On Fr, 15.02.19 13:42, Zygmunt Krynicki (m...@zygoon.pl) wrote:

> > The "devices" cgroup controller is generally not available on
> > cgroupsv2. However, there's now a set of bpf hook-ups that you can use
> > instead and provide pretty much equivalent functionality. (systemd
> > supports them already).
>
> Indeed, this is a possible way out. It requires some thought on our
> side to integrate with our current use of v1 devices cgroup, udev
> rules, snapd side „hot plug” and live changes to running programs
> (which v1 devices allowed).

The bpf devices thing allows live changes too. In fact, in the bpf
logic in systemd it's implemented that way already.

> > The "freezer" cgroup controller is not available yet on cgroupsv2. But
> > this is likely going to change soon, but it will be core cgroupsv2
> > functionality, not a controller of its own. Until the freezer becomes
> > available it should be completely fine to simply use SIGSTOP instead,
> > semantics are not thaaaaat different.
>
> We use the freezer for „snap scope” process enumeration (but there
> are other ways to do that) and, crucially, to stop processes while we
> perform some mount namespace updates, so that there's less risk of
> apps attacking the mount code with racing symlinks and what
> not. Using SIGSTOP for that is, I guess, okay, as long as we can
> „win” and stop all processes in a given snap reliably enough.

Well, the SIGSTOP thing is racy: processes can fork() quicker than you
can pause them. Together with the pids controller you should be fine
though, as you can put a limit on forks.

Lennart

--
Lennart Poettering, Red Hat
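The "pids controller plus SIGSTOP" pause that Lennart describes, as an added illustration that is not part of the thread, snapd or systemd: pids.max is clamped to pids.current first so that fork() fails with EAGAIN, and only then is every member of the group stopped until all of them show state T in /proc. It assumes Linux with cgroup v2 and the pids controller enabled on the target group; the group path is whatever the caller passes in.

```python
import os, signal, time
from pathlib import Path

def parse_stat_state(stat_line: str) -> str:
    # /proc/<pid>/stat reads "pid (comm) S ..."; comm may contain spaces
    # or ')', so take the field after the *last* ')' rather than the 3rd.
    return stat_line[stat_line.rfind(")") + 1:].split()[0]

def proc_state(pid: int) -> str:
    try:
        return parse_stat_state(Path(f"/proc/{pid}/stat").read_text())
    except FileNotFoundError:
        return "X"  # already gone, so nothing left to stop

def members(cg: Path) -> list:
    return [int(p) for p in (cg / "cgroup.procs").read_text().split()]

def clamp_forks(cg: Path) -> str:
    # pids.max = pids.current: any further fork() fails with EAGAIN, which
    # closes the "fork faster than you can SIGSTOP" race from the thread.
    old_max = (cg / "pids.max").read_text().strip()
    (cg / "pids.max").write_text((cg / "pids.current").read_text().strip())
    return old_max

def stop_cgroup(cg: Path, timeout: float = 5.0) -> str:
    old_max = clamp_forks(cg)
    deadline = time.monotonic() + timeout
    while True:
        pids = members(cg)
        for pid in pids:
            try:
                os.kill(pid, signal.SIGSTOP)
            except ProcessLookupError:
                pass  # exited between reading cgroup.procs and kill()
        # 'T' = stopped by signal, 't' = tracing stop: both are paused
        if all(proc_state(p) in ("T", "t", "X") for p in pids):
            return old_max
        if time.monotonic() > deadline:
            thaw_cgroup(cg, old_max)
            raise TimeoutError(f"could not stop every process in {cg}")
        time.sleep(0.01)

def thaw_cgroup(cg: Path, old_max: str) -> None:
    for pid in members(cg):
        try:
            os.kill(pid, signal.SIGCONT)
        except ProcessLookupError:
            pass
    (cg / "pids.max").write_text(old_max)  # forks allowed again
```

Do the mount namespace work between `stop_cgroup()` and `thaw_cgroup()`; the returned value is the previous pids.max so the fork limit is restored afterwards.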