On Mon, Oct 16, 2023 at 02:32:31PM -0700, Sean Christopherson wrote:

> Genuinely curious, who is asking for EPC cgroup support that *isn't* running VMs?

People who work with containers: [1], [2].

> AFAIK, these days, SGX is primarily targeted at cloud. I assume virtual EPC is
> the primary use case for an EPC cgroup.

The common setup is that a cloud VM instance with vEPC is created and then several SGX enclave containers are run simultaneously on that instance. EPC cgroups is used to ensure that each container gets their own share of EPC (and any attempts to go beyond the limit is reclaimed and charged from the container's memcg). The same containers w/ enclaves use case is applicable to baremetal also, though.

As far as Kubernetes orchestrated containers are concerned, "in-place" resource scaling is still in very early stages which means that the cgroups values are adjusted by *re-creating* the container. The hierarchies are also built such that there's no mix of VMs w/ vEPC and enclaves in the same tree.

Mikko

[1] https://lore.kernel.org/linux-sgx/20221202183655.3767674-1-kristen@xxxxxxxxxxxxxxx/T/#m6d1c895534b4c0636f47c2d1620016b4c362bb9b
[2] https://lore.kernel.org/linux-sgx/20221202183655.3767674-1-kristen@xxxxxxxxxxxxxxx/T/#m37600e457b832feee6e8346aa74dcff8f21965f8