[OFFLIST] status of devcg
Daniel P. Berrange
berrange at redhat.com
Thu Jul 11 09:34:05 UTC 2013
On Wed, Jul 10, 2013 at 03:50:02PM -0400, Aristeu Rozanski wrote:
> On Wed, Jul 10, 2013 at 11:46:55AM -0700, Tejun Heo wrote:
> > Just wondering whether you're working on implementing new hierarchical
> > behavior on devcg. If so, can you please share some details on how
> > you're planning to do it? Please feel free to add the relevant
> > mailing lists when replying.
>
> I did start, but still dealing with lots of company internal tasks so I
> couldn't do much.
>
> One of the ideas is to start changing (again) how the rules are processed
> internally, moving away from the default policy + exceptions model to
> an ordered set of rules like iptables:
>
> default: allow/deny
> allow block major 100-101, all minors
> deny char major 200, all minors
> ...
>
> That will solve most complex use cases the current model won't [1] but
> the problem with this approach is that since it relies on order, merging
> would be a problem, and it'd have to test each parent all the way to / to
> make sure the access is possible.
>
> [1] One example of usage the current model won't solve:
>
> - by default deny everything
> - allow c,200,*
> - but deny c,200,100
>
> The second idea, which is simpler, will reuse the current internal model
> of default policy + exceptions and the idea in the initial patches of having
> two lists in each cgroup: active policy+exceptions and locally set
> policy+exceptions. This way for every change that happens in a parent (or
> even change of parents when moving the cgroup around), the active
> policy+exceptions will be regenerated.
>
> In both cases, we do need a new userspace interface (although we can
> still provide backwards compatibility with the old one).
>
> Comments?
FWIW, libvirt's usage of devcg is to deny all by default, allow major 136
(for all /dev/pts/*), followed by allow (major,minor) pair for each specific
whitelisted device. As such we don't have anything that relies on ordering
of rules in devcg.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
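To make the difference between the two schemes concrete, here is an added simulation (not code from the thread, libvirt or the kernel) of the ordered-rule model and the current default+exceptions model, applied to the footnote [1] case; it assumes iptables-style first-match-wins for the ordered list, and the device numbers are constructed samples.

```c
/* Added illustration (not from the thread): the two devcg rule schemes
 * discussed above, applied to footnote [1]. Device numbers are samples. */
#include <stdbool.h>
#include <stddef.h>
#define ANY (-1)              /* wildcard, like '*' in a devcg entry */
struct rule {
    bool allow;               /* true = allow, false = deny */
    char type;                /* 'b' block or 'c' char */
    int major_lo, major_hi;   /* inclusive major range; ANY = all majors */
    int minor;                /* exact minor or ANY */
};
static bool rule_matches(const struct rule *r, char type, int major, int minor)
{
    if (r->type != type)
        return false;
    if (r->major_lo != ANY && (major < r->major_lo || major > r->major_hi))
        return false;
    return r->minor == ANY || r->minor == minor;
}

/* Ordered model (iptables-like, first match wins, default if none matches).
 * Order is significant: the narrow deny must precede the broad allow. */
bool ordered_allowed(bool dflt, const struct rule *rules, size_t n, char type, int major, int minor)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], type, major, minor))
            return rules[i].allow;
    return dflt;
}

/* Current model: a default policy plus exceptions that all carry the opposite
 * sense, so any matching exception flips the decision and order is irrelevant. */
bool exceptions_allowed(bool dflt, const struct rule *excs, size_t n, char type, int major, int minor)
{
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&excs[i], type, major, minor))
            return !dflt;
    return dflt;
}

/* Footnote [1]: deny all, allow c,200,*, but deny c,200,100. */
static const struct rule fn1_ordered_rules[] = {
    { false, 'c', 200, 200, 100 },   /* deny c,200,100, listed first */
    { true,  'c', 200, 200, ANY },   /* allow c,200,* */
};
/* With default deny, exceptions can only be allows: the deny cannot be expressed. */
static const struct rule fn1_exceptions[] = { { true, 'c', 200, 200, ANY } };
bool fn1_ordered(int minor)          { return ordered_allowed(false, fn1_ordered_rules, 2, 'c', 200, minor); }
bool fn1_exceptions_model(int minor) { return exceptions_allowed(false, fn1_exceptions, 1, 'c', 200, minor); }
```

The ordered list denies minor 100 while allowing the rest of major 200; the exceptions model, lacking any way to carve a deny out of an allow, lets minor 100 through.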