lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <784F48E6-C07E-4A38-B45B-BD2D66677894@linux.alibaba.com>
Date: Wed, 11 Sep 2024 09:53:27 +0800
From: 刘嵩 <liusong@...ux.alibaba.com>
To: Tejun Heo <tj@...nel.org>
Cc: lizefan.x@...edance.com,
 hannes@...xchg.org,
 Michal Koutný <mkoutny@...e.com>,
 cgroups@...r.kernel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [RFC PATCH] sched, cgroup: cgroup1 can also take the
 non-RUNTIME_INF min



> 2024年9月11日 03:32,Tejun Heo <tj@...nel.org> 写道:
> 
> On Tue, Sep 10, 2024 at 03:48:32PM +0800, Liu Song wrote:
>> For the handling logic of child_quota, there is no need to distinguish
>> between cgroup1 and cgroup2, so unify the handling logic here.
>> 
>> Signed-off-by: Liu Song <liusong@...ux.alibaba.com>
> 
> It doens't make much sense to change the interface for cgroup1 at this
> point. Let's please leave it as-is.
> 
> Thanks.
> 
> -- 
> tejun

Hi

In scenarios involving secure shared containers (like Kata), where containers are deployed
on VMs and constrained by CPU runtime using quotas, the concept of vCPUs comes into
play.

If the CPU limit set by Kubernetes is less than the actual number of vCPUs, meaning the
CPU count derived from the quota is less than the vCPU count, then when a user runs lscpu
inside the container, the reported CPU count will be greater than the container's quota.

If the user uses this reported count to calculate quota and attempts to set it for their own
sub-container, it will result in an error under cgroup1, whereas the same operation will
succeed under cgroup2. To avoid imposing extra learning costs on users, unifying the
handling logic in this regard is still beneficial.

Thanks

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ