Message-ID: <20130628150513.GD5125@dhcp22.suse.cz>
Date:	Fri, 28 Jun 2013 17:05:13 +0200
From:	Michal Hocko <mhocko@...e.cz>
To:	Tejun Heo <tj@...nel.org>
Cc:	Mike Galbraith <bitbucket@...ine.de>,
	Tim Hockin <thockin@...kin.org>, Li Zefan <lizefan@...wei.com>,
	Containers <containers@...ts.linux-foundation.org>,
	Cgroups <cgroups@...r.kernel.org>,
	bsingharora <bsingharora@...il.com>,
	"dhaval.giani" <dhaval.giani@...il.com>,
	Kay Sievers <kay.sievers@...y.org>,
	jpoimboe <jpoimboe@...hat.com>,
	"Daniel P. Berrange" <berrange@...hat.com>,
	lpoetter <lpoetter@...hat.com>,
	workman-devel <workman-devel@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: cgroup: status-quo and userland efforts

On Thu 27-06-13 22:01:38, Tejun Heo wrote:
> Hello, Mike.
> 
> On Fri, Jun 28, 2013 at 06:49:10AM +0200, Mike Galbraith wrote:
> > I always thought that was a very cool feature, mkdir+echo, poof done.
> > Now maybe that interface is suboptimal for serious usage, but it makes
> > the things usable via dirt simple scripts, very flexible, nice.
> 
> Oh, that in itself is not bad.  I mean, if you're root, it's pretty
> easy to play with and that part is fine.  But combined with the
> hierarchical nature of cgroup and file permissions, it encourages
> people to "delegate" subdirectories to less privileged domains,

OK, this really depends on what you expose to non-root users. I have
seen use cases where admin prepares top-level which is root-only but
it allows creating sub-groups which are under _full_ control of the
subdomain. This worked nicely for memcg for example because hard limit,
oom handling and other knobs are hierarchical so the subdomain cannot
overwrite what admin has said.

> which
> in turn leads to normal binaries to manipulate them directly, which is
> where the horror begins.  We end up exposing control knobs which are
> tightly coupled to kernel implementation details right into lay
> binaries and scripts directly used by end users.
>
> I think this is the first time this happened, which is probably why
> nobody really noticed the mess earlier.
> 
> Anyways, if you're root, you can keep doing whatever you want.

OK, so libcgroup's rules daemon will still work and place my tasks in
appropriate cgroups?

This is not quite on par with "libcgroup is dead and others have to
migrate to systemd as well" statements from the link posted earlier.
I really do not think that _any_ central agent will understand my
requirements and needs so I need a way to talk to cgroupfs somehow - I
have used libcgroups so far but touching cgroupfs is quite convenient
as well.

And the systemd, with its history of eating projects and not caring much
about their previous users who are not willing to jump in to the systemd
car, doesn't sound like a good place where to place the new interface to
me.

[...]
-- 
Michal Hocko
SUSE Labs
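
The delegation property described in the message (a sub-group's memcg hard limit cannot exceed what the admin set above it), as an added example that is not part of the original thread. It assumes the cgroup v1 memory controller with hierarchical accounting (memory.use_hierarchy) enabled; the directory tree and limit values are constructed in a temporary directory, and the function names are hypothetical.

```python
import os
import tempfile

LIMIT_FILE = "memory.limit_in_bytes"  # cgroup v1 memcg hard-limit file

def read_limit(group_dir):
    """Return the limit written in this group, or None if it has no limit file."""
    try:
        with open(os.path.join(group_dir, LIMIT_FILE)) as f:
            return int(f.read().strip())
    except FileNotFoundError:
        return None

def effective_limit(root, group_dir):
    """Tightest limit on the path from root down to group_dir (assumes hierarchy on)."""
    root, path = os.path.realpath(root), os.path.realpath(group_dir)
    if os.path.commonpath([root, path]) != root:
        raise ValueError("group is outside the audited hierarchy")
    limits = []
    while True:
        limit = read_limit(path)
        if limit is not None:
            limits.append(limit)
        if path == root:
            break
        path = os.path.dirname(path)
    return min(limits) if limits else None

def audit(root):
    """Map each group to its own limit, the limit that binds it, and whether they differ."""
    report = {}
    for group_dir, _, _ in os.walk(root):
        own = read_limit(group_dir)
        eff = effective_limit(root, group_dir)
        report[os.path.relpath(group_dir, root)] = {
            "own": own, "effective": eff,
            "capped_by_ancestor": own is not None and eff < own}
    return report

def build_sample_tree():
    """Constructed sample: admin sets 1 GiB on top, the subdomain writes its own values."""
    mib = 1 << 20
    root = tempfile.mkdtemp(prefix="memcg-sample-")
    for rel, limit in (("", 1024 * mib), ("alice", 4096 * mib), ("alice/job", 256 * mib)):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        with open(os.path.join(root, rel, LIMIT_FILE), "w") as f:
            f.write(f"{limit}\n")
    return root

if __name__ == "__main__":
    for name, row in sorted(audit(build_sample_tree()).items()):
        print(name, row)
```
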