Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants

[PATCH v1 0/3] cgroup: allow for unprivileged management · Aleksa Sarai <hidden> · 2016-07-18
[PATCH v1 1/3] kernfs: add support for custom per-sb permission hooks · Aleksa Sarai <hidden> · 2016-07-18
[PATCH v1 2/3] cgroup: allow for unprivileged subtree management · Aleksa Sarai <hidden> · 2016-07-18
Re: [PATCH v1 2/3] cgroup: allow for unprivileged subtree management · Tejun Heo <tj@kernel.org> · 2016-07-20
Re: [PATCH v1 2/3] cgroup: allow for unprivileged subtree management · Aleksa Sarai <hidden> · 2016-07-20
[PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-18
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-20
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-20
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-20
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-20
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-20
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · "Serge E. Hallyn" <serge@hallyn.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · "Serge E. Hallyn" <serge@hallyn.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · James Bottomley <James.Bottomley@HansenPartnership.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · James Bottomley <James.Bottomley@HansenPartnership.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · James Bottomley <James.Bottomley@HansenPartnership.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · James Bottomley <James.Bottomley@HansenPartnership.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · James Bottomley <James.Bottomley@HansenPartnership.com> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-21
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-22
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-25
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · "Serge E. Hallyn" <serge@hallyn.com> · 2016-07-25
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Aleksa Sarai <hidden> · 2016-07-22
Re: [PATCH v1 3/3] cgroup: relax common ancestor restriction for direct descendants · Tejun Heo <tj@kernel.org> · 2016-07-25

From: Aleksa Sarai <hidden>
Date: 2016-07-21 15:02:00
Also in: lkml

quoted

I have heard

 * it would give power to move other tasks to more rigid constraints.
    To which the answer is only to allow movememnt of tasks in the
   current cgroupns
 * It violates the permissions delegation model.  This one doesn't
   really make too much sense to me: in the same way the userns is root
   in its own domain, cgroups ns is effective root for the restricted
   cgroups (and only for processes within its ns).

Perhaps the question should be asked the other way around:  if we were
explicitly delegating permission to every user in the system to set up
their own sub cgroups, how would you advise it be done?

Coordinate in userspace.  Request whatever is managing the cgroup
hierarchy to set up delegation.  It's not like permission model is
fully contained in kernel on modern systems anyway.

My experience with certain systemdaemons' cgroup handling doesn't 
inspire confidence :/ (from the runC side, we've had nothing but 
issues). Also, how do you even boot into a cgroupv2 system with systemd 
(I started backporting patches to openSUSE, but it's still not booting)?

-- 
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help