From: Chen Ridong <chenridong@huaweicloud.com>
To: Andrei Vagin <avagin@gmail.com>
Cc: "Andrei Vagin" <avagin@google.com>, "Kees Cook" <kees@kernel.org>,
linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mm@kvack.org, cgroups@vger.kernel.org,
criu@lists.linux.dev, "Tejun Heo" <tj@kernel.org>,
"Johannes Weiner" <hannes@cmpxchg.org>,
"Michal Koutný" <mkoutny@suse.com>,
"Vipin Sharma" <vipinsh@google.com>,
"Jonathan Corbet" <corbet@lwn.net>
Subject: Re: [PATCH 0/3] cgroup/misc: Add hwcap masks to the misc controller
Date: Fri, 5 Dec 2025 18:04:25 +0800 [thread overview]
Message-ID: <bc10cdcb-840f-400e-85b8-3e8ae904f763@huaweicloud.com> (raw)
In-Reply-To: <CANaxB-x5qVv_yYR7aYYdrd26uFRk=Zsd243+TeBWMn47wi++eA@mail.gmail.com>
On 2025/12/5 14:39, Andrei Vagin wrote:
> On Thu, Dec 4, 2025 at 6:52 PM Chen Ridong <chenridong@huaweicloud.com> wrote:
>>
>>
>>
>> On 2025/12/5 8:58, Andrei Vagin wrote:
>>> This patch series introduces a mechanism to mask hardware capabilities
>>> (AT_HWCAP) reported to user-space processes via the misc cgroup
>>> controller.
>>>
>>> To support C/R operations (snapshots, live migration) in heterogeneous
>>> clusters, we must ensure that processes utilize CPU features available
>>> on all potential target nodes. To solve this, we need to advertise a
>>> common feature set across the cluster. This patchset allows users to
>>> configure a mask for AT_HWCAP, AT_HWCAP2. This ensures that applications
>>> within a container only detect and use features guaranteed to be
>>> available on all potential target hosts.
>>>
>>
>> Could you elaborate on how this mask mechanism would be used in practice?
>>
>> Based on my understanding of the implementation, the parent’s mask is effectively a subset of the
>> child’s mask, meaning the parent does not impose any additional restrictions on its children. This
>> behavior appears to differ from typical cgroup controllers, where children are further constrained
>> by their parent’s settings. This raises the question: is the cgroup model an appropriate fit for
>> this functionality?
>
> Chen,
>
> Thank you for the question. I think I was not clear enough in the
> description.
>
> The misc.mask file works by masking out available features; any feature
> bit set in the mask will not be advertised to processes within that
> cgroup. When a child cgroup is created, its effective mask is a
> combination of its own mask and its parent's effective mask. This means
> any feature masked by either the parent or the child will be hidden from
> processes in the child cgroup.
>
> For example:
> - If a parent cgroup masks out feature A (mask=0b001), processes in it
> won't see feature A.
> - If we create a child cgroup under it and set its mask to hide feature
> B (mask=0b010), the effective mask for processes in the child cgroup
> becomes 0b011. They will see neither feature A nor B.
>
Let me ask some basic questions:
When is the misc.mask typically set? Is it only configured before starting a container (e.g., before
docker run), or can it be adjusted dynamically while processes are already running?
I'm concerned about a potential scenario: If a child process initially has access to a CPU feature,
but then its parent cgroup masks that feature out, could the child process remain unaware of this
change?
Specifically, if a process has already cached or relied on a CPU capability before the mask was
applied, would it continue to assume it has that capability, leading to potential issues if it
attempts to use instructions that are now masked out?
Does such a scenario exist in practice?
> This ensures that a feature hidden by a parent cannot be re-enabled by a
> child. A child can only impose further restrictions by masking out
> additional features. I think this behaviour is well aligned with the cgroup
> model.
>
> Thanks,
> Andrei
--
Best regards,
Ridong
next prev parent reply other threads:[~2025-12-05 10:04 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-05 0:58 Andrei Vagin
2025-12-05 0:58 ` [PATCH 1/3] cgroup, binfmt_elf: " Andrei Vagin
2025-12-05 3:40 ` Kees Cook
2025-12-05 10:10 ` Chen Ridong
2025-12-05 0:58 ` Andrei Vagin
2025-12-05 0:58 ` [PATCH 2/3] selftests/cgroup: Add a test for the misc.mask cgroup interface Andrei Vagin
2025-12-05 0:58 ` [PATCH 3/3] Documentation: cgroup-v2: Document misc.mask interface Andrei Vagin
2025-12-05 2:52 ` [PATCH 0/3] cgroup/misc: Add hwcap masks to the misc controller Chen Ridong
2025-12-05 6:39 ` Andrei Vagin
2025-12-05 10:04 ` Chen Ridong [this message]
2025-12-05 20:19 ` Andrei Vagin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc10cdcb-840f-400e-85b8-3e8ae904f763@huaweicloud.com \
--to=chenridong@huaweicloud.com \
--cc=avagin@gmail.com \
--cc=avagin@google.com \
--cc=cgroups@vger.kernel.org \
--cc=corbet@lwn.net \
--cc=criu@lists.linux.dev \
--cc=hannes@cmpxchg.org \
--cc=kees@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mkoutny@suse.com \
--cc=tj@kernel.org \
--cc=vipinsh@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox