Re: [PATCH v4 00/16] memcg accounting from OpenVZ

From: Shakeel Butt
Date: Thu Jul 15 2021 - 13:11:27 EST


On Tue, Apr 27, 2021 at 11:51 PM Vasily Averin <vvs@xxxxxxxxxxxxx> wrote:
>
> OpenVZ has used memory accounting for 20+ years, since the v2.2.x Linux kernels.
> Initially we used our own accounting subsystem, then partially committed
> it to upstream, and a few years ago switched to cgroups v1.
> Now we're rebasing again, revising our old patches and trying to push
> them upstream.
>
> We try to protect the host system from any misuse of kernel memory
> allocation triggered by untrusted users inside the containers.
>
> Patch-set is addressed mostly to cgroups maintainers and cgroups@ mailing
> list, though I would be very grateful for any comments from maintainers
> of affected subsystems or other people added in cc:
>
> Compared to the upstream, we additionally account the following kernel objects:
> - network devices and their Tx/Rx queues
> - ipv4/v6 addresses and routing-related objects
> - inet_bind_bucket cache objects
> - VLAN group arrays
> - ipv6/sit: ip_tunnel_prl
> - scm_fp_list objects used by SCM_RIGHTS messages of Unix sockets
> - nsproxy and namespace objects themselves
> - IPC objects: semaphores, message queues and shared memory segments
> - mounts
> - pollfd and select bits arrays
> - signals and posix timers
> - file lock
> - fasync_struct used by the file lease code and driver's fasync queues
> - tty objects
> - per-mm LDT
>
> We have incorrect/incomplete/obsolete accounting for a few other kernel
> objects: sk_filter, af_packets, netlink and xt_counters for iptables.
> They require rework and probably will be dropped altogether.
>
> Also we're going to add an accounting for nft, however it is not ready yet.
>
> We have not tested performance on upstream, however, our performance team
> compares our current RHEL7-based production kernel and reports that
> they are at least not worse than the corresponding original RHEL7 kernel.
>

Hi Vasily,

What's the status of this series? I see a couple patches did get
acked/reviewed. Can you please re-send the series with updated ack
tags?

thanks,
Shakeel