[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20160725225420.GA26761@mail.hallyn.com>
Date: Mon, 25 Jul 2016 17:54:20 -0500
From: "Serge E. Hallyn" <serge@...lyn.com>
To: Tejun Heo <tj@...nel.org>
Cc: Aleksa Sarai <asarai@...e.de>,
James Bottomley <James.Bottomley@...senPartnership.com>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Li Zefan <lizefan@...wei.com>,
Johannes Weiner <hannes@...xchg.org>,
"Serge E. Hallyn" <serge.hallyn@...ntu.com>,
Aditya Kali <adityakali@...gle.com>,
Chris Wilson <chris@...is-wilson.co.uk>,
linux-kernel@...r.kernel.org, cgroups@...r.kernel.org,
Christian Brauner <cbrauner@...e.de>, dev@...ncontainers.org
Subject: Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for
direct descendants
Quoting Tejun Heo (tj@...nel.org):
> Hello, Aleksa.
>
> On Fri, Jul 22, 2016 at 06:30:07PM +1000, Aleksa Sarai wrote:
> > Just to be clear, the "ns subdir operation" is a cgroup namespaced process
> > moving A -> A_subdir which is racing against some administrative process
> > moving everything from A -> B (but not wanting to move A -> A_subdir)?
>
> Yes.
>
> > So should there be policy within the kernel to not permit a process outside
> > a cgroup namespace to move processes inside the namespace? Or would you be
> > concerned about people escaping the administrator's attempts to reorganise
> > the hierarchy?
>
> Pushed that far, I frankly can't assess what the implications and
> side-effects would be.
>
> > What if we extended rename(2) so that it /does/ allow for reorganisation of
> > the hierarchy? So an administrator could use rename to change the point at
> > which a cgroupns root is rooted at, but not be able to move the actual
> > processes within the cgroup namespace around? The administrator could also
> > join the cgroupns (without needing to join the userns) and then just move
> > things around that way?
> >
> > Do any of those suggestions seem reasonable?
>
> Unfortunately not. I get what you're trying to do and am sure we can
> make some specific scenarios work with the right set of hacks and
> holes, but this type of approach is very dangerous in the long term.
>
> The downside we have now is that we need an explicit delegation from
> userland and that stems from the architectural constraints of
> cgroupfs. It's not ideal but an acceptable situation. Let's please
> not riddle the whole thing with holes that we don't understand for an
> inconvenience which can be worked around otherwise.
It's something which distros, post-machine-install scripts, and
post-pkg-install scripts can all very easily setup. They have to
setup subuid and subgid too if you want safe unprivileged containers,
so I really don't feel this is so arduous. What is the use case where
none of these are an option? (I don't doubt that it exists since you
are pushing pretty hard)
-serge
Powered by blists - more mailing lists