From: Vivek Goyal <vgoyal@redhat.com>
To: Paul Menage <menage@google.com>
Cc: righi.andrea@gmail.com,
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>,
Balbir Singh <balbir@linux.vnet.ibm.com>,
linux kernel mailing list <linux-kernel@vger.kernel.org>,
Dhaval Giani <dhaval@linux.vnet.ibm.com>,
Kazunaga Ikeno <k-ikeno@ak.jp.nec.com>,
Morton Andrew Morton <akpm@linux-foundation.org>,
Thomas Graf <tgraf@redhat.com>,
Ulrich Drepper <drepper@redhat.com>
Subject: Re: [RFC] [PATCH -mm] cgroup: uid-based rules to add processes efficiently in the right cgroup
Date: Tue, 19 Aug 2008 08:57:10 -0400 [thread overview]
Message-ID: <20080819125710.GA18972@redhat.com> (raw)
In-Reply-To: <6599ad830808181405i3ec1f9fdp4d8ca7ab675b2c5f@mail.gmail.com>
On Mon, Aug 18, 2008 at 02:05:36PM -0700, Paul Menage wrote:
> On Sun, Aug 17, 2008 at 3:33 AM, Andrea Righi <righi.andrea@gmail.com> wrote:
> >
> > [ I wrote this patch for a "special purpose" environment, where a lot of
> > short-lived processes belonging to different users are spawned by
> > different daemons,
>
> What kinds of daemons are these? Is it not possible to add some
> libcgroup calls to these daemons?
>
> I'm reluctant to add features like this to the kernel side of cgroups
> due to their "magical" nature - any task that does a setuid() now
> risks being swept off into a different cgroup.
>
> Having the cgroup attachment done explicitly e.g. by a PAM library at
> login time is much less likely to cause unexpected behaviour.
>
> Maybe if we had a way to control which tasks the magical setuid
> switching occurs for, it might be more acceptable. (Perhaps base it on
> the cgroup of the task that's doing the setuid as well?
Hi Paul,
Same thing will happen if we implement the daemon in user space. A task
who does seteuid(), can be swept away to a different cgroup based on
rules specified in /etc/cgrules.conf.
What do you mean by risk? This is the policy set up by system admin and
behaviour would seem consistent as per the policy. If an admin decides
that tasks of user "apache" should run into /container/cpu/apache cgroup and
if a "root" tasks does seteuid(apache), then it manes sense to move task
to /container/cpu/apache.
Exactly what kind of scenario do you have in mind when you want the policy
to be enforced selectively based on task (tid)?
Thanks
Vivek
next prev parent reply other threads:[~2008-08-19 13:00 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-07-01 19:11 [RFC] How to handle the rules engine for cgroups Vivek Goyal
2008-07-02 9:33 ` Kazunaga Ikeno
2008-07-03 1:19 ` KAMEZAWA Hiroyuki
2008-07-03 15:54 ` Vivek Goyal
2008-07-04 0:34 ` KAMEZAWA Hiroyuki
2008-07-04 3:17 ` Li Zefan
2008-07-08 9:35 ` Balbir Singh
2008-07-08 13:45 ` Vivek Goyal
2008-07-10 9:23 ` Paul Menage
2008-07-10 14:30 ` Vivek Goyal
2008-07-10 15:42 ` Dhaval Giani
2008-07-10 16:51 ` Paul Menage
2008-07-10 14:48 ` Rik van Riel
2008-07-10 15:40 ` Vivek Goyal
2008-07-10 15:56 ` Ulrich Drepper
2008-07-10 17:25 ` Rik van Riel
2008-07-10 17:39 ` Ulrich Drepper
2008-07-10 18:41 ` Vivek Goyal
2008-07-10 22:29 ` Ulrich Drepper
2008-07-11 0:55 ` KAMEZAWA Hiroyuki
2008-07-14 13:57 ` Vivek Goyal
2008-07-14 14:44 ` David Collier-Brown
2008-07-14 15:21 ` Vivek Goyal
2008-07-17 7:05 ` Kazunaga Ikeno
2008-07-17 13:47 ` Vivek Goyal
[not found] ` <20080717170717.GA3718@linux.vnet.ibm.com>
2008-07-18 8:12 ` [Libcg-devel] " Dhaval Giani
2008-07-18 20:12 ` Vivek Goyal
2008-08-17 10:33 ` [RFC] [PATCH -mm] cgroup: uid-based rules to add processes efficiently in the right cgroup Andrea Righi
2008-08-18 12:35 ` Vivek Goyal
2008-08-19 14:35 ` righi.andrea
2008-08-18 21:05 ` Paul Menage
2008-08-19 12:57 ` Vivek Goyal [this message]
2008-08-26 0:54 ` Paul Menage
2008-08-26 13:41 ` Vivek Goyal
2008-08-26 14:35 ` Balbir Singh
2008-08-26 15:04 ` David Collier-Brown
2008-08-26 16:00 ` Vivek Goyal
2008-08-26 16:32 ` David Collier-Brown
2008-08-26 16:08 ` Vivek Goyal
2008-09-04 18:25 ` Paul Menage
2008-08-19 15:12 ` righi.andrea
2008-08-26 0:55 ` Paul Menage
2008-07-14 15:07 ` Re: [RFC] How to handle the rules engine for cgroups kamezawa.hiroyu
2008-07-10 9:07 ` Paul Menage
2008-07-10 14:06 ` Vivek Goyal
2008-07-10 16:41 ` Paul Menage
2008-07-10 17:19 ` Vivek Goyal
2008-07-10 17:27 ` [Libcg-devel] " Dhaval Giani
2008-07-10 14:33 ` Vivek Goyal
2008-07-10 16:46 ` Paul Menage
2008-07-10 17:18 ` [Libcg-devel] " Dhaval Giani
2008-07-10 17:30 ` Paul Menage
2008-07-10 17:44 ` Dhaval Giani
2008-07-10 15:49 ` Dhaval Giani
2008-07-18 9:52 ` KAMEZAWA Hiroyuki
2008-07-18 15:46 ` Paul Menage
2008-07-18 16:39 ` Balbir Singh
2008-07-18 18:55 ` Vivek Goyal
2008-07-18 23:05 ` kamezawa.hiroyu
2008-07-18 23:10 ` kamezawa.hiroyu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080819125710.GA18972@redhat.com \
--to=vgoyal@redhat.com \
--cc=akpm@linux-foundation.org \
--cc=balbir@linux.vnet.ibm.com \
--cc=dhaval@linux.vnet.ibm.com \
--cc=drepper@redhat.com \
--cc=k-ikeno@ak.jp.nec.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=menage@google.com \
--cc=righi.andrea@gmail.com \
--cc=tgraf@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).