[OFFLIST] status of devcg

Daniel P. Berrange berrange at redhat.com
Thu Jul 11 09:34:05 UTC 2013

On Wed, Jul 10, 2013 at 03:50:02PM -0400, Aristeu Rozanski wrote:
> On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> > Just wondering whether you're working on implementing new hierarchical
> > behavior on devcg.  If so, can you please share some details on how
> > you're planning to do it?  Please feel free to add the relevant
> > mailing lists when replying.
> I did start, but still dealing with lots of company internal tasks so I
> couldn't do much.
> One of the ideas is to start changing (again) how the rules are processed
> internally, moving away from the default policy + exceptions model to
> an ordered set of rules like iptables:
> 	default: allow/deny
> 	allow block major 100-101, all minors
> 	deny char major 200, all minors
> 	...
> That will solve most complex use cases the current model won't [1] but
> the problem with this approach is that since it relies on order, merging
> would be a problem, and it'd have test each parent all the way to / to
> make sure the access is possible.
> [1] One example of usage the current model won't solve:
> 	- by default deny everything
> 	- allow c,200,*
> 	- but deny c,200,100
> The second idea, which is simpler, will reuse the current internal model
> of default policy + exceptions and the idea in the initial patches of having
> two lists in each cgroup: active policy+exceptions and locally set
> policy+exceptions. This way for every change that happens in a parent (or
> even change of parents when moving the cgroup around), the active
> policy+exceptions will be regenerated.
> In both cases, we do need a new userspace interface (although we can
> still provide backwards compatibility with the old one).
> Comments?

FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
(for all /dev/pts/*), followed by allow (major,minor) pair for each specific
whitelisted devices. As such we don't have anything that relies on ordering
of rules in devcg.

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

More information about the Containers mailing list