Hello, Aleksa. On Sat, May 28, 2016 at 03:12:16PM +1000, Aleksa Sarai wrote: > I see two options here, which would allow us to have subtree > delegation without losing hierarchical structure: > > 1. Don't enable subtree delegation on v1 hierarchies. This would be > the simplest solution, and would cut out most people from using this > feature today -- but it would mean less work around trying to figure > out which hierarchies are safe to delegate (we make it explicit that > when you enable a cgroup on v2 that it must be safe to delegate by an > unprivileged user). We also get the benefit of having the more strict > cgroup.procs write rules. > 2. Don't do subtree delegation on hierarchies that aren't > hierarchical. This would have to be done in collaboration with the > controllers (since cgroup core doesn't know which is hierarchical), > and would allow all users of cgroups today to get subtree delegation. Regardless of the above two, the proposed solution is too hacky and doesn't fit with the overall design. At the moment, I'm not sure the problem is worth solving. > >> > Why does an unpriv NS need to have cgroup delegated to it without > >> > cooperation from cgroup manager? > >> > >> There's actually many answers to this. The one I'm insterested in is > >> the ability for applications to make use of container features without > >> having to ask permission from some orchestration engine. The problem > > > > What's "container features"? Do you mean resource control by that? > > Yes. Also the device cgroup. And ignoring the container usecase, it > would be useful to regular programs if they could use cgroup resource > accounting as part of their regular operation. Regular processes can > use rlimits -- why can't they use cgroups without needing cooperation > from an admin process (which makes for security and administration > issues). The current VFS based interface simply isn't conducive to such usage. e.g. What if someone else relocates the process while it was trying to access its interface files? What if the permission or ownership changes beneath the process. > If I understand correctly, the security issues James is referring to > is that the cgroup manager could have a bug in it (and because the > cgroup interface is the filesystem, it would probably be some kind of > write-to-any-path bug). This is an intrinsic part of the model of "you > need to have cooperation with an admin process in order to use > resource limiting for your own processes". Sure, that's the inherent characteristic of the interface that cgroup ended up with. I'm not a big fan of it either but 1. it still is a workable model 2. adding mismatching hacks on top is highly likely to lead to interface disaster in the long term. Thanks. -- tejun -- To unsubscribe from this list: send the line "unsubscribe cgroups" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
