On Tue, Apr 27, 2021 at 11:51 PM Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
>
> OpenVZ has used memory accounting for 20+ years, since the v2.2.x Linux kernels.
> Initially we used our own accounting subsystem, then partially committed
> it to upstream, and a few years ago switched to cgroups v1.
> Now we're rebasing again, revising our old patches and trying to push
> them upstream.
>
> We try to protect the host system from any misuse of kernel memory
> allocation triggered by untrusted users inside the containers.
>
> The patch set is addressed mostly to the cgroups maintainers and the cgroups@ mailing
> list, though I would be very grateful for any comments from maintainers
> of affected subsystems or other people added in cc:
>
> Compared to upstream, we additionally account the following kernel objects:
> - network devices and their Tx/Rx queues
> - ipv4/v6 addresses and routing-related objects
> - inet_bind_bucket cache objects
> - VLAN group arrays
> - ipv6/sit: ip_tunnel_prl
> - scm_fp_list objects used by SCM_RIGHTS messages of Unix sockets
> - nsproxy and the namespace objects themselves
> - IPC objects: semaphores, message queues and shared memory segments
> - mounts
> - pollfd and select bits arrays
> - signals and posix timers
> - file locks
> - fasync_struct used by the file lease code and drivers' fasync queues
> - tty objects
> - per-mm LDT
>
> We have incorrect/incomplete/obsolete accounting for a few other kernel
> objects: sk_filter, af_packets, netlink and xt_counters for iptables.
> They require rework and probably will be dropped altogether.
>
> Also we're going to add accounting for nft, however it is not ready yet.
>
> We have not tested performance on upstream; however, our performance team
> compared our current RHEL7-based production kernel and reports that
> it is at least not worse than the corresponding original RHEL7 kernel.
>

Hi Vasily,

What's the status of this series? I see a couple of patches did get
acked/reviewed. Can you please re-send the series with updated ack tags?

thanks,
Shakeel