Date:	Thu, 30 Dec 2010 02:57:31 -0600
From:	Rob Landley <rob@...dley.net>
To:	Mike Hommey <mh@...ndium.org>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: Containers and /proc/sys/vm/drop_caches

On Thu, Dec 30, 2010 at 1:59 AM, Mike Hommey <mh@...ndium.org> wrote:
> Hi,
>
> I noticed that from within a lxc container, writing "3" to
> /proc/sys/vm/drop_caches would flush the host page cache. That sounds a
> little dangerous for VPS offerings that would be based on lxc, as in one
> VPS instance root user could impact the overall performance of the host.

There's a containers@...r mailing list for this stuff, you might have better
luck asking there.

> I don't know about other containers but I've been told openvz isn't
> subject to this problem.

I've been coming up to speed on this area recently: openvz has a lot of stuff
that isn't in the main kernel, but it's based on an approach that didn't get
merged into the kernel (using new syscalls to control container stuff).

Instead Google's rewrite of sgi's cgroup stuff went in for process grouping
(based on the cgroup filesystem), and a half-dozen different types of
namespaces are based on flags to clone(), and various other filesystems
(proc, sys, devpts) grew some kind of -o newinstance flag (see
http://lkml.indiana.edu/hypermail//linux/kernel/1012.3/00777.html for a pending
example, although why they can't detect they're the first instance in the
current container rather than containers having to be specially set up by the
host, I still don't understand yet)... and so on.

The rest of the stuff openvz does is still being redesigned to go into
vanilla based on those mechanisms.  It seems a bit like squashfs: vanilla should
be able to do this someday, but when it gets merged it may not be compatible
with the out of tree version.  LXC is an attempt to make a userspace tool to
drive containers in the vanilla kernel.  It doesn't do half of what openvz does
yet, but they're working on it.

Rob
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
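The check a container operator would want after reading this thread is whether /proc/sys/vm/drop_caches is actually writable from inside a given container. Container runtimes commonly mitigate the problem Mike describes by placing a read-only mount over /proc/sys, and that state is visible from inside the container in /proc/self/mountinfo. The script below is an added example, not code from either poster or from LXC: it parses mountinfo, finds the longest-prefix mount covering a path, and reports whether that mount carries the per-mount `ro` flag. The two mountinfo samples are constructed for illustration; `parse_mountinfo`, `mount_for` and `is_read_only` are names chosen here.

```python
"""Report whether a path such as /proc/sys/vm/drop_caches sits under a
read-only mount, as seen from inside the current mount namespace.

Added example; parses the /proc/self/mountinfo format documented in
proc(5). Sample data below is constructed, not captured from a real host.
"""

import os
import sys

# Constructed sample: a container where /proc/sys has been remounted
# read-only (bind mount with per-mount "ro"), the usual mitigation.
CONTAINER_MOUNTINFO = """\
22 1 0:20 / / rw,relatime - ext4 /dev/root rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
24 23 0:21 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
25 22 0:22 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
"""

# Constructed sample: plain /proc with no protection over /proc/sys, the
# situation the thread starter observed.
UNPROTECTED_MOUNTINFO = """\
22 1 0:20 / / rw,relatime - ext4 /dev/root rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""


def parse_mountinfo(text):
    """Return a list of (mount_point, per_mount_options) from mountinfo text.

    Fields (proc(5)): id parent major:minor root mount_point mount_opts
    [optional fields...] - fstype source super_opts. Only the per-mount
    options (field 6) matter here: a bind mount remounted read-only shows
    "ro" there even when the superblock options still say "rw".
    Mount points containing spaces are escaped as \\040 in the file.
    """
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # skip blank or truncated lines
        mount_point = fields[4].replace("\\040", " ")
        options = set(fields[5].split(","))
        mounts.append((mount_point, options))
    return mounts


def mount_for(path, mounts):
    """Return the (mount_point, options) whose mount point is the longest
    prefix of path, i.e. the mount that actually backs the path."""
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, options)
    return best


def is_read_only(path, mounts):
    """True if the mount backing path carries the per-mount 'ro' flag."""
    entry = mount_for(path, mounts)
    return entry is not None and "ro" in entry[1]


def report(path, mounts):
    """Human-readable verdict for one path."""
    entry = mount_for(path, mounts)
    if entry is None:
        return "%s: no mount found" % path
    state = "read-only" if "ro" in entry[1] else "writable"
    return "%s: %s (mount point %s)" % (path, state, entry[0])


if __name__ == "__main__":
    # With no argument, inspect the live mount namespace; otherwise read a
    # saved mountinfo file (useful for auditing captured container state).
    source = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/mountinfo"
    if os.path.exists(source):
        with open(source) as fh:
            live = parse_mountinfo(fh.read())
        print(report("/proc/sys/vm/drop_caches", live))
    else:
        print("no mountinfo at %s; showing constructed samples" % source)
    print("sample container:  " +
          report("/proc/sys/vm/drop_caches", parse_mountinfo(CONTAINER_MOUNTINFO)))
    print("sample unprotected: " +
          report("/proc/sys/vm/drop_caches", parse_mountinfo(UNPROTECTED_MOUNTINFO)))
```

The verdict describes the mount state as seen from inside the container only; a read-only mount is one layer, and it complements rather than replaces dropping the capabilities that would let a container change its own mounts.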
