On Thu, Jun 23, 2022 at 02:44:33PM -0400, Waiman Long <longman@xxxxxxxxxx> wrote: > That could be an issue. The way how I understand here is that the privileged process isn't part of contrained workload (if it were then, it can modify cpuset itself) like debugging or tracing a code within a container entered by the admin. The bypass could not be used to setscheduler (via migration) of an arbitrary process. > What do you mean by nothing effectively changes? It's a freshly created child (after cpuset_css_online()), so it inherits parent's attributes, so the migration from the parent to this child doesn't affect CPU affinity etc. > Since the check is done on a taskset level, if only one of the tasks in the > taskset fails, the whole taskset fails. Maybe we should consider an option > for task based migration. So all the tasks that can be migrated will be > migrated and the rests will be left behind in the original cpuset. Hm, I haven't thought about that. That might be in theory possible for threaded controllers (like cpuset) but I imagine it'd a bit messy, in particular for these implicit migrations upon controller enablement. Thanks, Michal
Attachment:
signature.asc
Description: Digital signature
