Date: Tue, 17 Nov 2020 12:40:24 -0600
From: Kyle Evans <kevans@freebsd.org>
To: freebsd-jail <freebsd-jail@freebsd.org>
Subject: cpuset/jail creation
Message-ID: <CACNAnaFC4fhYTC7T3zWzEsHO=M-7Ny9KNxh47-Jdi_4yha%2BzZg@mail.gmail.com>

Hello!

I've done some work to try and make qemu-user-static honor cpuset and advertise a fake hw.ncpu to emulated processes based on the number of cpus actually available to it. In doing so, I discovered that created jails inherit the parent jail's cpuset mask, rather than the creating process. This is OK for persistent jails, as one can create the jail, cpuset(1), then jexec whatever tasks they want to do; but jails that would otherwise not be persistent have to either deal with racy cpuset(1) after creation or settle for instead creating a persistent jail because they need a specific cpuset.

I've got this patch that I'd like to propose[0], but it's unclear if it's really OK to do or if anyone else cares about this. I can't see any theoretical problem with it off-hand, as the creating thread should be guaranteed to have a cpuset that's valid as a child of the parent prison's cpuset.

The patch creates a new poorly-named cpuset_create_root_td KPI to inherit the cpuset from the creating thread, and leaves the previous KPI intact in case something else is using it or to leave the door open to adding an option to go either way with this (inherit from parent jail vs. inherit from thread).

From a MAC perspective, I think it makes a lot of sense to inherit from the thread by default. e.g. a non-root user could be granted PRIV_JAIL_SET, then they're freely able to create jails using the parent jail's root cpuset even if they've been limited themselves via login.conf(5) restriction.

For most existing use-cases, it should effectively be a nop unless they were cpuset(1)ing a process not expecting the created jail to inherit that.

Thoughts?

Thanks,

Kyle Evans

[0] https://people.freebsd.org/~kevans/jail-cpuset.diff