linux-mm.kvack.org archive mirror
From: Michal Hocko <mhocko@suse.com>
To: "Michal Koutný" <mkoutny@suse.com>,
	"Roman Gushchin" <roman.gushchin@linux.dev>
Cc: Vasily Averin <vvs@openvz.org>,
	Andrew Morton <akpm@linux-foundation.org>,
	kernel@openvz.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, Shakeel Butt <shakeelb@google.com>,
	Vlastimil Babka <vbabka@suse.cz>,
	Muchun Song <songmuchun@bytedance.com>,
	cgroups@vger.kernel.org
Subject: Re: [PATCH mm v3 0/9] memcg: accounting for objects allocated by mkdir cgroup
Date: Wed, 1 Jun 2022 15:05:34 +0200
Message-ID: <YpdkHrbT/xkdx+Qb@dhcp22.suse.cz>
In-Reply-To: <YpcyKdZkdkwUOzuy@dhcp22.suse.cz>

On Wed 01-06-22 11:32:26, Michal Hocko wrote:
> On Wed 01-06-22 11:15:43, Michal Koutny wrote:
> > On Wed, Jun 01, 2022 at 06:43:27AM +0300, Vasily Averin <vvs@openvz.org> wrote:
> > > CT-901 /# cat /sys/fs/cgroup/memory/cgroup.subgroups_limit 
> > > 512
> > > CT-901 /# echo 3333 > /sys/fs/cgroup/memory/cgroup.subgroups_limit 
> > > -bash: echo: write error: Operation not permitted
> > > CT-901 /# echo 333 > /sys/fs/cgroup/memory/cgroup.subgroups_limit 
> > > -bash: echo: write error: Operation not permitted
> > > 
> > > I doubt this way can be accepted in upstream, however for OpenVz
> > > something like this is mandatory because it is much better
> > > than nothing.
> > 
> > Is this customization of yours something like cgroup.max.descendants on
> > the unified (v2) hierarchy? (Just curious.)
> > 
> > (It can be made inaccessible from within the subtree either with cgroup
> > ns or good old FS permissions.)
> 
> So we already do have a limit to prevent somebody from running away with
> the number of cgroups. Nice! I was not aware of that and I guess this
> looks like the right thing to do. So do we need more control and
> accounting than this?

I have checked the actual implementation and noticed that cgroups are
uncharged when offlined (rmdir-ed) which means that an adversary could
still trick the limit and run away while still consuming resources.

Roman, I guess the reason for this implementation was to avoid the limit
triggering on setups with memcgs which can take quite some time to die?
Would it make sense to make the implementation more strict to really act
as a gate against potential cgroup count runaways?
-- 
Michal Hocko
SUSE Labs
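
The gap raised in the message above, as an added example that is not part of the original thread: on cgroup v2, `cgroup.stat` reports `nr_descendants` and `nr_dying_descendants` separately, so a monitor can flag a subtree whose live plus dying count exceeds `cgroup.max.descendants` even though the limit itself has not been hit. The function names, verdict strings and sample numbers are constructed for illustration, and the directory is assumed to be a non-root cgroup v2 directory.

```shell
#!/bin/sh
# Added example: compare live and dying descendant counts of a cgroup v2
# directory against cgroup.max.descendants.

# cg_descendant_report DIR
# Prints: live=<n> dying=<n> max=<n|max> verdict=<ok|at-limit|hidden-overrun>
cg_descendant_report() {
    dir=$1
    live=0
    dying=0
    # cgroup.stat holds one "key value" pair per line; unknown keys are ignored.
    while read -r key val; do
        case $key in
            nr_descendants)       live=$val ;;
            nr_dying_descendants) dying=$val ;;
        esac
    done < "$dir/cgroup.stat"
    read -r max < "$dir/cgroup.max.descendants"

    verdict=ok
    if [ "$max" != max ]; then
        if [ "$live" -ge "$max" ]; then
            # Live descendants alone have reached the configured limit.
            verdict=at-limit
        elif [ $((live + dying)) -gt "$max" ]; then
            # Offlined (rmdir-ed) cgroups that are still pinned push the real
            # footprint past the limit without the limit ever triggering.
            verdict=hidden-overrun
        fi
    fi
    echo "live=$live dying=$dying max=$max verdict=$verdict"
}

# Constructed sample data standing in for a real cgroup directory.
make_sample() {
    mkdir -p "$1"
    printf 'nr_descendants %s\nnr_dying_descendants %s\n' "$2" "$3" \
        > "$1/cgroup.stat"
    printf '%s\n' "$4" > "$1/cgroup.max.descendants"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/ct" 40 9000 512
cg_descendant_report "$demo_dir/ct"
rm -rf "$demo_dir"
```

On a live system, point `cg_descendant_report` at a directory under `/sys/fs/cgroup` instead of the constructed sample.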

