[OFFLIST] status of devcg
aris at redhat.com
Wed Jul 10 19:50:02 UTC 2013
On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> Just wondering whether you're working on implementing new hierarchical
> behavior on devcg. If so, can you please share some details on how
> you're planning to do it? Please feel free to add the relevant
> mailing lists when replying.
I did start, but still dealing with lots of company internal tasks so I
couldn't do much.
One of the ideas is to start changing (again) how the rules are processed
internally, moving away from the default policy + exceptions model to
an ordered set of rules like iptables:
allow block major 100-101, all minors
deny char major 200, all minors
That will solve most complex use cases the current model won't, but
the problem with this approach is that since it relies on order, merging
would be a problem, and it'd have to test each parent all the way to / to
make sure the access is possible.
One example of usage the current model won't solve:
- by default deny everything
- allow c,200,*
- but deny c,200,100
The second idea, which is simpler, will reuse the current internal model
of default policy + exceptions and the idea in the initial patches of having
two lists in each cgroup: active policy+exceptions and locally set
policy+exceptions. This way for every change that happens in a parent (or
even change of parents when moving the cgroup around), the active
policy+exceptions will be regenerated.
In both cases, we do need a new userspace interface (although we can
still provide backwards compatibility with the old one).
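The ordered-rules model and the parent-by-parent check described in the message, as an added illustration that is not part of the original mail or of the kernel's devcg code; Rule, Cgroup, local_verdict() and allowed() are hypothetical names, and the sample hierarchy is constructed.

```python
# Toy evaluator for the "ordered set of rules like iptables" devcg model
# sketched in the mail.  Added illustration, not kernel code; all names here
# (Rule, Cgroup, local_verdict, allowed) are hypothetical.
from dataclasses import dataclass, field
from typing import List, Optional

def _in_spec(spec: str, value: int) -> bool:
    """'*' matches any number; '100-101' is an inclusive range; '200' exact."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi or lo)

@dataclass
class Rule:
    action: str    # "allow" or "deny"
    dev_type: str  # "c" (char) or "b" (block)
    major: str     # "200", "100-101" or "*"
    minor: str

    def matches(self, dev_type: str, major: int, minor: int) -> bool:
        return (self.dev_type == dev_type and _in_spec(self.major, major)
                and _in_spec(self.minor, minor))

@dataclass
class Cgroup:
    rules: List[Rule] = field(default_factory=list)
    parent: Optional["Cgroup"] = None

    def local_verdict(self, dev_type: str, major: int, minor: int) -> str:
        """First matching rule wins; a device no rule mentions is denied."""
        for r in self.rules:
            if r.matches(dev_type, major, minor):
                return r.action
        return "deny"

def allowed(cg: Cgroup, dev_type: str, major: int, minor: int) -> bool:
    """Walk from cg up to / and require every level to allow the device:
    ordered lists cannot simply be merged, so each parent is tested."""
    while cg is not None:
        if cg.local_verdict(dev_type, major, minor) != "allow":
            return False
        cg = cg.parent
    return True

# Constructed sample: / permits everything; the child encodes the
# "deny all, allow c,200,*, but deny c,200,100" case, specific deny first.
root = Cgroup([Rule("allow", "c", "*", "*"), Rule("allow", "b", "*", "*")])
child = Cgroup([Rule("deny", "c", "200", "100"),
                Rule("allow", "c", "200", "*")], parent=root)
```

Swapping the two child rules makes c,200,100 allowed again, which is the order dependence the message warns makes merging hard.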