Message-ID: <4C57D3C7.2010509@cn.fujitsu.com>
Date:	Tue, 03 Aug 2010 16:31:03 +0800
From:	Li Zefan <lizf@...fujitsu.com>
To:	"Serge E. Hallyn" <serge.hallyn@...onical.com>
CC:	linux-kernel@...r.kernel.org,
	containers@...ts.linux-foundation.org,
	Daniel Lezcano <dlezcano@...e.fr>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Paul Menage <menage@...gle.com>,
	Jamal Hadi Salim <hadi@...erus.ca>,
	Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH 3/3] cgroup : remove the ns_cgroup

Cc: Andrew

Serge E. Hallyn wrote:
> The ns_cgroup is an annoying cgroup at the namespace / cgroup frontier.
> 
> For example, a single process can not handle a big amount of namespaces
> without interacting with this cgroup and falling in an exponential creation
> time due to the nested cgroup directory depth (eg. /cgroup/<pid>/.../<pid>/...).
> 
> That was spotted when creating a single process using multiple network namespaces,
> the objective was 4096 network namespaces, but at 820 netns, the creation time
> was dramatically slow and the creation time for a namespace increased from 10msec
> to 10sec. After five hours, the expected numbers of netns was not reached.
> Without the ns_cgroup interaction, 4K netns are created after 2 minutes.
> 
> In order to solve that, we have to mount the cgroup with all the subsystems
> except the ns_cgroup, it's a little weird and hard to manage from an administration
> pov because we have to know what are the cgroup available on the system and we
> can't do a simple 'mount -t cgroup cgroup /cgroup'.
> 
> With the previous patch which adds a 'clone_children' parameter to a cgroup,
> we should be able to remove the ns_cgroup and manage manually the creation +
> adding a task to the cgroup consistently with the rest of the subsystems.
> 
> This patch removes the ns_cgroup as suggested in the following thread:
> 
> https://lists.linux-foundation.org/pipermail/containers/2009-June/018616.html
> 
> The 'cgroup_clone' function is removed because it is no longer used.
> 
> Changelog: Jul 29 (seh): remove references to ns_cgroup_clone(), fix up
> 	   some documentation, and remove CONFIG_CGROUP_NS references.
> 
> Signed-off-by: Daniel Lezcano <dlezcano@...e.fr>
> Signed-off-by: Serge E. Hallyn <serge.hallyn@...onical.com>
> Cc: Eric W. Biederman <ebiederm@...ssion.com>
> Cc: Paul Menage <menage@...gle.com>
> Cc: Jamal Hadi Salim <hadi@...erus.ca>

Reviewed-by: Li Zefan <lizf@...fujitsu.com>
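
The workaround described in the quoted commit message (mounting every subsystem except ns_cgroup, which requires knowing what the system offers) can be scripted as below. This is an added example, not part of the original thread or the patch; it assumes /proc/cgroups-style input and that the subsystem is listed under the name "ns", and the sample table is constructed.

```shell
#!/bin/sh
# Build the -o option list for a cgroup mount that leaves out ns_cgroup.
# Reads a table in /proc/cgroups format on stdin:
#   subsys_name  hierarchy  num_cgroups  enabled

cgroup_opts_without_ns() {
    awk '
        /^#/ || NF < 4 { next }   # header line or malformed row
        $1 == "ns"     { next }   # the subsystem we must not co-mount
        $4 != 1        { next }   # subsystem disabled on this system
        { list = list sep $1; sep = "," }
        END { print list }
    '
}

# Constructed sample table (not taken from a real system).
sample_proc_cgroups() {
    cat <<'EOF'
#subsys_name hierarchy num_cgroups enabled
cpuset       0         1           1
ns           0         1           1
cpu          0         1           1
memory       0         1           0
devices      0         1           1
freezer      0         1           1
net_cls      0         1           1
EOF
}

# Show the mount command that would be used; nothing is mounted here.
opts=$(sample_proc_cgroups | cgroup_opts_without_ns)
echo "mount -t cgroup -o $opts cgroup /cgroup"
```

On a live system the function would be fed from /proc/cgroups instead of the sample table.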