On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> Just wondering whether you're working on implementing new hierarchical
> behavior on devcg. If so, can you please share some details on how
> you're planning to do it? Please feel free to add the relevant
> mailing lists when replying.

I did start, but still dealing with lots of company internal tasks so I
couldn't do much.

One of the ideas is to start changing (again) how the rules are processed
internally, moving away from the default policy + exceptions model to an
ordered set of rules like iptables:

    default: allow/deny
    allow block major 100-101, all minors
    deny char major 200, all minors
    ...

That will solve most complex use cases the current model won't [1], but the
problem with this approach is that since it relies on order, merging would
be a problem, and it'd have to test each parent all the way to / to make
sure the access is possible.

[1] One example of usage the current model won't solve:
    - by default deny everything
    - allow c,200,*
    - but deny c,200,100

The second idea, which is simpler, will reuse the current internal model of
default policy + exceptions and the idea in the initial patches of having
two lists in each cgroup: active policy+exceptions and locally set
policy+exceptions. This way for every change that happens in a parent (or
even change of parents when moving the cgroup around), the active
policy+exceptions will be regenerated.

In both cases, we do need a new userspace interface (although we can still
provide backwards compatibility with the old one).

Comments?

--
Aristeu
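
The first idea in the message above (an ordered rule list checked at every level up to /), sketched as an added example; it is not code from this thread or from the kernel. The struct layout, the function names, the sample hierarchy and the first-match-wins semantics are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#define ANY (-1)                 /* wildcard: "all minors" */

struct rule {                    /* one entry of the ordered list */
    bool allow;
    char type;                   /* 'b' block, 'c' char */
    int major_lo, major_hi;      /* inclusive major range */
    int minor;                   /* ANY or one exact minor */
};
struct devcg {                   /* hypothetical per-cgroup state */
    const struct devcg *parent;  /* NULL at the root ("/") */
    bool default_allow;
    const struct rule *rules;
    size_t nrules;
};

/* Assumption: first matching rule wins, else the cgroup default applies. */
static bool local_verdict(const struct devcg *cg, char type, int major, int minor)
{
    for (size_t i = 0; i < cg->nrules; i++) {
        const struct rule *r = &cg->rules[i];
        if (r->type == type && major >= r->major_lo && major <= r->major_hi &&
            (r->minor == ANY || r->minor == minor))
            return r->allow;
    }
    return cg->default_allow;
}

/* Access is possible only if every level up to "/" permits it. */
bool devcg_may_access(const struct devcg *cg, char type, int major, int minor)
{
    for (; cg; cg = cg->parent)
        if (!local_verdict(cg, type, major, minor))
            return false;
    return true;
}

/* Constructed hierarchy: root encodes footnote [1], child adds one deny. */
static const struct rule root_rules[] = {
    { false, 'c', 200, 200, 100 },   /* deny c,200,100: must precede the allow */
    { true,  'c', 200, 200, ANY },   /* allow c,200,* */
};
static const struct rule child_rules[] = { { false, 'c', 200, 200, 50 } };
static const struct devcg root = { NULL, false, root_rules, 2 };   /* default deny */
static const struct devcg child = { &root, true, child_rules, 1 }; /* default allow */

int main(void)
{
    printf("child c,200,7: %d\n", devcg_may_access(&child, 'c', 200, 7));
    printf("child c,200,100: %d\n", devcg_may_access(&child, 'c', 200, 100));
    return 0;
}
```

The child's default-allow policy never widens what the root denies, because the walk stops at the first level that refuses the access.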