opencontainers / runc

CLI tool for spawning and running containers according to the OCI specification
https://www.opencontainers.org/
Apache License 2.0

Regarding setting cgroup v2 rules without overriding previous ones #3196

Open iholder101 opened 3 years ago

iholder101 commented 3 years ago

Hello,

I'm Itamar, a Kubevirt developer.

In Kubevirt we use runc to manage and control containers' cgroup definitions. One of our main uses is the devices subsystem. I'm currently working on supporting cgroups v2 but facing a problem that you may help me with.

The problem is that currently when setting a device rule through the cgroups "Manager" interface, the behavior is that all previously defined rules are deleted. That makes things more difficult, as usually when a rule is requested (e.g. allowing a certain device to be created) we do not expect that every other definition will be discarded.

With v1 though this is easily solvable. We can read currently defined cgroup rules easily, override only old versions of currently requested rules, and append all others to the current request. With v2 life is more difficult as there is no straightforward way to get the currently defined rules.

Of course we can also solve this by "remembering" our previously requested rules, but I assume that many other runc users would need the ability to append a rule to currently defined rules. Since reading eBPF code and de-compiling it to device rules sounds like a very non-trivial task, maybe the best approach is to save previous requests at the Manager level for both v1 and v2. Behavior can be configurable through "configs.Cgroup".

Does this make sense? What do you think?

iholder101 commented 3 years ago

P.S. - I also sent a message to community dev channel. Thanks @kolyshkin for directing me here.

kolyshkin commented 3 years ago

@cyphar is the expert here.

AFAIK there's no way to get current rules for v2/eBPF, meaning you're right that you need to keep the previous set of rules....

iholder101 commented 3 years ago

The question is whether it's reasonable to have this feature supported in runc. We can solve it in Kubevirt, but I think many other runc users would want this behavior, don't you think?

iholder101 commented 3 years ago

Any thoughts @cyphar?

iholder101 commented 2 years ago

@cyphar @kolyshkin It's been some time. Any thoughts?

kolyshkin commented 2 years ago

Alas I can't add anything to what I've said earlier. If you have any proposal, feel free to open a PR @iholder-redhat

iholder101 commented 2 years ago

> Alas I can't add anything to what I've said earlier. If you have any proposal, feel free to open a PR @iholder-redhat

My proposal is fairly simple - saving currently defined rules in some kind of a structure (e.g. a map). Then, on any request, add the past rules that are not being overridden explicitly.

In Kubevirt I've implemented it here, so the same approach can be taken.

p.s. Although this is only crucial for v2 (as with v1 it's fairly easy to find out which rules are currently defined) I think this should be supported agnostically for both versions.
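The store-and-merge proposal above, as an added example (not runc's or Kubevirt's code): the rule type is a hypothetical simplified stand-in for runc's devices.Rule, and a stored rule counts as explicitly overridden when a requested rule targets the same device type, major and minor.

```go
package main

import "fmt"

// DeviceRule is a simplified stand-in for runc's devices.Rule (hypothetical, not the project's own).
type DeviceRule struct {
	Type        rune   // 'c' (char), 'b' (block) or 'a' (all)
	Major       int64  // -1 means "any major"
	Minor       int64  // -1 means "any minor"
	Permissions string // subset of "rwm"
	Allow       bool
}

// deviceKey identifies the device a rule targets; a requested rule
// "explicitly overrides" a stored one when both share the same key.
type deviceKey struct {
	Type         rune
	Major, Minor int64
}

func (r DeviceRule) key() deviceKey { return deviceKey{r.Type, r.Major, r.Minor} }

// RuleStore remembers the rule list last applied to a cgroup: on v2 this is the
// only record, since the rules live in an eBPF program that is impractical to read back.
type RuleStore struct{ current []DeviceRule }

// Merge returns the list to hand to the cgroup manager: stored rules whose device is not
// in the request (original order), then the requested rules. The result becomes the new state.
func (s *RuleStore) Merge(requested []DeviceRule) []DeviceRule {
	overridden := make(map[deviceKey]bool, len(requested))
	for _, r := range requested {
		overridden[r.key()] = true
	}
	merged := make([]DeviceRule, 0, len(s.current)+len(requested))
	for _, old := range s.current {
		if !overridden[old.key()] {
			merged = append(merged, old)
		}
	}
	merged = append(merged, requested...)
	s.current = merged
	return merged
}

func main() { // constructed sample: /dev/null first, then a narrower /dev/null rule plus /dev/kvm
	var s RuleStore
	s.Merge([]DeviceRule{{'c', 1, 3, "rwm", true}})
	for _, r := range s.Merge([]DeviceRule{{'c', 1, 3, "rw", true}, {'c', 10, 232, "rwm", true}}) {
		fmt.Printf("%c %d:%d %s allow=%v\n", r.Type, r.Major, r.Minor, r.Permissions, r.Allow)
	}
}
```

Because the merged list is what gets handed to the manager on every call, the manager's replace-everything behavior no longer discards rules the caller did not mention.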