lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 23 Nov 2021 13:00:56 -0400
From:   Jason Gunthorpe <jgg@...pe.ca>
To:     David Hildenbrand <david@...hat.com>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Andrew Dona-Couch <andrew@...acou.ch>,
        Andrew Morton <akpm@...ux-foundation.org>,
        Drew DeVault <sir@...wn.com>,
        Ammar Faizi <ammarfaizi2@...weeb.org>,
        linux-kernel@...r.kernel.org, linux-api@...r.kernel.org,
        io_uring Mailing List <io-uring@...r.kernel.org>,
        Pavel Begunkov <asml.silence@...il.com>, linux-mm@...ck.org
Subject: Re: [PATCH] Increase default MLOCK_LIMIT to 8 MiB

On Tue, Nov 23, 2021 at 03:44:03PM +0100, David Hildenbrand wrote:
> On 23.11.21 15:07, Jason Gunthorpe wrote:
> > On Tue, Nov 23, 2021 at 02:39:19PM +0100, David Hildenbrand wrote:
> >>>
> >>>> 2) Could be provide a mmu variant to ordinary users that's just good
> >>>> enough but maybe not as fast as what we have today? And limit
> >>>> FOLL_LONGTERM to special, privileged users?
> >>>
> >>> rdma has never been privileged
> >>
> >> Feel free to correct me if I'm wrong: it requires special networking
> >> hardware and the admin/kernel has to prepare the system in a way such
> >> that it can be used.
> > 
> > Not really, plug in the right PCI card and it works
> 
> Naive me would have assumed that the right modules have to be loaded
> (and not blacklisted), that there has to be an rdma service installed
> and running, that the NIC has to be configured in some way, and that
> there is some kind of access control which user can actually use which
> NIC.

Not really, we've worked hard that it works as well as any other HW
device. Plug it in and it works.

There is no systemd service, or special mandatory configuration, for
instance.

> For example, I would have assume from inside a container it usually
> wouldn't just work.

Nope, RDMA follows the net namespaces of its ethernet port, so it just
works in containers too.

> believe what you say and I trust your experience :) So could as well be
> that on such a "special" (or not so special) systems there should be a
> way to restrict it to privileged users only.

At this point RDMA is about as "special" as people running large
ZONE_MOVABLE systems, and the two are going to start colliding
heavily. The RDMA VFIO migration driver should be merged soon which
makes VMs using this stuff finally practical.

Jason

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ