| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1158020939.12947.129.camel@galaxy.corp.google.com> Date: Mon, 11 Sep 2006 17:28:58 -0700 From: Rohit Seth <rohitseth@...gle.com> To: Kir Kolyshkin <kir@...nvz.org> Cc: devel@...nvz.org, sekharan@...ibm.com, Rik van Riel <riel@...hat.com>, Srivatsa <vatsa@...ibm.com>, CKRM-Tech <ckrm-tech@...ts.sourceforge.net>, balbir@...ibm.com, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, Andi Kleen <ak@...e.de>, Christoph Hellwig <hch@...radead.org>, Andrey Savochkin <saw@...ru>, Matt Helsley <matthltc@...ibm.com>, Hugh Dickins <hugh@...itas.com>, Alexey Dobriyan <adobriyan@...l.ru>, Oleg Nesterov <oleg@...sign.ru>, Alan Cox <alan@...rguk.ukuu.org.uk> Subject: Re: [Devel] Re: [ckrm-tech] [PATCH] BC: resource beancounters (v4) (added user memory) On Mon, 2006-09-11 at 23:48 +0400, Kir Kolyshkin wrote: > Rohit Seth wrote: > > On Mon, 2006-09-11 at 11:25 -0700, Chandra Seetharaman wrote: > > > >> On Fri, 2006-09-08 at 14:43 -0700, Rohit Seth wrote: > >> <snip> > >> > >> > >>>>> Guarantee may be one of > >>>>> > >>>>> 1. container will be able to touch that number of pages > >>>>> 2. container will be able to sys_mmap() that number of pages > >>>>> 3. container will not be killed unless it touches that number of pages > >>>>> 4. anything else > >>>>> > >>>> I would say (1) with slight modification > >>>> "container will be able to touch _at least_ that number of pages" > >>>> > >>>> > >>> Does this scheme support running of tasks outside of containers on the > >>> same platform where you have tasks running inside containers. If so > >>> then how will you ensure processes running out side any container will > >>> not leave less than the total guaranteed memory to different containers. > >>> > >>> > >> There could be a default container which doesn't have any guarantee or > >> limit. > >> > > > > First, I think it is critical that we allow processes to run outside of > > any container (unless we know for sure that the penalty of running a > > process inside a container is very very minimal). > > > (1) there is a set of processes running outside of any container. In > OpenVZ we call that "VE0" or "host system", probably Chandra meant that > by "default container". > (2) The host system is used to manage the containers (start/stop/set > parameters/create/destroy). > (3) the penalty of running a process inside a container is indeed very low. > > > And anything running outside a container should be limited by default > > Linux settings. > > > (4) due to (2), it is not recommended to run anything but the tasks used > to manage the containers -- otherwise your gonna have security problems Just like you want to run those special threads outside of any container, some sysadmin might be interested in running different processes that they don't want to bind to any container limits. I think it is critical that you provide the capability to have tasks running outside any container. Whether sysadmin wants to do it or not for a system is a different thing. -rohit - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists