Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752039Ab3F1SCN (ORCPT ); Fri, 28 Jun 2013 14:02:13 -0400 Received: from mx1.redhat.com ([209.132.183.28]:13514 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750776Ab3F1SCK (ORCPT ); Fri, 28 Jun 2013 14:02:10 -0400 Date: Fri, 28 Jun 2013 14:01:55 -0400 From: Vivek Goyal To: Michal Hocko Cc: Tejun Heo , Tim Hockin , Mike Galbraith , "linux-kernel@vger.kernel.org" , Containers , Kay Sievers , lpoetter , workman-devel , "dhaval.giani" , Cgroups , bsingharora Subject: Re: [Workman-devel] cgroup: status-quo and userland efforts Message-ID: <20130628180155.GD16483@redhat.com> References: <20130625000118.GT1918@mtj.dyndns.org> <20130626212047.GB4536@htj.dyndns.org> <1372311907.5871.78.camel@marge.simpson.net> <20130627180143.GD5599@mtj.dyndns.org> <1372391198.5989.110.camel@marge.simpson.net> <20130628040930.GC2500@htj.dyndns.org> <1372394950.5989.128.camel@marge.simpson.net> <20130628050138.GD2500@htj.dyndns.org> <20130628150513.GD5125@dhcp22.suse.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20130628150513.GD5125@dhcp22.suse.cz> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 2453 Lines: 54 On Fri, Jun 28, 2013 at 05:05:13PM +0200, Michal Hocko wrote: > On Thu 27-06-13 22:01:38, Tejun Heo wrote: > > Hello, Mike. > > > > On Fri, Jun 28, 2013 at 06:49:10AM +0200, Mike Galbraith wrote: > > > I always thought that was a very cool feature, mkdir+echo, poof done. > > > Now maybe that interface is suboptimal for serious usage, but it makes > > > the things usable via dirt simple scripts, very flexible, nice. > > > > Oh, that in itself is not bad. I mean, if you're root, it's pretty > > easy to play with and that part is fine. But combined with the > > hierarchical nature of cgroup and file permissions, it encourages > > people to "deligate" subdirectories to less previledged domains, > > OK, this really depends on what you expose to non-root users. I have > seen use cases where admin prepares top-level which is root-only but > it allows creating sub-groups which are under _full_ control of the > subdomain. This worked nicely for memcg for example because hard limit, > oom handling and other knobs are hierarchical so the subdomain cannot > overwrite what admin has said. > > > which > > in turn leads to normal binaries to manipulate them directly, which is > > where the horror begins. We end up exposing control knobs which are > > tightly coupled to kernel implementation details right into lay > > binaries and scripts directly used by end users. > > > > I think this is the first time this happened, which is probably why > > nobody really noticed the mess earlier. > > > > Anyways, if you're root, you can keep doing whatever you want. > > OK, so libcgroup's rules daemon will still work and place my tasks in > appropriate cgroups? Do you use that daemon in practice? For user session logins, I think systemd has plans to put user sessions in a cgroup (kind of making pam_cgroup redundant). Other functionality rulesengined was providing moving tasks automatically in a cgroup based on executable name. I think that was racy and not many people had liked it. IIUC, systemd can't disable access to cgroupfs from other utilities. So most likely rulesengined should contine to work. But having both systemd and libcgroup might not make much sense though. Thanks Vivek -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/