On Mon, Feb 06, 2023 at 01:25:33PM -1000, Tejun Heo wrote: > On Mon, Feb 06, 2023 at 02:39:17PM -0800, Yosry Ahmed wrote: > > On Mon, Feb 6, 2023 at 2:36 PM Tejun Heo <tj@xxxxxxxxxx> wrote: > > > > > > On Mon, Feb 06, 2023 at 02:32:10PM -0800, Yosry Ahmed wrote: > > > > I guess it boils down to which we want: > > > > (a) Limit the amount of memory processes in a cgroup can be pinned/locked. > > > > (b) Limit the amount of memory charged to a cgroup that can be pinned/locked. > > > > > > > > The proposal is doing (a), I suppose if this was part of memcg it > > > > would be (b), right? > > > > > > > > I am not saying it should be one or the other, I am just making sure > > > > my understanding is clear. > > > > > > I don't quite understand what the distinction would mean in practice. It's > > > just odd to put locked memory in a separate controller from interface POV. > > > > Assume we have 2 cgroups, A and B. A process in cgroup A creates a > > tmpfs file and writes to it, so the memory is now charged to cgroup A. > > Now imagine a process in cgroup B tries to lock this memory. > > - With (a) the amount of locked memory will count toward's cgroup A's > > limit, because cgroup A is charged for the memory. > > - With (b) the amount of locked memory will count toward's cgroup B's > > limit, because a process in cgroup B is locking the memory. > > > > I agree that it is confusing from an interface POV. > > Oh yeah, that's confusing. I'd go with (a) for consistency with the rest of > memcg - locked memory should fit inside e.g. memory.max. The problem with > shared memory accounting exists for non-locked memory as well and prolly > best to handle the same way rather than handling differently. (a) kind of destroys the point of this as a sandboxing tool It is not so harmful to use memory that someone else has been charged with allocating. But it is harmful to pin memory if someone else is charged for the pin. It means it is unpredictable how much memory a sandbox can actually lock down. Plus we have the double accounting problem, if 1000 processes in different cgroups open the tmpfs and all pin the memory then cgroup A will be charged 1000x for the memory and hit its limit, possibly creating a DOS from less priv to more priv Jason
