* [PATCH 1/1] user namespaces: document CFS behavior
@ 2008-12-08 21:52 Serge E. Hallyn
From: Serge E. Hallyn @ 2008-12-08 21:52 UTC
To: James Morris; +Cc: lkml, Eric W. Biederman, Michael Kerrisk, Dhaval Giani
Documented the currently bogus state of support for CFS user groups with
user namespaces. In particular, all users in a user namespace should be
children of the user which created the user namespace. This is yet to
be implemented.
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Acked-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
---
Documentation/scheduler/sched-design-CFS.txt | 21 +++++++++++++++++++++
kernel/user.c | 8 +++++++-
2 files changed, 28 insertions(+), 1 deletions(-)
diff --git a/Documentation/scheduler/sched-design-CFS.txt b/Documentation/scheduler/sched-design-CFS.txt
index eb471c7..8398ca4 100644
--- a/Documentation/scheduler/sched-design-CFS.txt
+++ b/Documentation/scheduler/sched-design-CFS.txt
@@ -273,3 +273,24 @@ task groups and modify their CPU share using the "cgroups" pseudo filesystem.
# #Launch gmplayer (or your favourite movie player)
# echo <movie_player_pid> > multimedia/tasks
+
+8. Implementation note: user namespaces
+
+User namespaces are intended to be hierarchical. But they are currently
+only partially implemented. Each of those has ramifications for CFS.
+
+First, since user namespaces are hierarchical, the /sys/kernel/uids
+presentation is inadequate. Eventually we will likely want to use sysfs
+tagging to provide private views of /sys/kernel/uids within each user
+namespace.
+
+Second, the hierarchical nature is intended to support completely
+unprivileged use of user namespaces. So if using user groups, then
+we want the users in a user namespace to be children of the user
+who created it.
+
+That is currently unimplemented. So instead, every user in a new
+user namespace will receive 1024 shares just like any user in the
+initial user namespace. Note that at the moment creation of a new
+user namespace requires each of CAP_SYS_ADMIN, CAP_SETUID, and
+CAP_SETGID.
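Review bot: the new section 8 leaves the sysfs consequence implicit. Since the kernel/user.c change in this same patch stops creating /sys/kernel/uids/<uid>/cpu_share for users in a non-initial user namespace, the 1024 shares those users receive cannot be adjusted at all, which is a stronger statement than "/sys/kernel/uids presentation is inadequate"; say so in the "That is currently unimplemented" paragraph, e.g. "... receive 1024 shares, and have no cpu_share file through which those shares can be changed." Also "Each of those has ramifications for CFS" has no clear antecedent (presumably the hierarchical design and the partial implementation); name them. The closing capability sentence is the security-relevant one and should state why it matters: until users in a namespace are accounted as children of the creator, every new uid in a namespace competes as a full 1024-share peer of the initial namespace's users, so namespace creation must stay gated on CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID until the hierarchy is implemented.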
diff --git a/kernel/user.c b/kernel/user.c
index 6c924bc..6608a3d 100644
--- a/kernel/user.c
+++ b/kernel/user.c
@@ -239,7 +239,13 @@ static struct kobj_type uids_ktype = {
.release = uids_release,
};
-/* create /sys/kernel/uids/<uid>/cpu_share file for this user */
+/*
+ * Create /sys/kernel/uids/<uid>/cpu_share file for this user
+ * We do not create this file for users in a user namespace (until
+ * sysfs tagging is implemented).
+ *
+ * See Documentation/scheduler/sched-design-CFS.txt for ramifications.
+ */
static int uids_user_create(struct user_struct *up)
{
struct kobject *kobj = &up->kobj;
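Review bot: the rewritten comment asserts a behaviour ("We do not create this file for users in a user namespace") that this hunk does not show and that the diffstat (8 insertions, 1 deletion, all comment lines) does not add; if the user-namespace check already exists in the body of uids_user_create() or in its caller, point the comment at it, otherwise the comment promises a policy the code does not enforce and the section 8 text in the documentation hunk becomes wrong. Minor: "until sysfs tagging is implemented" is a deferred item and would be easier to find later with an explicit TODO marker, and the first comment line lacks a trailing period.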
--
1.5.4.3
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: James Morris @ 2008-12-08 22:27 UTC
To: Serge E. Hallyn; +Cc: lkml, Eric W. Biederman, Michael Kerrisk, Dhaval Giani
On Mon, 8 Dec 2008, Serge E. Hallyn wrote:
> Documented the currently bogus state of support for CFS user groups with
> user namespaces. In particular, all users in a user namespace should be
> children of the user which created the user namespace. This is yet to
> be implemented.
>
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> Acked-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
>
> Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Applied.
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: Serge E. Hallyn @ 2008-12-08 22:44 UTC
To: James Morris; +Cc: lkml, Eric W. Biederman, Michael Kerrisk, Dhaval Giani
Quoting James Morris (jmorris@namei.org):
> On Mon, 8 Dec 2008, Serge E. Hallyn wrote:
>
> > Documented the currently bogus state of support for CFS user groups with
> > user namespaces. In particular, all users in a user namespace should be
> > children of the user which created the user namespace. This is yet to
> > be implemented.
> >
> > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> > Acked-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
> >
> > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
>
> Applied.
Thanks, James.
-serge
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: Ingo Molnar @ 2008-12-09 2:45 UTC
To: James Morris, Peter Zijlstra
Cc: Serge E. Hallyn, lkml, Eric W. Biederman, Michael Kerrisk,
Dhaval Giani
* James Morris <jmorris@namei.org> wrote:
> On Mon, 8 Dec 2008, Serge E. Hallyn wrote:
>
> > Documented the currently bogus state of support for CFS user groups with
> > user namespaces. In particular, all users in a user namespace should be
> > children of the user which created the user namespace. This is yet to
> > be implemented.
> >
> > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
> > Acked-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
> >
> > Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
>
> Applied.
hm, i'd rather carry these in the scheduler tree as we've got some
changes in this area already and because these are arguably scheduler
changes:
Documentation/scheduler/sched-design-CFS.txt | 21 +++++++++++++++++++++
kernel/user.c | 8 +++++++-
the incompleteness of CONFIG_USER_SCHED is not addressed yet.
Ok?
Ingo
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: James Morris @ 2008-12-09 9:05 UTC
To: Ingo Molnar
Cc: Peter Zijlstra, Serge E. Hallyn, lkml, Eric W. Biederman,
Michael Kerrisk, Dhaval Giani
On Tue, 9 Dec 2008, Ingo Molnar wrote:
> hm, i'd rather carry these in the scheduler tree as we've got some
> changes in this area already and because these are arguably scheduler
> changes:
>
> Documentation/scheduler/sched-design-CFS.txt | 21 +++++++++++++++++++++
> kernel/user.c | 8 +++++++-
>
> the incompleteness of CONFIG_USER_SCHED is not addressed yet.
>
> Ok?
They're already published in my tree. Do you want me to revert them?
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: Ingo Molnar @ 2008-12-09 10:08 UTC
To: James Morris
Cc: Peter Zijlstra, Serge E. Hallyn, lkml, Eric W. Biederman,
Michael Kerrisk, Dhaval Giani
* James Morris <jmorris@namei.org> wrote:
> On Tue, 9 Dec 2008, Ingo Molnar wrote:
>
> > hm, i'd rather carry these in the scheduler tree as we've got some
> > changes in this area already and because these are arguably scheduler
> > changes:
> >
> > Documentation/scheduler/sched-design-CFS.txt | 21 +++++++++++++++++++++
> > kernel/user.c | 8 +++++++-
> >
> > the incompleteness of CONFIG_USER_SCHED is not addressed yet.
> >
> > Ok?
>
> They're already published in my tree. Do you want me to revert them?
I've also got it published :-/ If it's at the tail of your commits, can
you reset it?
Ingo
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: James Morris @ 2008-12-09 10:15 UTC
To: Ingo Molnar
Cc: Peter Zijlstra, Serge E. Hallyn, lkml, Eric W. Biederman,
Michael Kerrisk, Dhaval Giani
On Tue, 9 Dec 2008, Ingo Molnar wrote:
> > They're already published in my tree. Do you want me to revert them?
>
> I've also got it published :-/ If it's at the tail of your commits, can
> you reset it?
There have been commits since, and people are using the tree in any case.
- James
--
James Morris
<jmorris@namei.org>
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: Serge E. Hallyn @ 2008-12-09 16:16 UTC
To: James Morris
Cc: Ingo Molnar, Peter Zijlstra, lkml, Eric W. Biederman,
Michael Kerrisk, Dhaval Giani
Quoting James Morris (jmorris@namei.org):
> On Tue, 9 Dec 2008, Ingo Molnar wrote:
>
> > > They're already published in my tree. Do you want me to revert them?
> >
> > I've also got it published :-/ If it's at the tail of your commits, can
> > you reset it?
>
> There have been commits since, and people are using the tree in any case.
Yikes. Maybe it's best (henceforth) to keep user namespaces patches in
their own tree toward the end of linux-next? There certainly are
security implications with all of them, but other things (filesystem,
sched) will be impacted as well...
Sorry.
-serge
* Re: [PATCH 1/1] user namespaces: document CFS behavior
From: Ingo Molnar @ 2008-12-12 11:06 UTC
To: Serge E. Hallyn
Cc: James Morris, Peter Zijlstra, lkml, Eric W. Biederman,
Michael Kerrisk, Dhaval Giani
* Serge E. Hallyn <serue@us.ibm.com> wrote:
> Quoting James Morris (jmorris@namei.org):
> > On Tue, 9 Dec 2008, Ingo Molnar wrote:
> >
> > > > They're already published in my tree. Do you want me to revert them?
> > >
> > > I've also got it published :-/ If it's at the tail of your commits, can
> > > you reset it?
> >
> > There have been commits since, and people are using the tree in any case.
>
> Yikes. Maybe it's best (henceforth) to keep user namespaces patches in
> their own tree toward the end of linux-next? There certainly are
> security implications with all of them, but other things (filesystem,
> sched) will be impacted as well...
i'm fine with having this in James's tree - i didn't realize that you had
another commit that created dependencies.
(if such situations ever cause real damage then we can always create a
separate branch to track it cleanly. That's not needed now.)
Ingo