lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20190806164036.GA2332@nanopsycho.orion>
Date:   Tue, 6 Aug 2019 18:40:36 +0200
From:   Jiri Pirko <jiri@...nulli.us>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, dsahern@...il.com, mlxsw@...lanox.com,
        jakub.kicinski@...ronome.com, andrew@...n.ch, f.fainelli@...il.com,
        vivien.didelot@...il.com, mkubecek@...e.cz,
        stephen@...workplumber.org, daniel@...earbox.net,
        brouer@...hat.com, eric.dumazet@...il.com
Subject: [RFC] implicit per-namespace devlink instance to set kernel resource
 limitations

Hi all.

I just discussed this with DavidA and I would like to bring this to
broader audience. David wants to limit kernel resources in network
namespaces, for example fibs, fib rules, etc.

He claims that devlink api is rich enough to program this limitations
as it already does for mlxsw hw resources for example. If we have this
api for hardware, why don't to reuse it for the kernel and it's
resources too?

So the proposal is to have some new device, say "kernelnet", that would
implicitly create per-namespace devlink instance. This devlink
instance would be used to setup resource limits. Like:

devlink resource set kernelnet path /IPv4/fib size 96
devlink -N ns1name resource set kernelnet path /IPv6/fib size 100
devlink -N ns2name resource set kernelnet path /IPv4/fib-rules size 8

To me it sounds a bit odd for kernel namespace to act as a device, but
thinking about it more, it makes sense. Probably better than to define
a new api. User would use the same tool to work with kernel and hw.

Also we can implement other devlink functionality, like dpipe.
User would then have visibility of network pipeline, tables,
utilization, etc. It is related to the resources too.

What do you think?

Jiri

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ