[OFFLIST] status of devcg

Aristeu Rozanski aris at redhat.com
Wed Jul 10 19:50:02 UTC 2013


On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> Just wondering whether you're working on implementing new hierarchical
> behavior on devcg.  If so, can you please share some details on how
> you're planning to do it?  Please feel free to add the relevant
> mailing lists when replying.

I did start, but still dealing with lots of company internal tasks so I
couldn't do much.

One of the ideas is to start changing (again) how the rules are processed
internally, moving away from the default policy + exceptions model to
an ordered set of rules like iptables:

	default: allow/deny
	allow block major 100-101, all minors
	deny char major 200, all minors
	...

That will solve most complex use cases the current model won't [1], but
the problem with this approach is that since it relies on order, merging
would be a problem, and it'd have to test each parent all the way to / to
make sure the access is possible.

[1] One example of usage the current model won't solve:

	- by default deny everything
	- allow c,200,*
	- but deny c,200,100

The second idea, which is simpler, will reuse the current internal model
of default policy + exceptions and the idea in the initial patches of having
two lists in each cgroup: active policy+exceptions and locally set
policy+exceptions. This way for every change that happens in a parent (or
even change of parents when moving the cgroup around), the active
policy+exceptions will be regenerated.

In both cases, we do need a new userspace interface (although we can
still provide backwards compatibility with the old one).

Comments?

-- 
Aristeu
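As an added example (not code from this mail, nor from the devcg implementation itself), here is a small userspace C model of the two schemes being compared: the ordered, iptables-style rule list of the first idea and the default policy + exceptions list of the current model. It encodes the footnote [1] case in both, shows why the exceptions model cannot express it, shows what happens when the ordered list is written in the wrong order, and walks the ordered check up a parent chain the way the mail says would be required. All names, structures and the rule sets are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical userspace model of the two devcg rule-processing schemes.
 * Not devcg code; every name here is made up for the example. */

enum dev_type   { DEV_CHAR, DEV_BLOCK };
enum dev_action { DEV_DENY, DEV_ALLOW };

#define MINOR_ANY (-1)   /* "all minors" */

struct dev_req { enum dev_type type; int major; int minor; };

/* One rule. Major is a range so "block major 100-101, all minors" fits.
 * In the exceptions model the action field is ignored: an exception
 * always inverts the default policy. */
struct dev_rule {
    enum dev_type   type;
    int             major_lo, major_hi;
    int             minor;          /* MINOR_ANY or one specific minor */
    enum dev_action action;
};

static bool rule_matches(const struct dev_rule *r, const struct dev_req *q)
{
    return r->type == q->type &&
           q->major >= r->major_lo && q->major <= r->major_hi &&
           (r->minor == MINOR_ANY || r->minor == q->minor);
}

/* Model 1 (proposed): ordered rules, iptables-style. The first matching
 * rule decides; if nothing matches, the default policy applies. */
struct ordered_policy {
    enum dev_action        def;
    const struct dev_rule *rules;
    size_t                 nrules;
};

static bool ordered_allowed(const struct ordered_policy *p,
                            const struct dev_req *q)
{
    for (size_t i = 0; i < p->nrules; i++)
        if (rule_matches(&p->rules[i], q))
            return p->rules[i].action == DEV_ALLOW;
    return p->def == DEV_ALLOW;
}

/* Model 2 (current): default policy + exceptions. An exception can only
 * invert the default, so order is irrelevant and no later exception can
 * take back what an earlier one granted. */
struct exception_policy {
    enum dev_action        def;
    const struct dev_rule *exceptions;
    size_t                 nexceptions;
};

static bool exception_allowed(const struct exception_policy *p,
                              const struct dev_req *q)
{
    for (size_t i = 0; i < p->nexceptions; i++)
        if (rule_matches(&p->exceptions[i], q))
            return p->def == DEV_DENY;      /* exception inverts default */
    return p->def == DEV_ALLOW;
}

/* Hierarchy under model 1: the lists cannot be pre-merged because each one
 * is only meaningful in order, so every ancestor from the cgroup up to /
 * is consulted and a child cannot grant what a parent denies. */
static bool ordered_hier_allowed(const struct ordered_policy *const *chain,
                                 size_t depth, const struct dev_req *q)
{
    for (size_t i = 0; i < depth; i++)
        if (!ordered_allowed(chain[i], q))
            return false;
    return true;
}

/* Footnote [1]: deny everything, allow c,200,*, but deny c,200,100.
 * The specific deny must precede the wildcard allow or it is shadowed. */
static const struct dev_rule fn1_rules[] = {
    { DEV_CHAR, 200, 200, 100,       DEV_DENY  },
    { DEV_CHAR, 200, 200, MINOR_ANY, DEV_ALLOW },
};
static const struct ordered_policy fn1_ordered = { DEV_DENY, fn1_rules, 2 };

/* Same two rules in the wrong order: c,200,100 is now allowed. */
static const struct dev_rule fn1_shadowed[] = {
    { DEV_CHAR, 200, 200, MINOR_ANY, DEV_ALLOW },
    { DEV_CHAR, 200, 200, 100,       DEV_DENY  },
};
static const struct ordered_policy fn1_wrong_order = { DEV_DENY, fn1_shadowed, 2 };

/* Closest the exceptions model gets: default deny + allow c,200,*.
 * There is no way to add "but deny c,200,100" as a further exception. */
static const struct dev_rule fn1_exceptions[] = {
    { DEV_CHAR, 200, 200, MINOR_ANY, DEV_ALLOW },
};
static const struct exception_policy fn1_exc = { DEV_DENY, fn1_exceptions, 1 };

/* A parent that denies all of char major 200, with fn1_ordered as child. */
static const struct dev_rule parent_rules[] = {
    { DEV_CHAR, 200, 200, MINOR_ANY, DEV_DENY },
};
static const struct ordered_policy parent = { DEV_ALLOW, parent_rules, 1 };
static const struct ordered_policy *const chain[] = { &parent, &fn1_ordered };

int main(void)
{
    const struct dev_req c200_5   = { DEV_CHAR, 200, 5 };
    const struct dev_req c200_100 = { DEV_CHAR, 200, 100 };

    printf("ordered    c 200:5   -> %d\n", ordered_allowed(&fn1_ordered, &c200_5));
    printf("ordered    c 200:100 -> %d\n", ordered_allowed(&fn1_ordered, &c200_100));
    printf("shadowed   c 200:100 -> %d\n", ordered_allowed(&fn1_wrong_order, &c200_100));
    printf("exceptions c 200:100 -> %d\n", exception_allowed(&fn1_exc, &c200_100));
    printf("hierarchy  c 200:5   -> %d\n", ordered_hier_allowed(chain, 2, &c200_5));
    return 0;
}
```

The ordered model answers the footnote case correctly only when the specific deny is listed first; swapping the two lines silently grants c,200,100, which is the ordering fragility the mail points out. The exceptions model has no rule form that can produce a deny for c,200,100 once c,200,* is allowed. The parent chain walk shows the cost of the ordered scheme: the child's own list says allow for c,200,5, but the full check still returns deny because the parent's list is consulted on every access.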