From: ebiederm@xmission.com (Eric W. Biederman)
To: Nikolay Borisov
Cc: jack@suse.cz, linux-kernel@vger.kernel.org, serge@hallyn.com, containers@lists.linux-foundation.org
Subject: Re: [PATCH v2] inotify: Convert to using per-namespace limits
Date: Thu, 27 Oct 2016 10:46:27 -0500
Message-ID: <87y419re0c.fsf@xmission.com>

Nikolay Borisov writes:

> On 10/11/2016 10:36 AM, Nikolay Borisov wrote:
>> This patchset converts inotify to using the newly introduced
>> per-userns sysctl infrastructure.
>>
>> Currently the inotify instances/watches are being accounted in the
>> user_struct structure. This means that in setups where multiple
>> users in unprivileged containers map to the same underlying
>> real user (i.e. pointing to the same user_struct) the inotify limits
>> are going to be shared as well, allowing one user (or application) to exhaust
>> all others' limits.
>>
>> Fix this by switching the inotify sysctls to using the
>> per-namespace/per-user limits. This will allow the server admin to
>> set sensible global limits, which can further be tuned inside every
>> individual user namespace. Additionally, in order to preserve the
>> sysctl ABI make the existing inotify instances/watches sysctls
>> modify the values of the initial user namespace.
>>
>> Signed-off-by: Nikolay Borisov
>> ---
>>
>> So here is a revised version which retains the existing sysctls,
>> and hooks them to the init_user_ns values.
>
> Gentle ping, now that rc1 has shipped and Jan's sysctl concern hopefully
> resolved.

I plan to give this a once over and merge this. I have a very funny
pile of serious bug fixes that jumped on me at the beginning of this
development cycle and a cold so I am getting to this more slowly than I
would like.

Eric
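
The sharing described in the quoted patch description can be observed from the host. The following Python script is an added example, not part of the thread or the patch: it counts inotify descriptors per real UID and per user namespace from a /proc-style tree, and reports UIDs whose single per-user budget is drawn on from several user namespaces. The function names and the sample tree are constructed for illustration; on a live host it is assumed to run in the initial user namespace against /proc, so that the UIDs it reads are kernel UIDs.

```python
import os
import re
import tempfile
from collections import defaultdict

def inotify_usage(proc_root="/proc"):
    """Return {uid: {user_ns: inotify fd count}} for every readable process."""
    usage = defaultdict(lambda: defaultdict(int))
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "status")) as f:
                uid = int(re.search(r"^Uid:\s+(\d+)", f.read(), re.M).group(1))
            userns = os.readlink(os.path.join(base, "ns", "user"))
            fd_dir = os.path.join(base, "fd")
            targets = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except (OSError, AttributeError):
            continue  # process exited, an fd closed mid-scan, or access was denied
        # An fd inherited across fork() is counted once per holder: an upper bound.
        count = targets.count("anon_inode:inotify")
        if count:
            usage[uid][userns] += count
    return {uid: dict(ns) for uid, ns in usage.items()}

def shared_budgets(usage):
    """UIDs whose one per-user budget is consumed from more than one user namespace."""
    return {uid: sum(ns.values()) for uid, ns in usage.items() if len(ns) > 1}

def build_sample_proc(root):
    """Constructed sample: two containers (distinct user namespaces) mapped to UID 100000."""
    sample = {  # pid: (uid, user namespace link, fd link targets)
        "101": (100000, "user:[4026532001]", ["anon_inode:inotify"] * 3 + ["/dev/null"]),
        "202": (100000, "user:[4026532002]", ["anon_inode:inotify", "socket:[1234]"]),
        "303": (1000, "user:[4026531837]", ["anon_inode:inotify"]),
    }
    for pid, (uid, userns, fds) in sample.items():
        os.makedirs(os.path.join(root, pid, "ns"))
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "status"), "w") as f:
            f.write(f"Name:\tsample\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        os.symlink(userns, os.path.join(root, pid, "ns", "user"))
        for n, target in enumerate(fds):
            os.symlink(target, os.path.join(root, pid, "fd", str(n)))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        usage = inotify_usage(build_sample_proc(tmp))
        print(usage)
        print("shared:", shared_budgets(usage))
```

On a kernel without per-namespace limits, the totals from `shared_budgets` are what count against the single value in /proc/sys/fs/inotify/max_user_instances.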