LinuxLists.cc - Q: using cgroups in real life

2012-11-14 14:00:48

Subject: Q: using cgroups in real life

Hi!

I have a question on cgroups (as of Linux 3.0):
The concept is to mount a filesystem, and configure cgroups through it. This implies that all the files belong to root (or maybe some other fixed user).

AFAIK, you can chmod() and chown() files, but these bits are only kept in the i-node cache, so they may change at any time.

I think this is bad, because if you want to allow users to limit (maybe memory usage) by using some predefined cgroup, the user needs at least partial write access to that cgroup (to add the PID). Probably this also means the user could add any PID (even those processes not owned by him).

The alternative is that a privileged task manages cgroups and PIDs. This is difficult, for example, if the process to control does not exist yet (e.g. the user logs in and then starts some process). It's getting tricky if the user maybe runs some big fat database (which should work at peak performance), and later logs in to do a backup of the database (which is not time critical, and should not steal all the I/O bandwidth). I wonder how a solution would look like to allow the user to limit the bandwidth (maybe use of page cache, too) of the backup in an reliable way.

Being paranoid, the user should at most be able to limit his own processes. I cannot envision a proper solution with the current interface.

Would anybody share some good ideas with me?

(I'm not subscribed to the kernel list, so please CC:)

Regards,
Ulrich

2012-11-15 15:30:45

by Michal Hocko

[permalink] [raw]

Subject: Re: Q: using cgroups in real life

On Wed 14-11-12 14:54:30, Ulrich Windl wrote:
> Hi!
>
> I have a question on cgroups (as of Linux 3.0):
> The concept is to mount a filesystem, and configure cgroups through
> it. This implies that all the files belong to root (or maybe some
> other fixed user).

Have a look at libcgroup package - cgconfig in particular.

> AFAIK, you can chmod() and chown() files, but these bits are only kept
> in the i-node cache, so they may change at any time.

Not true they will live with the files

> I think this is bad, because if you want to allow users to limit
> (maybe memory usage) by using some predefined cgroup, the user
> needs at least partial write access to that cgroup (to add the
> PID). Probably this also means the user could add any PID (even those
> processes not owned by him).

man cgconfig.conf

[...]

I would suggest asking this kind of questions at libcgroup
[email protected] mailing list as it is more focused on
the cgroups usage.
--
Michal Hocko
SUSE Labs