[OFFLIST] status of devcg
Aristeu Rozanski
aris at redhat.com
Wed Jul 10 19:50:02 UTC 2013
On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> Just wondering whether you're working on implementing new hierarchical
> behavior on devcg. If so, can you please share some details on how
> you're planning to do it? Please feel free to add the relevant
> mailing lists when replying.
I did start, but still dealing with lots of company internal tasks so I
couldn't do much.
One of the ideas is to start changing (again) how the rules are processed
internally, moving away from the default policy + exceptions model to
an ordered set of rules like iptables:
default: allow/deny
allow block major 100-101, all minors
deny char major 200, all minors
...
That will solve most complex use cases the current model won't [1] but
the problem with this approach is that since it relies on order, merging
would be a problem, and it'd have to test each parent all the way to / to
make sure the access is possible.
[1] One example of usage the current model won't solve:
- by default deny everything
- allow c,200,*
- but deny c,200,100
The second idea, which is simpler, will reuse the current internal model
of default policy + exceptions and the idea in the initial patches of having
two lists in each cgroup: active policy+exceptions and locally set
policy+exceptions. This way for every change that happens in a parent (or
even change of parents when moving the cgroup around), the active
policy+exceptions will be regenerated.
In both cases, we do need a new userspace interface (although we can
still provide backwards compatibility with the old one).
Comments?
--
Aristeu
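To make the difference between the two proposals concrete, here is an added toy model written for this page; it is not kernel code and not Aristeu's patches. The `c,200,*` rule syntax, the class names and the in-memory `active` predicate are assumptions made for the illustration. It shows how ordered rules express the [1] case (deny everything, allow c,200,*, deny c,200,100) while default-deny plus allow-exceptions cannot, why the ordered model has to walk every parent up to /, and how a local list plus a regenerated active list lets a parent change propagate down the subtree.

```python
"""Toy model of the two device-cgroup rule designs discussed above.

Added example only: rule syntax ("type,major,minor", '*' wildcard) and
class names are assumptions, not the kernel's interface.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dev:
    kind: str    # 'c' (char) or 'b' (block)
    major: int
    minor: int


def matches(pattern: str, dev: Dev) -> bool:
    """Pattern is 'type,major,minor'; '*' matches anything in that field."""
    kind, major, minor = pattern.split(",")
    return ((kind == "*" or kind == dev.kind)
            and (major == "*" or int(major) == dev.major)
            and (minor == "*" or int(minor) == dev.minor))


class OrderedCgroup:
    """Idea 1: default policy + ordered rules, first match wins (iptables style)."""

    def __init__(self, default, rules, parent=None):
        self.default = default        # "allow" or "deny"
        self.rules = list(rules)      # [(action, pattern), ...], most specific first
        self.parent = parent

    def local_allows(self, dev: Dev) -> bool:
        for action, pattern in self.rules:
            if matches(pattern, dev):
                return action == "allow"
        return self.default == "allow"

    def allows(self, dev: Dev) -> bool:
        # Order makes merging hard, so every ancestor up to / is tested.
        node = self
        while node is not None:
            if not node.local_allows(dev):
                return False
            node = node.parent
        return True


class ExceptionCgroup:
    """Idea 2: default policy + exceptions, kept as a local list plus an
    active (effective) view regenerated whenever an ancestor changes."""

    def __init__(self, default, exceptions, parent=None):
        self.default = default
        self.exceptions = list(exceptions)   # patterns that invert the default
        self.parent = parent
        self.children = []
        if parent is not None:
            parent.children.append(self)
        self.regenerate()

    def local_allows(self, dev: Dev) -> bool:
        hit = any(matches(p, dev) for p in self.exceptions)
        return hit if self.default == "deny" else not hit

    def regenerate(self):
        # Active = local AND parent's active (assumed merge semantics; the
        # real design would materialise this as a policy+exception list).
        parent_active = self.parent.active if self.parent else (lambda d: True)
        local = self.local_allows
        self.active = lambda d, p=parent_active, l=local: p(d) and l(d)
        for child in self.children:       # push the change down the subtree
            child.regenerate()

    def set_local(self, default, exceptions):
        self.default, self.exceptions = default, list(exceptions)
        self.regenerate()


def demo_ordered():
    """[1] case: deny everything, allow c,200,*, but deny c,200,100, split
    across a parent and child so the walk to / is exercised."""
    parent = OrderedCgroup("allow", [("deny", "c,200,100")])
    child = OrderedCgroup("deny", [("allow", "c,200,*")], parent=parent)
    return child.allows(Dev("c", 200, 1)), child.allows(Dev("c", 200, 100))


def demo_exceptions():
    """Default deny only has allow exceptions, so c,200,100 cannot be carved out."""
    cg = ExceptionCgroup("deny", ["c,200,*"])
    return cg.active(Dev("c", 200, 1)), cg.active(Dev("c", 200, 100))


def demo_hierarchy():
    """A parent change regenerates the child's active view."""
    root = ExceptionCgroup("allow", ["b,100,*"])            # allow all but block 100
    child = ExceptionCgroup("deny", ["b,100,*", "c,1,3"], parent=root)
    before = child.active(Dev("b", 100, 0))                 # parent still denies it
    root.set_local("allow", [])                             # parent lifts the deny
    after = child.active(Dev("b", 100, 0))
    return before, after, child.active(Dev("c", 1, 3)), child.active(Dev("c", 1, 5))


if __name__ == "__main__":
    print("ordered:", demo_ordered())        # (True, False)
    print("exceptions:", demo_exceptions())  # (True, True)
    print("hierarchy:", demo_hierarchy())    # (False, True, True, False)
```

`demo_exceptions` returning `(True, True)` is the limitation [1] describes: with the exception model there is no way to say "allow c,200,* except c,200,100", while the ordered model returns `(True, False)` because the more specific deny is matched first.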