[Devel] [PATCH rh7] cgroups: Drop virtualization code, v4

Vladimir Davydov vdavydov at parallels.com
Thu May 7 01:59:54 PDT 2015


On Thu, May 07, 2015 at 11:44:01AM +0300, Cyrill Gorcunov wrote:
> On Thu, May 07, 2015 at 11:32:26AM +0300, Vladimir Davydov wrote:
> > On Thu, May 07, 2015 at 10:51:16AM +0300, Cyrill Gorcunov wrote:
> > > Index: linux-pcs7.git/kernel/cgroup.c
> > > ===================================================================
> > > --- linux-pcs7.git.orig/kernel/cgroup.c
> > > +++ linux-pcs7.git/kernel/cgroup.c
> > [...]
> > > @@ -1668,6 +1617,17 @@ static struct dentry *cgroup_mount(struc
> > >  
> > >  		BUG_ON(sb->s_root != NULL);
> > >  
> > > +#ifdef CONFIG_VE
> > > +		/*
> > > +		 * Don't allow to create new hierarchies in container,
> > > +		 * we don't support them.
> > > +		 */
> > > +		if (!ve_is_super(get_exec_env())) {
> > > +			ret = -EACCES;
> > > +			goto drop_new_super;
> > > +		}
> > > +#endif
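Review bot: the `ve_is_super()` check in this `cgroup_mount()` hunk is placed after `BUG_ON(sb->s_root != NULL)`, i.e. only on the path that sets up a freshly allocated superblock, so mounting an already-existing hierarchy from inside a container is not covered by it; either apply the same check on the existing-hierarchy path too, or say explicitly in the comment that reusing existing hierarchies from a container is intended. Minor: the comment reads better as `Don't allow creating new hierarchies in a container, we don't support them.`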
> > 
> > So we are not allowed to create new cgroup hierarchies from a container,
> > but we still can mount existing ones? If so, I think we should forbid
> > this as well.
> 
> Yes, existing ones are not forbidden. I'm not sure though if we should
> not allow reusing existing hierarchies. Do you have some security scenario
> in mind, or do you mean to make everything as strict as possible until
> the reverse is explicitly needed?

If a container is able to mount the real cgroup root, it can see how many
containers are running on the node and their parameters. That looks like a
sort of security issue to me.

> 
> > Another question that keeps bothering me is about permissions check. The
> > admin of a container should be allowed to create and tune memory cgroups
> > under its bind mounted cgroup root, but he must not be able to modify
> > parameters of the bind mounted root itself, because that would affect
> > the container's configuration. How are we going to prevent this?
> 
> At the moment we don't, but it looks like we need to add some check that
> the cgroup being modified is not a top one when the write happens from
> inside a container, maybe?

I guess so.

Besides, I think we should not bind mount all cgroups inside every
container, because allowing a container to create an arbitrary number of
cgroups can badly affect overall performance. IMO this should be
configured in the container's config file.
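The permission check discussed above (a writer inside a container may tune cgroups below its bind-mounted root, but not the root itself and nothing outside it), modelled as an added user-space example; this is not code from the patch or the kernel, and `cgroup_write_allowed`, `is_proper_descendant`, the `ct101` paths and the convention that a NULL root means the host are all hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the check the thread asks for: paths are assumed
 * absolute and normalised (no trailing slash, no "..", no "//"); "/" is
 * the host root. Nothing here is the kernel's real cgroup code. */

/* Returns true if `path` is a strict descendant of `root`. */
static bool is_proper_descendant(const char *root, const char *path)
{
    size_t rlen = strlen(root);

    if (strcmp(root, "/") == 0)
        return path[0] == '/' && path[1] != '\0';
    /* Must match the whole prefix and continue at a path separator, so
     * that "/x/ct1011" is not mistaken for a child of "/x/ct101". */
    return strncmp(path, root, rlen) == 0 &&
           path[rlen] == '/' && path[rlen + 1] != '\0';
}

/* Decide whether a write coming from a container whose bind-mounted cgroup
 * root is `ve_root` may modify the cgroup at `target`.  A NULL `ve_root`
 * stands for the host (hypothetical convention), which is never limited. */
bool cgroup_write_allowed(const char *ve_root, const char *target)
{
    if (ve_root == NULL)
        return true;
    /* Writing the container's own root would change its configuration. */
    if (strcmp(ve_root, target) == 0)
        return false;
    /* Anything not strictly below the bind-mounted root is out of scope. */
    return is_proper_descendant(ve_root, target);
}

int main(void)
{
    const char *root = "/sys/fs/cgroup/memory/ct101";   /* constructed */
    const char *cases[] = {
        "/sys/fs/cgroup/memory/ct101",      /* the root itself: deny  */
        "/sys/fs/cgroup/memory/ct101/app",  /* child: allow           */
        "/sys/fs/cgroup/memory/ct1011",     /* prefix look-alike: deny */
        "/sys/fs/cgroup/memory",            /* parent on host: deny   */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-36s %s\n", cases[i],
               cgroup_write_allowed(root, cases[i]) ? "allow" : "deny");
    return 0;
}
```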
