Date: Fri, 31 Dec 2010 20:02:37 GMT From: Edward Tomasz Napierala <trasz@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 187358 for review Message-ID: <201012312002.oBVK2b7P023988@skunkworks.freebsd.org>
next in thread | raw e-mail | index | archive | help
http://p4web.freebsd.org/@@187358?ac=10 Change 187358 by trasz@trasz_victim on 2010/12/31 20:01:46 Fixes for hierarchical jails. Affected files ... .. //depot/projects/soc2009/trasz_limits/TODO#38 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_container.c#47 edit .. //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#103 edit Differences ... ==== //depot/projects/soc2009/trasz_limits/TODO#38 (text+ko) ==== @@ -27,10 +27,6 @@ - Fix %CPU limits for shortly living processes. - - Make sure we enforce limits whenever it's needed. - - - Add support for hierarchical jails. - - Get rid of container_lock. Atomic instructions would be nice, but we really need 64 bits (per-process counters could be 32 bit, I guess, but the higher level containers could overflow), and atomic(9) doesn't support 64 bit values @@ -45,6 +41,10 @@ Issues: + - We enforce limits when a process allocates a resource, and when it forks. + We don't enforce limits when process changes its credentials, though. This + might be either a bug or feature, depending on point of view. + - In the long term, the goal is to get rid of lim_get(9), chgproccnt(9) etc, turning this: ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_container.c#47 (text+ko) ==== @@ -307,6 +307,7 @@ void rusage_add_cred(struct ucred *cred, int resource, uint64_t amount) { + struct prison *pr; SDT_PROBE(container, kernel, rusage, add_cred, cred, resource, amount, 0, 0); @@ -315,7 +316,8 @@ mtx_lock(&container_lock); container_alloc_resource(&cred->cr_ruidinfo->ui_container, resource, amount); - container_alloc_resource(&cred->cr_prison->pr_container, resource, amount); + for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) + container_alloc_resource(&pr->pr_container, resource, amount); container_alloc_resource(&cred->cr_loginclass->lc_container, resource, amount); mtx_unlock(&container_lock); } @@ -476,6 +478,7 @@ void rusage_sub_cred(struct ucred *cred, int resource, uint64_t amount) { + struct prison *pr; SDT_PROBE(container, kernel, rusage, sub_cred, cred, resource, amount, 0, 0); @@ -488,7 +491,8 @@ mtx_lock(&container_lock); container_alloc_resource(&cred->cr_ruidinfo->ui_container, resource, -amount); - container_alloc_resource(&cred->cr_prison->pr_container, resource, -amount); + for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) + container_alloc_resource(&pr->pr_container, resource, -amount); container_alloc_resource(&cred->cr_loginclass->lc_container, resource, -amount); mtx_unlock(&container_lock); } @@ -590,7 +594,7 @@ { struct uidinfo *olduip, *newuip; struct loginclass *oldlc, *newlc; - struct prison *oldpr, *newpr; + struct prison *oldpr, *newpr, *pr; PROC_LOCK_ASSERT(p, MA_OWNED); @@ -611,8 +615,10 @@ container_add(&newlc->lc_container, &p->p_container); } if (newpr != oldpr) { - container_sub(&oldpr->pr_container, &p->p_container); - container_add(&newpr->pr_container, &p->p_container); + for (pr = oldpr; pr != NULL; pr = pr->pr_parent) + container_sub(&pr->pr_container, &p->p_container); + for (pr = newpr; pr != NULL; pr = pr->pr_parent) + container_add(&pr->pr_container, &p->p_container); } mtx_unlock(&container_lock); ==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#103 (text+ko) ==== @@ -834,6 +834,7 @@ struct uidinfo *uip; struct prison *pr; struct loginclass *lc; + int match; KASSERT(hrl_rule_fully_specified(rule), ("rule not fully specified")); @@ -899,9 +900,15 @@ break; continue; case HRL_SUBJECT_TYPE_JAIL: - for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) - if (pr->pr_id == rule->hr_subject.hs_prison->pr_id) + match = 0; + for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) { + if (pr == rule->hr_subject.hs_prison) { + match = 1; break; + } + } + if (match) + break; continue; default: panic("hrl_rule_add: unknown subject type %d",
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201012312002.oBVK2b7P023988>