[RFC][PATCH] IP address restricting cgroup subsystem

Grzegorz Nosek root at localdomain.pl
Tue Jan 6 23:38:32 PST 2009


On Wed, Jan 07, 2009 at 02:01:10 +0800, Li Zefan wrote:
> CC: netdev at vger.kernel.org
> 
> I'll review the cgroup part if this patch is regarded as useful.
> 
> Grzegorz Nosek wrote:
> > This is a very simple cgroup subsystem to restrict IP addresses used
> > by member processes. Currently it is limited to IPv4 only but IPv6 (or
> > other protocols) should be easy to implement.
> > 
> > IP addresses are write-once (via /cgroup/.../ipaddr.ipv4 in dotted-quad
> 
> Why they should be write-once ?

No real (technical) reason. Making it read-write would be fine with me.
I wanted to make the restriction a one-way road but I guess I can police
that in userspace (simply don't write anything to the file twice).

However, I think that the restriction should be inherited, so that if
CG1 is bound to e.g. 10.0.0.1, CG1/CG2 must be bound to the same
address. But what would I do then with descendant cgroups? Leave them as
is (breaking the inheritance)? Find them all and change their bound
address behind their back (do we have an API for that?)?

I guess I have the same problem right now, anyway (only once instead of
multiple times), so I'd really appreciate your input on this.

Best regards,
 Grzegorz Nosek
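The inheritance question raised above (CG1 bound to 10.0.0.1, CG1/CG2 forced to the same address, and what to do about descendants) can be modelled without touching descendants at all: resolve a cgroup's effective address lazily by walking up to the nearest bound ancestor, and reject a write to a child that would diverge from it. The following userspace model is an added illustration, not code from the patch; the ipcg struct and the ipcg_* functions are hypothetical names, and the addresses are constructed sample values. The write-once rule from the original patch is kept, so "finding all descendants" is never needed: setting CG1 later simply changes what CG1/CG2 resolves to.

```c
/* Model of an inherited, write-once IPv4 restriction per cgroup.
 * Hypothetical userspace illustration, not the kernel subsystem itself. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>

struct ipcg {
    const char *name;
    struct ipcg *parent;
    int bound;           /* has ipaddr.ipv4 been written for this cgroup? */
    struct in_addr addr; /* the bound address, valid when bound != 0 */
};

/* Effective address: the nearest bound cgroup on the path to the root.
 * Returns 1 and fills *out if a restriction applies, 0 if unrestricted. */
int ipcg_effective(const struct ipcg *cg, struct in_addr *out)
{
    for (; cg; cg = cg->parent) {
        if (cg->bound) {
            *out = cg->addr;
            return 1;
        }
    }
    return 0;
}

/* Model of writing a dotted quad to ipaddr.ipv4. Returns 0 or -errno:
 *   -EINVAL  not a valid dotted quad
 *   -EBUSY   already bound (write-once)
 *   -EACCES  an ancestor is bound to a different address (inheritance) */
int ipcg_write_ipv4(struct ipcg *cg, const char *dotted)
{
    struct in_addr want, inherited;

    if (inet_pton(AF_INET, dotted, &want) != 1)
        return -EINVAL;
    if (cg->bound)
        return -EBUSY;
    if (ipcg_effective(cg->parent, &inherited) &&
        inherited.s_addr != want.s_addr)
        return -EACCES;
    cg->addr = want;
    cg->bound = 1;
    return 0;
}

/* Would a member process be allowed to use this address? 1 yes, 0 no.
 * Because the check resolves the effective address on every call, a
 * descendant cgroup needs no update when an ancestor becomes bound. */
int ipcg_bind_allowed(const struct ipcg *cg, const char *dotted)
{
    struct in_addr want, eff;

    if (inet_pton(AF_INET, dotted, &want) != 1)
        return 0;
    if (!ipcg_effective(cg, &eff))
        return 1;                       /* no restriction anywhere above */
    return want.s_addr == eff.s_addr;
}

/* Walk through the CG1 / CG1/CG2 scenario; returns how many of the
 * eight expectations hold (8 when the model behaves as described). */
int ipcg_scenario(void)
{
    struct ipcg root = { "root",    NULL,  0, { 0 } };
    struct ipcg cg1  = { "CG1",     &root, 0, { 0 } };
    struct ipcg cg2  = { "CG1/CG2", &cg1,  0, { 0 } };
    int ok = 0;

    ok += ipcg_bind_allowed(&cg2, "192.0.2.7") == 1;    /* nothing bound yet */
    ok += ipcg_write_ipv4(&cg1, "10.0.0.1") == 0;       /* bind CG1 */
    ok += ipcg_bind_allowed(&cg2, "10.0.0.1") == 1;     /* CG2 inherits it */
    ok += ipcg_bind_allowed(&cg2, "192.0.2.7") == 0;    /* and nothing else */
    ok += ipcg_write_ipv4(&cg2, "10.0.0.2") == -EACCES; /* cannot diverge */
    ok += ipcg_write_ipv4(&cg2, "10.0.0.1") == 0;       /* restating is fine */
    ok += ipcg_write_ipv4(&cg1, "10.0.0.3") == -EBUSY;  /* write-once */
    ok += ipcg_write_ipv4(&root, "10.0.0") == -EINVAL;  /* bad dotted quad */
    return ok;
}

int main(void)
{
    printf("%d of 8 expectations hold\n", ipcg_scenario());
    return 0;
}
```

Making the file read-write would only require dropping the -EBUSY branch, but then a rebinding of CG1 could leave an already-bound CG1/CG2 holding the old address; the lazy walk above sidesteps that only as long as the restriction is set once per node.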

