From: Dhaval Giani <dhaval@linux.vnet.ibm.com>
To: Sudhir Kumar <skumar@linux.vnet.ibm.com>
Cc: Vivek Goyal <vgoyal@redhat.com>,
Kazunaga Ikeno <k-ikeno@ak.jp.nec.com>,
"'David Collier-Brown'" <davecb@sun.com>,
"'Peter Zijlstra'" <pzijlstr@redhat.com>,
"'Rik van Riel'" <riel@redhat.com>,
"'Thomas Graf'" <tgraf@redhat.com>,
"'linux kernel mailing list'" <linux-kernel@vger.kernel.org>,
"'Ulrich Drepper'" <drepper@redhat.com>,
"'Libcg Devel Mailing List'" <libcg-devel@lists.sourceforge.net>,
"'Morton Andrew Morton'" <akpm@linux-foundation.org>,
"'KAMEZAWA Hiroyuki'" <kamezawa.hiroyu@jp.fujitsu.com>
Subject: Re: [Libcg-devel] [RFC] How to handle the rules engine for cgroups
Date: Fri, 18 Jul 2008 13:42:53 +0530
Message-ID: <20080718081253.GD16453@linux.vnet.ibm.com>
In-Reply-To: <20080717170717.GA3718@linux.vnet.ibm.com>

On Thu, Jul 17, 2008 at 10:37:17PM +0530, Sudhir Kumar wrote:
> On Thu, Jul 17, 2008 at 09:47:36AM -0400, Vivek Goyal wrote:
> > On Thu, Jul 17, 2008 at 04:05:17PM +0900, Kazunaga Ikeno wrote:
> > > Vivek Goyal wrote:
> > > > On Mon, Jul 14, 2008 at 10:44:43AM -0400, David Collier-Brown wrote:
> > > > > Vivek Goyal wrote:
> > > > >> If admin has decided to group applications and has written the rules for
> > > > >> it then applications should not know anything about grouping. So I think
> > > > >> application writing an script for being placed into the right group should
> > > > >> be out of question. Now how does an admin write a wrapper around existing
> > > > >> application without breaking anything else.
> > > > >
> > > > > In the Solaris world, processes are placed into cgroups (projects) by
> > > > > one of two mechanisms:
> > > > >
> > > > > 1) inheritance, with everything I create in my existing project.
> > > > > To get this started, there is a mechanism under login/getty/whatever
> > > > > reading the /etc/projects file and, for example, tossing user davecb
> > > > > into a "user.davecb" project.
> > > > >
> > > >
> > > > Placing the login sessions in right cgroup based on uid/gid rules is
> > > > probably easy as check needs to be placed only on system entry upon login
> > > > (Pam plugin should do). And after that any job started by the user
> > > > will automatically start in the same cgroup.
> > > >
> > > > > 2) explicit placement with newtask, which starts a program or moves
> > > > > a process into a project/cgroup
> > > > >
> > > >
> > > > explicit placement of task based on application type will be tricky.
> > > >
> > > > > I have a "bg" project which I use for limiting resource consumption of
> > > > > background jobs, and a background command which either starts or moves
> > > > > jobs, thusly:
> > > > >
> > > > > case "$1" in
> > > > > [0-9]*) # It's a pid
> > > > > newtask -p bg -c $1
> > > >
> > > > Ok, this is moving of tasks from one cgroup to other based on pid. This
> > > > is really easy to do through cgroup file system. Just a matter of writing
> > > > to task file.
> > > >
> > > > > ;;
> > > > > *) # It's a command-line
> > > > > newtask -p bg "$@" &
> > > > > ;;
> > > >
> > > > So here a user explicitly invokes the wrapper passing it the targeted
> > > > cgroup and the application to be launched in that cgroup. This should work
> > > > if there is a facility if user has created its own cgroups (let's say
> > > > under user controlled cgroup dir in the hierarchy) and user explicitly
> > > > wants to control the resources of applications under its dir. For example,
> > > >
> > > >                /mnt/cgroup
> > > >                |         |
> > > >              gid1       gid2
> > > >             |    |     |    |
> > > >           uid1  uid2  uid3  uid4
> > > >           |  |
> > > >       proj1  proj2
> > > >
> > > > Here probably admin can write the rules for how users are allocated the
> > > > resources and give ability to users to create subdirs under their cgroups
> > > > where users can create more cgroups and can do their own resource
> > > > management based on application tasks and place applications in the right
> > > > cgroup by writing wrappers as mentioned by you "newtask".
> > > >
> > > > But here there is no discrimination of application type by admin. Admin
> > > > controls resource divisions only based on uid/gid. And users can manage
> > > > applications within their user groups. In fact I am having hard time thinking
> > > > in what kind of scenarios, there is a need for an admin to control
> > > > resource based on application type? Do we really need setups like, on
> > > > a system databases should get network bandwidth of 30%. If yes, then
> > > > it becomes tricky where admin need to write a wrapper to place the task
> > > > in right cgroup without application/user knowing it.
> > >
> > > I think a wrapper (move to right group and calls exec) will run by user, not by admin.
> > > In explicit placement, user knows what a type of application he/she launch.
> > >
> > >                /mnt/cgroup
> > >                |         |
> > >              gid1       gid2
> > >             |    |     |    |
> > >           uid1  uid2  uid3  uid4
> > >           |  |
> > >       proj1  proj2
> > >
> >
> > This is the easy to handle situation and I am hoping it will work in many
> > of the cases.
>
> This solution seems ok but this looks only one part of the story. Here
> the top level hierarchy is again user based(gid/uid). What if admin
> wants to manage the system resources per application basis? Say a big
> server in a university is being shared by everyone in the university for
> only 3 applications
> 1. http server
> 2. browsing
> 3. computing
> In case the admin wants the system to be always available for computing,
> how should he utilize cgroups for managing the server resources among
> these applications ?
> Aren't such scenarios on the priority now?

We only have FS permissions to play around with. Therefore any hierarchy
we come up with will be uid/gid based. Such scenarios will be handled by
the administrator by ensuring the correct permissions are set for the
cgroup.
>
> >
> > Currently I am writing a patch for libcg which allows querying the
> > destination cgroup based on uid/gid and libcg will also migrate the
> > application there. I am also writing a pam plugin which will move
> > all the login sessions to respective cgroup (as mentioned by rule file).
> > Will also modify "init" so that all the system services go into cgroup
> > belonging to root.
> >
> > Once user is logged in and running into his resource group, he can manage
> > further subgroups at his own based on his application requirements (as you
> > mentioned proj1 and proj2 here).
> >
> > > [uid1/gid1]% newtask.sh proj1app
> > > ... proj1app run under /mnt/cgroup/gid1/uid1
> > >
> >
> > Yes, so if a user does not specifically launch an application targeted
> > for a particular cgroup, then it will run into default group for that
> > user (as specified by rule file). In this case under /mnt/cgroup/gid1/uid1.
> So in this user based approach if admin wants to run 4 major
> applications each one requiring say 15% cpu he needs to create 4
> different gids? Creation of a user account just for running an
> application does not look very flexible to me.
>
A lot of daemons run as specific users. Also it's not a good idea to run
daemons/servers as root users. They should run as users who have limited
privileges. With such a model in place, Vivek's comments make sense and
might be the right way to go ahead.
Thanks,
--
regards,
Dhaval
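
The message above rests cgroup placement entirely on file permissions, so whoever can write a cgroup's `tasks` file can move a process into it. The following added example (not part of the original message or of libcg) audits a tree for that. It assumes a policy the thread does not spell out: each `tasks` file is writable only by its owner and is owned by the owner of its cgroup directory. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a cgroup tree whose only access control is file
# permissions. Assumed policy: "tasks" is writable by its owner only, and
# is owned by whoever owns the cgroup directory that contains it.

# Print the numeric uid that owns a path (POSIX ls, no GNU stat needed).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# audit_cgroup_tree ROOT
# Prints one finding per line; prints nothing when the tree matches the policy.
audit_cgroup_tree() {
    root=$1
    find "$root" -type f -name tasks | sort | while IFS= read -r tasks; do
        dir=${tasks%/tasks}
        # Anyone able to write "tasks" can move a pid into this cgroup.
        if [ -n "$(find "$tasks" -perm -0002)" ]; then
            echo "WORLD-WRITABLE $tasks"
        elif [ -n "$(find "$tasks" -perm -0020)" ]; then
            echo "GROUP-WRITABLE $tasks"
        fi
        if [ "$(owner_uid "$tasks")" != "$(owner_uid "$dir")" ]; then
            echo "OWNER-MISMATCH $tasks"
        fi
    done
}

# Constructed sample tree mirroring the thread's gid/uid/proj layout.
# These are plain files in a temp dir, not a real cgroup mount.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    for cg in gid1 gid1/uid1 gid1/uid1/proj1 gid1/uid2 gid2/uid3; do
        mkdir -p "$base/$cg" && : > "$base/$cg/tasks" && chmod 0644 "$base/$cg/tasks"
    done
    chmod 0666 "$base/gid1/uid2/tasks"   # misconfigured: any user may join
    chmod 0664 "$base/gid2/uid3/tasks"   # misconfigured: whole group may join
    echo "$base"
}

# Stand-alone use: pass the root of the hierarchy to audit.
if [ $# -gt 0 ]; then
    audit_cgroup_tree "$1"
fi
```

Run it with the hierarchy root as the only argument, for example the `/mnt/cgroup` mount point used in the thread.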