> -----Original Message-----
> From: Doug Ledford <dledford@xxxxxxxxxx>
> Sent: Wednesday, February 20, 2019 11:29 AM
> To: Leon Romanovsky <leon@xxxxxxxxxx>; Jason Gunthorpe <jgg@xxxxxxxxxxxx>
> Cc: Leon Romanovsky <leonro@xxxxxxxxxxxx>; RDMA mailing list <linux-rdma@xxxxxxxxxxxxxxx>; Parav Pandit <parav@xxxxxxxxxxxx>
> Subject: Re: [PATCH rdma-next 5/5] RDMA/core: Add command to set ib_core device net namspace sharing mode
>
> On Wed, 2019-02-13 at 19:29 +0200, Leon Romanovsky wrote:
> > Add netlink command that enables/disables sharing rdma device among
> > multiple net namespaces.
> >
> > Using rdma tool,
> > $rdma sys set netns shared (default mode)
> >
> > When rdma subsystem netns mode is set to shared mode, rdma devices
> > will be accessible in all net namespaces.
> >
> > Using rdma tool,
> > $rdma sys set netns exclusive
> >
> > When rdma subsystem netns mode is set to exclusive mode, devices will
> > be accessible in only one net namespace at any given point of time.
> > Any rdma resources created or in-use before netns mode set to
> > exclusive, will remain in shared mode, in other words, changing netns
> > mode to exclusive or shared has no effect on already open devices.
>
> But what if we *want* it to disconnect running apps that are violating
> namespace? Let's say for instance that a machine boots up with namespace
> shared enabled (by accident, maybe it booted from an old initrd image or
> something), and apps start leaking across namespaces willy nilly, and the
> admin goes "Oh crap!" and wants to lock things down?
>
> I have a possible solution in mind that would enable this, but I need to go
> read your other patchset to see if I'm way off base.

We can possibly do the same as what we do for the rdma net namespace change function, i.e. unregister clients and re-register. This will terminate the traffic and start clean after the mode is set to exclusive.