From: Waiman Long <longman@redhat.com> To: "Michal Koutný" <mkoutny@suse.com>, cgroups@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Tejun Heo <tj@kernel.org>, Zefan Li <lizefan.x@bytedance.com>, Johannes Weiner <hannes@cmpxchg.org> Subject: Re: [RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task Date: Thu, 23 Jun 2022 14:44:33 -0400 [thread overview] Message-ID: <ab4bcd51-83c5-ae21-ddf6-607a31a7d6ac@redhat.com> (raw) In-Reply-To: <20220623124944.2753-1-mkoutny@suse.com> On 6/23/22 08:49, Michal Koutný wrote: > When we migrate a task between two cgroups, one of the checks is a > verification that we can modify task's scheduler settings > (cap_task_setscheduler()). > > An implicit migration occurs also when enabling a controller on the > unified hierarchy (think of parent to child migration). The > aforementioned check may be problematic if the caller of the migration > (enabling a controller) has no permissions over migrated tasks. > For instance, user's cgroup that ends up running a process of a > different user. Although cgroup permissions are configured favorably, > the enablement fails due to the foreign process [1]. > > Change the behavior by relaxing the permissions check on the unified > hierarchy (or in v2 mode). This is in accordance with unified hierarchy > attachment behavior when permissions of the source to target cgroups are > decisive whereas the migrated task is opaque (for contrast, see more > restrictive check in __cgroup1_procs_write()). > > [1] https://github.com/systemd/systemd/issues/18293#issuecomment-831205649 > > Reasons for RFC: > > 1) The unified hierarchy attachment behavior -- is that the > right/consented model that migrated objects don't matter? > > 2) If 1) is true, have I missed any danger in allowing cpuset'ing a > possibly privileged processes? That could be an issue. > 2.2) cpuset may be in v2 mode even on v1 hierarchy with different > migration control rules (but checking migratee's creds in v1 > eliminates effect of this patch). > > 3) Alternative approach would be to allow cpuset migrations only when > nothing effectively changes (which is the case for parent->child > migration upon controller enablement). What do you mean by nothing effectively changes? > > 4) This is just idea draft, not tested in the real case. Since the check is done on a taskset level, if only one of the tasks in the taskset fails, the whole taskset fails. Maybe we should consider an option for task based migration. So all the tasks that can be migrated will be migrated and the rests will be left behind in the original cpuset. Just a thought. Cheers, Longman
WARNING: multiple messages have this Message-ID (diff)
From: Waiman Long <longman-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> To: "Michal Koutný" <mkoutny-IBi9RG/b67k@public.gmane.org>, cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org, linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Cc: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>, Zefan Li <lizefan.x-EC8Uxl6Npydl57MIdRCFDg@public.gmane.org>, Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org> Subject: Re: [RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task Date: Thu, 23 Jun 2022 14:44:33 -0400 [thread overview] Message-ID: <ab4bcd51-83c5-ae21-ddf6-607a31a7d6ac@redhat.com> (raw) In-Reply-To: <20220623124944.2753-1-mkoutny-IBi9RG/b67k@public.gmane.org> On 6/23/22 08:49, Michal Koutný wrote: > When we migrate a task between two cgroups, one of the checks is a > verification that we can modify task's scheduler settings > (cap_task_setscheduler()). > > An implicit migration occurs also when enabling a controller on the > unified hierarchy (think of parent to child migration). The > aforementioned check may be problematic if the caller of the migration > (enabling a controller) has no permissions over migrated tasks. > For instance, user's cgroup that ends up running a process of a > different user. Although cgroup permissions are configured favorably, > the enablement fails due to the foreign process [1]. > > Change the behavior by relaxing the permissions check on the unified > hierarchy (or in v2 mode). This is in accordance with unified hierarchy > attachment behavior when permissions of the source to target cgroups are > decisive whereas the migrated task is opaque (for contrast, see more > restrictive check in __cgroup1_procs_write()). > > [1] https://github.com/systemd/systemd/issues/18293#issuecomment-831205649 > > Reasons for RFC: > > 1) The unified hierarchy attachment behavior -- is that the > right/consented model that migrated objects don't matter? > > 2) If 1) is true, have I missed any danger in allowing cpuset'ing a > possibly privileged processes? That could be an issue. > 2.2) cpuset may be in v2 mode even on v1 hierarchy with different > migration control rules (but checking migratee's creds in v1 > eliminates effect of this patch). > > 3) Alternative approach would be to allow cpuset migrations only when > nothing effectively changes (which is the case for parent->child > migration upon controller enablement). What do you mean by nothing effectively changes? > > 4) This is just idea draft, not tested in the real case. Since the check is done on a taskset level, if only one of the tasks in the taskset fails, the whole taskset fails. Maybe we should consider an option for task based migration. So all the tasks that can be migrated will be migrated and the rests will be left behind in the original cpuset. Just a thought. Cheers, Longman
next prev parent reply other threads:[~2022-06-23 19:26 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-06-23 12:49 [RFC PATCH] cpuset: Allow setscheduler regardless of manipulated task Michal Koutný 2022-06-23 12:49 ` Michal Koutný 2022-06-23 18:44 ` Waiman Long [this message] 2022-06-23 18:44 ` Waiman Long 2022-06-24 12:43 ` Michal Koutný 2022-06-24 12:43 ` Michal Koutný 2022-06-25 4:20 ` Tejun Heo 2022-06-25 4:20 ` Tejun Heo
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=ab4bcd51-83c5-ae21-ddf6-607a31a7d6ac@redhat.com \ --to=longman@redhat.com \ --cc=cgroups@vger.kernel.org \ --cc=hannes@cmpxchg.org \ --cc=linux-kernel@vger.kernel.org \ --cc=lizefan.x@bytedance.com \ --cc=mkoutny@suse.com \ --cc=tj@kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.