PERFORCE change 187358 for review
Edward Tomasz Napierala
trasz at FreeBSD.org
Fri Dec 31 20:02:37 UTC 2010
http://p4web.freebsd.org/@@187358?ac=10
Change 187358 by trasz at trasz_victim on 2010/12/31 20:01:46
Fixes for hierarchical jails.
Affected files ...
.. //depot/projects/soc2009/trasz_limits/TODO#38 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_container.c#47 edit
.. //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#103 edit
Differences ...
==== //depot/projects/soc2009/trasz_limits/TODO#38 (text+ko) ====
@@ -27,10 +27,6 @@
- Fix %CPU limits for shortly living processes.
- - Make sure we enforce limits whenever it's needed.
-
- - Add support for hierarchical jails.
-
- Get rid of container_lock. Atomic instructions would be nice, but we really
need 64 bits (per-process counters could be 32 bit, I guess, but the higher
level containers could overflow), and atomic(9) doesn't support 64 bit values
@@ -45,6 +41,10 @@
Issues:
+ - We enforce limits when a process allocates a resource, and when it forks.
+ We don't enforce limits when process changes its credentials, though. This
+ might be either a bug or feature, depending on point of view.
+
- In the long term, the goal is to get rid of lim_get(9), chgproccnt(9) etc,
turning this:
==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_container.c#47 (text+ko) ====
@@ -307,6 +307,7 @@
void
rusage_add_cred(struct ucred *cred, int resource, uint64_t amount)
{
+ struct prison *pr;
SDT_PROBE(container, kernel, rusage, add_cred, cred, resource, amount, 0, 0);
@@ -315,7 +316,8 @@
mtx_lock(&container_lock);
container_alloc_resource(&cred->cr_ruidinfo->ui_container, resource, amount);
- container_alloc_resource(&cred->cr_prison->pr_container, resource, amount);
+ for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent)
+ container_alloc_resource(&pr->pr_container, resource, amount);
container_alloc_resource(&cred->cr_loginclass->lc_container, resource, amount);
mtx_unlock(&container_lock);
}
@@ -476,6 +478,7 @@
void
rusage_sub_cred(struct ucred *cred, int resource, uint64_t amount)
{
+ struct prison *pr;
SDT_PROBE(container, kernel, rusage, sub_cred, cred, resource, amount, 0, 0);
@@ -488,7 +491,8 @@
mtx_lock(&container_lock);
container_alloc_resource(&cred->cr_ruidinfo->ui_container, resource, -amount);
- container_alloc_resource(&cred->cr_prison->pr_container, resource, -amount);
+ for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent)
+ container_alloc_resource(&pr->pr_container, resource, -amount);
container_alloc_resource(&cred->cr_loginclass->lc_container, resource, -amount);
mtx_unlock(&container_lock);
}
@@ -590,7 +594,7 @@
{
struct uidinfo *olduip, *newuip;
struct loginclass *oldlc, *newlc;
- struct prison *oldpr, *newpr;
+ struct prison *oldpr, *newpr, *pr;
PROC_LOCK_ASSERT(p, MA_OWNED);
@@ -611,8 +615,10 @@
container_add(&newlc->lc_container, &p->p_container);
}
if (newpr != oldpr) {
- container_sub(&oldpr->pr_container, &p->p_container);
- container_add(&newpr->pr_container, &p->p_container);
+ for (pr = oldpr; pr != NULL; pr = pr->pr_parent)
+ container_sub(&pr->pr_container, &p->p_container);
+ for (pr = newpr; pr != NULL; pr = pr->pr_parent)
+ container_add(&pr->pr_container, &p->p_container);
}
mtx_unlock(&container_lock);
==== //depot/projects/soc2009/trasz_limits/sys/kern/kern_hrl.c#103 (text+ko) ====
@@ -834,6 +834,7 @@
struct uidinfo *uip;
struct prison *pr;
struct loginclass *lc;
+ int match;
KASSERT(hrl_rule_fully_specified(rule), ("rule not fully specified"));
@@ -899,9 +900,15 @@
break;
continue;
case HRL_SUBJECT_TYPE_JAIL:
- for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent)
- if (pr->pr_id == rule->hr_subject.hs_prison->pr_id)
+ match = 0;
+ for (pr = cred->cr_prison; pr != NULL; pr = pr->pr_parent) {
+ if (pr == rule->hr_subject.hs_prison) {
+ match = 1;
break;
+ }
+ }
+ if (match)
+ break;
continue;
default:
panic("hrl_rule_add: unknown subject type %d",
More information about the p4-projects
mailing list