paul Menage
2007-03-12 23:21 ` Herbert Poetzl
2007-03-13 2:25 ` Paul Menage
2007-03-13 15:57 ` Herbert Poetzl
2007-03-09 4:37 ` Paul Jackson
2007-03-08 6:32 ` Eric W. Biederman
2007-03-08 9:10 ` Paul Menage
2007-03-09 16:50 ` Serge E. Hallyn
2007-03-22 14:08 ` Srivatsa Vaddagiri
2007-03-22 14:39 ` Serge E. Hallyn
2007-03-22 14:56 ` Srivatsa Vaddagiri
2007-03-09 4:27 ` Paul Jackson
2007-03-10 8:52 ` Sam Vilain
2007-03-10 9:11 ` Paul Jackson
2007-03-09 16:34 ` Srivatsa Vaddagiri
2007-03-09 16:41 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-09 22:09 ` Paul Menage
2007-03-10 2:02 ` Srivatsa Vaddagiri
2007-03-10 3:19 ` [ckrm-tech] " Srivatsa Vaddagiri
2007-03-12 15:07 ` Srivatsa Vaddagiri
2007-03-12 15:56 ` Serge E. Hallyn
2007-03-12 16:20 ` Srivatsa Vaddagiri
2007-03-12 17:25 ` Serge E. Hallyn
2007-03-12 21:15 ` Sam Vilain
2007-03-12 23:31 ` Herbert Poetzl
2007-03-13 2:22 ` Srivatsa Vaddagiri
2007-03-08 0:50 ` Sam Vilain
2007-03-08 11:30 ` Srivatsa Vaddagiri
2007-03-09 1:16 ` Herbert Poetzl
2007-03-09 18:41 ` Srivatsa Vaddagiri
2007-03-10 2:03 ` Herbert Poetzl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20070312140148.GA10450@in.ibm.com \
--to=vatsa@in.ibm.com \
--cc=akpm@linux-foundation.org \
--cc=ckrm-tech@lists.sourceforge.net \
--cc=containers@lists.osdl.org \
--cc=ebiederm@xmission.com \
--cc=herbert@13thfloor.at \
--cc=linux-kernel@vger.kernel.org \
--cc=menage@google.com \
--cc=pj@sgi.com \
--cc=winget@google.com \
--cc=xemul@sw.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox