| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 04 May 2012 00:55:44 -0700 From: ebiederm@...ssion.com (Eric W. Biederman) To: Mike Galbraith <efault@....de> Cc: Andrew Morton <akpm@...ux-foundation.org>, Oleg Nesterov <oleg@...hat.com>, LKML <linux-kernel@...r.kernel.org>, Pavel Emelyanov <xemul@...allels.com>, Cyrill Gorcunov <gorcunov@...nvz.org>, Louis Rilling <louis.rilling@...labs.com> Subject: Re: [PATCH] Re: [RFC PATCH] namespaces: fix leak on fork() failure Mike Galbraith <efault@....de> writes: > Namespaces have something in common with cgroups. synchronize_rcu() > makes them somewhat less than wonderful for dynamic use. Well unlike cgroups namespaces were not designed for heavy dynamic use. Although it appears that vsftp puts them to that kind of use so some of the design decisions are with revisiting. > default flags = SIGCHLD > > -namespace: flag |= CLONE_NEWPID > -all: flags |= CLONE_NEWIPC | CLONE_NEWNET | CLONE_NEWUSER > > marge:/usr/local/tmp/starvation # ./hackbench > Running with 10*40 (== 400) tasks. > Time: 2.636 > marge:/usr/local/tmp/starvation # ./hackbench -namespace > Running with 10*40 (== 400) tasks. > Time: 11.624 > marge:/usr/local/tmp/starvation # ./hackbench -namespace -all > Running with 10*40 (== 400) tasks. > Time: 51.474 CLONE_NEWUSER? I presume you have applied my latest user namespace patches? Otherwise you are running completely half baked code. hackbench? Which kernel are you running. Hackbench in some kernels is really good at triggering cache ping-pong effects with pids, and creds. So I'm not certain what to say there. In the latest kernels things should be better with unix domain sockets as long as you don't actually ask to pass your creds but hackbench is still a pretty ridiculous benchmark. Oversharing is always going to be bad for performance. > You can create trash quickly, but you have to haul it away. Well synchronize_rcu is much better in that respect than call_rcu, which let's the trash build up but is never carried away. The core design assumption with namespaces is that they will be used much more than they will be created/destroyed, and as long as there are progress guarantees in place I don't have a problem with that. At the same time if there are easy things we can do to make things go faster I am in favor of that notion. Still especially in the case of hackbench I think it is worth asking the question how much of the slow down is due to cache ping-pong due to oversharing. Eric -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists