Re: [PATCH rdma-next 5/5] RDMA/core: Add command to set ib_core device net namspace sharing mode

On Wed, Feb 20, 2019 at 10:37:32AM -0700, Parav Pandit wrote:
> 
> 
> > From: Doug Ledford <dledford@xxxxxxxxxx>
> > Sent: Wednesday, February 20, 2019 11:29 AM
> > To: Leon Romanovsky <leon@xxxxxxxxxx>; Jason Gunthorpe
> > <jgg@xxxxxxxxxxxx>
> > Cc: Leon Romanovsky <leonro@xxxxxxxxxxxx>; RDMA mailing list <linux-
> > rdma@xxxxxxxxxxxxxxx>; Parav Pandit <parav@xxxxxxxxxxxx>
> > Subject: Re: [PATCH rdma-next 5/5] RDMA/core: Add command to set
> > ib_core device net namspace sharing mode
> > 
> > On Wed, 2019-02-13 at 19:29 +0200, Leon Romanovsky wrote:
> > > Add netlink command that enables/disables sharing rdma device among
> > > multiple net namespaces.
> > >
> > > Using rdma tool,
> > > $rdma sys set netns shared (default mode)
> > >
> > > When rdma subsystem netns mode is set to shared mode, rdma devices
> > > will be accessible in all net namespaces.
> > >
> > > Using rdma tool,
> > > $rdma sys set netns exclusive
> > >
> > > When rdma subsystem netns mode is set to exclusive mode, devices will
> > > be accessible in only one net namespace at any given point of time.
> > > Any rdma resources created or in use before the netns mode is set to
> > > exclusive will remain in shared mode; in other words, changing the netns
> > > mode to exclusive or shared has no effect on already open devices.
> > 
> > But what if we *want* it to disconnect running apps that are violating
> > namespace?  Let's say for instance that a machine boots up with namespace
> > shared enabled (by accident, maybe it booted from an old initrd image or
> > something), and apps start leaking across namespaces willy nilly, and the
> > admin goes "Oh crap!" and wants to lock things down?
> > 
> > I have a possible solution in mind that would enable this, but I need to go
> > read your other patchset to see if I'm way off base.
> > 
> We can possibly do the same as what we do for the rdma net namespace change function,
> i.e. unregister clients and re-register.
> This will terminate the traffic and start clean after the mode is set to exclusive.

It does make sense, and it fits the enable/disable flow nicely.

Although it means that executing this command wrecks all the kernel
objects like ipoib setup for instance. So it really can't be used
except during very early boot.

We'd really need a module option to set the default in this case.

Jason
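The commit message above gives the two `rdma sys set netns` commands, and the reply notes that switching to exclusive only affects devices opened afterwards. The script below is an added example (not code from the patch, the thread, or iproute2) of how an administrator might check the current mode and lock it down from an early-boot hook, before any RDMA consumer such as ipoib is up. It assumes the iproute2 `rdma` tool with `rdma sys show netns` printing a line of the form `netns shared` or `netns exclusive`, and `rdma sys set netns <mode>` as named in the commit message; the sample output strings are constructed.

```shell
#!/bin/sh
# Added example: read the RDMA subsystem netns mode and switch it to
# exclusive if it is still shared. Assumes the iproute2 `rdma` tool and
# the `rdma sys show netns` / `rdma sys set netns <mode>` commands.

# Extract the mode word that follows "netns" in `rdma sys show netns`
# output. Constructed inputs look like "netns shared" or "netns exclusive".
rdma_netns_mode() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "netns") { print $(i + 1); exit }
    }'
}

# Decide what to do for a given show-output line:
# "set" when the mode is shared, "noop" when it is already exclusive,
# "unknown" for anything the parser does not recognise.
rdma_netns_action() {
    case "$(rdma_netns_mode "$1")" in
        shared)    echo set ;;
        exclusive) echo noop ;;
        *)         echo unknown ;;
    esac
}

# Real run: only meaningful on a host with the rdma tool installed.
# Returns 0 when the mode is exclusive afterwards, 1 on unexpected
# output, 2 when the tool is missing.
enforce_exclusive() {
    command -v rdma >/dev/null 2>&1 || { echo "rdma tool not found" >&2; return 2; }
    cur=$(rdma sys show netns 2>/dev/null)
    case "$(rdma_netns_action "$cur")" in
        set)
            # Per the commit message, devices that are already open keep
            # shared-mode behaviour, so this must run before any RDMA
            # consumer (e.g. ipoib) has been set up.
            rdma sys set netns exclusive ;;
        noop)
            return 0 ;;
        *)
            echo "unexpected output from rdma sys show netns: $cur" >&2
            return 1 ;;
    esac
}
```

Calling `enforce_exclusive` from a unit that orders itself before the RDMA client modules load is the only place this is useful, matching the point in the reply that a mode change that tears down kernel objects is effectively an early-boot operation; a module option for the default would remove the need for the script altogether.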
