lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Thu, 12 Oct 2017 14:57:29 -0700 (PDT)
From:   David Rientjes <rientjes@...gle.com>
To:     Peter Zijlstra <peterz@...radead.org>
cc:     Roman Gushchin <guro@...com>, linux-kernel@...r.kernel.org,
        Tejun Heo <tj@...nel.org>, Oleg Nesterov <oleg@...hat.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Thomas Gleixner <tglx@...utronix.de>, Chris Mason <clm@...com>,
        kernel-team@...com
Subject: Re: [RFC 1/2] cgroup, kthread: do not allow moving kthreads out of
 the root cgroup

On Thu, 12 Oct 2017, Peter Zijlstra wrote:

> > Attaching kernel threads to a non-root cgroup is generally a bad
> > idea. Kernel threads are generally performing the work required
> > to keep the system working and healthy, and applying various
> > resource limits may affect system stability and performance.
> > 
> > Some examples of dangerous behavior are limiting CPU time available
> > to rcu stuff, memory limits applied to almost all kthreads, etc.
> > 
> > To prevent this dangerous behavior, let's deny all kthread
> > movements between cgroups. Right now only kthreads bounded
> > to CPUs are not allowed to move, which is not sufficient.
> > 
> > If there are examples of kthreads which can be limited,
> > and it's guaranteed to be safe, we can allow explicit
> > exceptions further.
> 
> The traditional use-case is stuffing all the unbound kthreads into a
> system cpuset in order to limit 'crap' on the rest of the CPUs.
> This setup is typically found in HPC and RT environments.
> 
> So NAK. This needs to stay working in as far as it still works.
> 

+1, I originally introduced PF_THREAD_BOUND to cpusets in 2008 to prevent 
migration threads and software watchdog threads from being able to access 
the cpus they work on.  We also move unbound kthreads to a system cpuset.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ