From: ebiederm@xmission.com (Eric W. Biederman)
To: Kirill Korotaev <dev@sw.ru>
Cc: Linus Torvalds <torvalds@osdl.org>,
Hubertus Franke <frankeh@watson.ibm.com>,
Dave Hansen <haveblue@us.ibm.com>, Greg KH <greg@kroah.com>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
"Serge E. Hallyn" <serue@us.ibm.com>,
Arjan van de Ven <arjan@infradead.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Cedric Le Goater <clg@fr.ibm.com>
Subject: Re: RFC [patch 13/34] PID Virtualization Define new task_pid api
Date: Thu, 02 Feb 2006 08:51:46 -0700 [thread overview]
Message-ID: <m1vevxu5bh.fsf@ebiederm.dsl.xmission.com> (raw)
In-Reply-To: <43E2249D.8060608@sw.ru> (Kirill Korotaev's message of "Thu, 02 Feb 2006 18:26:21 +0300")
Kirill Korotaev <dev@sw.ru> writes:
>>>In fact this is almost what OpenVZ does for half a year, both containers and
>>>VPIDs.
>>>But it is very usefull to see process tree from host system. To be able to use
>>>std tools to manage containers from host (i.e. ps, kill, top, etc.). So it is
>>>much more convinient to have 2 pids. One globally unique, and one for
> container.
>> There are two issues here.
>> 1) Monitoring. (ps, top etc)
>> 2) Control (kill).
>> For monitoring you might need to patch ps/top a little but it is doable
> without
>> 2 pids.
>> For kill it is extremely rude to kill processes inside of a nested pid space.
>> There are other solutions to the problem.
> it is not always good idea to fix the tools everytime new functionality is
> involved. why do you think there are no more tools except for ps,top,kill? will
> you fix it all?
No. In my implementation the nested pid space has one pid that essentially
looks like a threaded process. So ps and top can see that something is there
but you aren't spammed with all of the pids. In addition for top the cpu utilization
for all of the pids are shown for that one pid (just like the thread group leader of
on a threaded process). So there is no confusion.
If you want the detailed information you can either chroot to an environment
where the appropriate version of /proc is available. Or you can modify your
tools.
> Another example, when you have problems in your VPS it is very convinient to
> attach with strace/gdb/etc from the host. Will you patch it as well?
>
> OpenVZ big advantage is this ease of administering compared to VM approach and
> it is not good idea to forbid this. If you have broken VM you have problems, in
> OpenVZ you have control over VPSs.
>
>> It is undesireable to make it too easy to communicate through the barrier
> because
>> then applications may start to take advantage of it and then depend on
>> it and you will have lost the isolation that the container gives you.
> in OpenVZ we have VPSs fully isolated between each other.
> But host system has access to some of VPS resources such as files, processes,
> etc. I understand your concern which is related to checkpointing, yeah?
There areas.
1) Checkpointing.
2) Isolation for security purposes.
There may be secrets that the sysadmin should not have access to.
3) Nesting of containers, (so they are general purpose and not special hacks).
The vserver way of solving some of these problems is to provide a way
to enter the guest. I would rather have some explicit operation that puts
you into the guest context so there is a single point where we can tackle
the nested security issues, than to have hundreds of places we have to
look at individually.
Eric
next prev parent reply other threads:[~2006-02-02 15:53 UTC|newest]
Thread overview: 136+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-17 14:32 RFC [patch 00/34] PID Virtualization Overview Serge Hallyn
2006-01-17 14:32 ` RFC [patch 01/34] PID Virtualization Change pid accesses: drivers Serge Hallyn
2006-01-17 14:33 ` RFC [patch 02/34] PID Virtualization Change pid accesses: most archs Serge Hallyn
2006-01-17 14:33 ` RFC [patch 03/34] PID Virtualization Change pid accesses: filesystems Serge Hallyn
2006-01-17 14:33 ` RFC [patch 04/34] PID Virtualization Change pid accesses: include/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 05/34] PID Virtualization Change pid accesses: ipc Serge Hallyn
2006-01-17 14:33 ` RFC [patch 06/34] PID Virtualization Change pid accesses: kernel/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 07/34] PID Virtualization Change pid accesses: lib/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 08/34] PID Virtualization Change pid accesses: mm/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 09/34] PID Virtualization Change pid accesses: net/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 10/34] PID Virtualization Change pid accesses: security/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 11/34] PID Virtualization Change pid accesses: sound/ Serge Hallyn
2006-01-17 14:33 ` RFC [patch 12/34] PID Virtualization Change pid accesses: ia64 and mips Serge Hallyn
2006-01-17 14:33 ` RFC [patch 13/34] PID Virtualization Define new task_pid api Serge Hallyn
2006-01-17 15:32 ` Arjan van de Ven
2006-01-17 15:56 ` Serge E. Hallyn
2006-01-17 16:02 ` Arjan van de Ven
2006-01-17 16:03 ` Alan Cox
2006-01-17 17:16 ` Kyle Moffett
2006-01-17 17:25 ` Dave Hansen
2006-01-18 4:54 ` Greg KH
2006-01-18 4:55 ` Greg KH
2006-01-18 16:23 ` Dave Hansen
2006-01-20 17:00 ` Eric W. Biederman
2006-01-20 20:18 ` Hubertus Franke
2006-01-21 10:25 ` Eric W. Biederman
2006-01-23 18:38 ` Hubertus Franke
2006-01-23 18:48 ` Eric W. Biederman
2006-01-21 14:42 ` Eric W. Biederman
2006-01-22 6:43 ` Kyle Moffett
2006-01-22 15:48 ` Eric W. Biederman
2006-01-22 15:55 ` Arjan van de Ven
2006-01-22 16:24 ` Eric W. Biederman
2006-01-26 20:01 ` Herbert Poetzl
2006-01-27 9:04 ` Eric W. Biederman
2006-01-27 12:27 ` Kyle Moffett
2006-01-27 13:15 ` Eric W. Biederman
2006-01-23 18:50 ` Hubertus Franke
2006-01-23 19:28 ` Eric W. Biederman
2006-01-23 21:11 ` Alan Cox
2006-01-23 21:30 ` Eric W. Biederman
2006-01-23 22:15 ` Hubertus Franke
2006-01-24 6:56 ` Arjan van de Ven
2006-01-24 19:34 ` Eric W. Biederman
2006-01-24 21:09 ` Hubertus Franke
2006-01-24 0:22 ` Alan Cox
2006-01-24 19:26 ` Eric W. Biederman
2006-01-24 21:11 ` Alan Cox
2006-01-24 21:15 ` Arjan van de Ven
2006-01-25 9:58 ` Eric W. Biederman
2006-01-25 15:10 ` Trond Myklebust
2006-01-25 18:01 ` Eric W. Biederman
2006-01-25 19:30 ` Trond Myklebust
2006-01-25 21:59 ` Eric W. Biederman
2006-01-25 9:13 ` Eric W. Biederman
2006-01-25 9:51 ` Eric W. Biederman
2006-01-26 20:23 ` Herbert Poetzl
2006-01-27 8:28 ` Eric W. Biederman
[not found] ` <m1k6cqlmfe.fsf_-_@ebiederm.dsl.xmission.com>
2006-01-23 21:57 ` RFC: [PATCH] pids as weak references Dave Hansen
2006-01-31 21:02 ` RFC [patch 13/34] PID Virtualization Define new task_pid api Linus Torvalds
2006-02-01 0:01 ` Hubertus Franke
2006-02-01 4:18 ` Eric W. Biederman
2006-02-01 4:39 ` Linus Torvalds
2006-02-01 7:14 ` Eric W. Biederman
2006-02-01 16:41 ` Dave Hansen
2006-02-02 5:14 ` Herbert Poetzl
2006-02-01 16:29 ` Greg
2006-02-01 16:44 ` Eric W. Biederman
2006-02-02 13:50 ` Greg
2006-02-02 14:09 ` Eric W. Biederman
2006-02-02 14:48 ` Kirill Korotaev
2006-02-02 15:13 ` Eric W. Biederman
2006-02-02 15:26 ` Kirill Korotaev
2006-02-02 15:51 ` Eric W. Biederman [this message]
2006-02-02 16:05 ` Kirill Korotaev
2006-02-02 16:27 ` Eric W. Biederman
2006-02-02 21:32 ` Cedric Le Goater
2006-02-02 21:43 ` Hubertus Franke
2006-02-02 21:46 ` Eric W. Biederman
2006-02-03 10:07 ` Kirill Korotaev
2006-02-03 10:52 ` Kirill Korotaev
2006-02-03 11:09 ` Eric W. Biederman
2006-02-03 15:45 ` Dave Hansen
2006-02-03 16:35 ` Kirill Korotaev
2006-02-02 21:10 ` Cedric Le Goater
2006-02-02 21:24 ` Eric W. Biederman
2006-02-06 20:15 ` Pavel Machek
2006-02-06 20:34 ` Eric W. Biederman
2006-02-06 20:36 ` Kirill Korotaev
2006-02-06 20:40 ` Eric W. Biederman
2006-02-02 14:49 ` Kirill Korotaev
2006-01-17 14:33 ` RFC [patch 14/34] PID Virtualization const parameter for process group Serge Hallyn
2006-01-17 14:33 ` RFC [patch 15/34] PID Virtualization task virtual pid access functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 16/34] PID Virtualization return virtual pids where required Serge Hallyn
2006-01-17 14:33 ` RFC [patch 17/34] PID Virtualization return virtual process group ids Serge Hallyn
2006-01-17 14:33 ` RFC [patch 18/34] PID Virtualization code enhancements for virtual pids in /proc Serge Hallyn
2006-01-17 14:33 ` RFC [patch 19/34] PID Virtualization Define pid_to_vpid functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 20/34] PID Virtualization Use pid_to_vpid conversion functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 21/34] PID Virtualization file owner pid virtualization Serge Hallyn
2006-01-17 14:33 ` RFC [patch 22/34] PID Virtualization define vpid_to_pid functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 23/34] PID Virtualization Use " Serge Hallyn
2006-01-17 14:33 ` RFC [patch 24/34] PID Virtualization use vpgid_to_pgid function Serge Hallyn
2006-01-17 14:33 ` RFC [patch 25/34] PID Virtualization Context for pid_to_vpid conversition functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 26/34] PID Virtualization Documentation Serge Hallyn
2006-01-17 14:33 ` RFC [patch 27/34] PID Virtualization pidspace Serge Hallyn
2006-01-17 14:33 ` RFC [patch 28/34] PID Virtualization container object and functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 29/34] PID Virtualization container attach/detach calls Serge Hallyn
2006-01-17 14:33 ` RFC [patch 30/34] PID Virtualization /proc/container filesystem Serge Hallyn
2006-01-17 14:33 ` RFC [patch 31/34] PID Virtualization Implementation of low level virtualization functions Serge Hallyn
2006-01-17 14:33 ` RFC [patch 32/34] PID Virtualization Handle special case vpid return cases Serge Hallyn
2006-01-17 14:33 ` RFC [patch 33/34] PID Virtualization per container /proc filesystem Serge Hallyn
2006-01-17 14:33 ` RFC [patch 34/34] PID Virtualization pidspace parent : signal behavior Serge Hallyn
2006-01-17 16:19 ` RFC [patch 00/34] PID Virtualization Overview Suleiman Souhlal
2006-01-17 17:08 ` Dave Hansen
2006-01-17 18:09 ` Suleiman Souhlal
2006-01-17 18:12 ` Dave Hansen
2006-01-17 18:29 ` Alan Cox
2006-01-18 19:01 ` Dave Hansen
2006-01-18 19:28 ` Arjan van de Ven
2006-01-18 19:38 ` Dave Hansen
2006-01-18 19:50 ` Arjan van de Ven
2006-01-18 22:54 ` Alan Cox
2006-01-19 7:15 ` Arjan van de Ven
2006-01-20 5:11 ` Eric W. Biederman
2006-01-20 20:23 ` Serge E. Hallyn
2006-01-20 20:33 ` Hubertus Franke
2006-01-21 10:34 ` Eric W. Biederman
2006-01-20 19:53 ` RFC: Multiple instances of kernel namespaces Eric W. Biederman
2006-01-20 20:13 ` Serge E. Hallyn
2006-01-20 20:22 ` Hubertus Franke
[not found] ` <20060120203555.GC13265@sergelap.austin.ibm.com>
2006-01-20 21:47 ` Hubertus Franke
2006-01-21 10:04 ` Eric W. Biederman
2006-01-26 19:47 ` Herbert Poetzl
2006-01-26 20:13 ` Eric W. Biederman
2006-01-26 20:27 ` Herbert Poetzl
2006-01-21 10:31 ` RFC [patch 00/34] PID Virtualization Overview Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1vevxu5bh.fsf@ebiederm.dsl.xmission.com \
--to=ebiederm@xmission.com \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=clg@fr.ibm.com \
--cc=dev@sw.ru \
--cc=frankeh@watson.ibm.com \
--cc=greg@kroah.com \
--cc=haveblue@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=serue@us.ibm.com \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).