[Devel] [PATCH VZ10 4/6] ve: Move from global VE mounts limit to per-VE limit.

Vladimir Riabchun vladimir.riabchun at virtuozzo.com
Tue Jun 30 20:13:30 MSK 2026


This change unifies mount limit handling with other VE limits.
This will simplify refactoring later and allow more precise limits
control from one place.

https://virtuozzo.atlassian.net/browse/VSTOR-135520

Feature: per-ve failcounters
Signed-off-by: Vladimir Riabchun <vladimir.riabchun at virtuozzo.com>
---
 include/linux/ve.h                            |  7 ++++
 kernel/ve/ve.c                                | 34 ++++++++++++++++++-
 kernel/ve/veowner.c                           | 19 -----------
 tools/testing/selftests/ve/ve_ns_owner_test.c |  6 +++-
 4 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/include/linux/ve.h b/include/linux/ve.h
index b2b3d4c12e39..5a5413107eef 100644
--- a/include/linux/ve.h
+++ b/include/linux/ve.h
@@ -87,7 +87,13 @@ struct ve_struct {
 	atomic_t		nd_neigh_nr;
 	unsigned long		meminfo_val;
 
+	/*
+	 * Operations with a big amount of mount points can require a lot of time.
+	 * These operations take the global lock namespace_sem, so they can affect
+	 * other containers.
+	 */
 	atomic_t		mnt_avail_nr; /* number of present VE mounts */
+	int			mnt_max_nr;
 
 #ifdef CONFIG_COREDUMP
 	char			core_pattern[CORENAME_MAX_SIZE];
@@ -134,6 +140,7 @@ extern int nr_ve;
 #define NETNS_MAX_NR_DEFAULT	256	/* number of net-namespaces per-VE */
 #define NETIF_MAX_NR_DEFAULT	256	/* number of net-interfaces per-VE */
 #define BPF_PROG_MAX_NR_DEFAULT	256	/* number of loaded BPF progs per-VE */
+#define MNT_MAX_NR_DEFAULT	4096	/* number of mounts per-VE */
 
 extern unsigned int sysctl_ve_mount_nr;
 
diff --git a/kernel/ve/ve.c b/kernel/ve/ve.c
index 0fb5a2c1f63a..e92bc25c8933 100644
--- a/kernel/ve/ve.c
+++ b/kernel/ve/ve.c
@@ -79,6 +79,7 @@ struct ve_struct ve0 = {
 	.arp_neigh_nr		= ATOMIC_INIT(0),
 	.nd_neigh_nr		= ATOMIC_INIT(0),
 	.mnt_avail_nr		= ATOMIC_INIT(INT_MAX),
+	.mnt_max_nr		= INT_MAX,
 	.meminfo_val		= VE_MEMINFO_SYSTEM,
 	.umh_running_helpers	= ATOMIC_INIT(0),
 	.umh_helpers_waitq	= __WAIT_QUEUE_HEAD_INITIALIZER(ve0.umh_helpers_waitq),
@@ -774,7 +775,8 @@ static struct cgroup_subsys_state *ve_create(struct cgroup_subsys_state *parent_
 
 	atomic_set(&ve->arp_neigh_nr, 0);
 	atomic_set(&ve->nd_neigh_nr, 0);
-	atomic_set(&ve->mnt_avail_nr, sysctl_ve_mount_nr);
+	ve->mnt_max_nr = MNT_MAX_NR_DEFAULT;
+	atomic_set(&ve->mnt_avail_nr, MNT_MAX_NR_DEFAULT);
 
 #ifdef CONFIG_COREDUMP
 	strcpy(ve->core_pattern, "core");
@@ -1053,6 +1055,30 @@ static s64 ve_mnt_avail_nr_read(struct cgroup_subsys_state *css, struct cftype *
 	return atomic_read(&css_to_ve(css)->mnt_avail_nr);
 }
 
+static u64 ve_mnt_max_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
+{
+	return css_to_ve(css)->mnt_max_nr;
+}
+
+static int ve_mnt_max_nr_write(struct cgroup_subsys_state *css, struct cftype *cft, u64 val)
+{
+	struct ve_struct *ve = css_to_ve(css);
+	int delta;
+
+	if (!ve_is_super(get_exec_env()))
+		return -EPERM;
+
+	if (val > INT_MAX)
+		return -EOVERFLOW;
+
+	down_write(&ve->op_sem);
+	delta = val - ve->mnt_max_nr;
+	ve->mnt_max_nr = val;
+	atomic_add(delta, &ve->mnt_avail_nr);
+	up_write(&ve->op_sem);
+	return 0;
+}
+
 static u64 ve_netif_max_nr_read(struct cgroup_subsys_state *css, struct cftype *cft)
 {
 	return css_to_ve(css)->netif_max_nr;
@@ -1613,6 +1639,12 @@ static struct cftype ve_cftypes[] = {
 		.name			= "mnt_avail_nr",
 		.read_s64		= ve_mnt_avail_nr_read,
 	},
+	{
+		.name			= "mnt_max_nr",
+		.flags			= CFTYPE_NOT_ON_ROOT,
+		.read_u64		= ve_mnt_max_nr_read,
+		.write_u64		= ve_mnt_max_nr_write,
+	},
 	{
 		.name			= "netif_max_nr",
 		.flags			= CFTYPE_NOT_ON_ROOT,
diff --git a/kernel/ve/veowner.c b/kernel/ve/veowner.c
index 1e631baf0de9..c77735f8c035 100644
--- a/kernel/ve/veowner.c
+++ b/kernel/ve/veowner.c
@@ -48,26 +48,7 @@ static void prepare_proc(void)
  * ------------------------------------------------------------------------
  */
 
-/*
- * Operations with a big amount of mount points can require a lot of time.
- * These operations take the global lock namespace_sem, so they can affect
- * other containers. Let us allow no more than sysctl_ve_mount_nr mount
- * points for a VE.
- */
-unsigned int sysctl_ve_mount_nr = 4096;
-static int ve_mount_nr_min = 0;
-static int ve_mount_nr_max = INT_MAX;
-
 static struct ctl_table vz_fs_table[] = {
-	{
-		.procname	= "ve-mount-nr",
-		.data		= &sysctl_ve_mount_nr,
-		.maxlen		= sizeof(sysctl_ve_mount_nr),
-		.mode		= 0644,
-		.proc_handler	= proc_dointvec_minmax,
-		.extra1		= &ve_mount_nr_min,
-		.extra2		= &ve_mount_nr_max,
-	},
 	{
 		.procname	= "fsync-enable",
 		.data		= &ve0.fsync_enable,
diff --git a/tools/testing/selftests/ve/ve_ns_owner_test.c b/tools/testing/selftests/ve/ve_ns_owner_test.c
index 3b5979fa63f6..3b62f87babbf 100644
--- a/tools/testing/selftests/ve/ve_ns_owner_test.c
+++ b/tools/testing/selftests/ve/ve_ns_owner_test.c
@@ -56,7 +56,7 @@
  * any spurious accounting against the parent ve would overflow it.
  */
 #define VE_NETNS_MAX		3
-#define VE_MOUNTS_MAX		4096
+#define VE_MOUNTS_MAX		32
 
 static int write_file_at(int dirfd, const char *path, const char *val)
 {
@@ -267,6 +267,10 @@ FIXTURE_SETUP(ve_ns_owner)
 	snprintf(val, sizeof(val), "%d", VE_NETNS_MAX);
 	ASSERT_EQ(write_file_at(self->cgv2_fd, path, val), 0);
 
+	snprintf(path, sizeof(path), "%d/ve.mnt_max_nr", self->ctid);
+	snprintf(val, sizeof(val), "%d", VE_MOUNTS_MAX);
+	ASSERT_EQ(write_file_at(self->cgv2_fd, path, val), 0);
+
 	/*
 	 * The new ve cgroup has not been entered by anything yet, so its
 	 * mnt_avail_nr counter be VE_MOUNTS_MAX. Each test below verifies that
-- 
2.47.1



More information about the Devel mailing list