From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Paris Subject: Re: [PATCH v4 0/3] Send audit/procinfo/cgroup data in socket-level control message Date: Wed, 15 Jan 2014 18:21:43 -0500 Message-ID: <1389828103.681.34.camel@flatline.rdu.redhat.com> References: <1377614400-27122-1-git-send-email-jkaluza@redhat.com> <1389600109-30739-1-git-send-email-jkaluza@redhat.com> <20140115.121730.1984913330507219167.davem@davemloft.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Cc: jkaluza-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, rgb-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org, netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, viro-RmSDqhL/yNMiFSDQTTA3OLVCufUGDwFn@public.gmane.org, tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org To: David Miller Return-path: In-Reply-To: <20140115.121730.1984913330507219167.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org Errors-To: containers-bounces-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org List-Id: netdev.vger.kernel.org On Wed, 2014-01-15 at 12:17 -0800, David Miller wrote: > From: Jan Kaluza > Date: Mon, 13 Jan 2014 09:01:46 +0100 > > > Changes introduced in this patchset can also increase performance > > of such server-like processes, because current way of opening and > > parsing /proc/$PID/* files is much more expensive than receiving these > > metadata using SCM. > > The problem with this line of reasoning is that these changes will > hurt everyone else, because these new control messages are sent > unconditionally, whether the application is interested in them or not. > > I really don't like this cost tradeoff, it's terrible, and therefore > I'm really not inclined to apply these patches, sorry. Agreed. Although you seem to be ignoring the part of the logic where is solves a problem that can not be solved today. > The current practice to retrieve such process metadata is to look that > information up in procfs with the $PID received over SCM_CREDENTIALS. > This is sufficient for long-running tasks, but introduces a race which > cannot be worked around for short-living processes; the calling > process and all the information in /proc/$PID/ is gone before the > receiver of the socket message can look it up. Reliably being able to audit what process requested an action is extremely useful. And I like the audit patch, as it is a couple of ints we are storing. procinfo and cgroup can both be up to 4k of data. Is there an alternative he should consider? Some way to grab a reference on task_struct and just attach that to the message?