On Tue, Nov 17, 2020 at 12:40 PM Kyle Evans <kev...@freebsd.org> wrote: > > Hello! > > I've done some work to try and make qemu-user-static honor cpuset and > advertise a fake hw.ncpu to emulated processes based on the number of > cpus actually available to it. > > In doing so, I discovered that created jail's inherit the parent > jail's cpuset mask, rather than the creating process. This is OK for > persistent jails, as one can create the jail, cpuset(1), then jexec > whatever tasks they want to do; but jails that would otherwise not be > persistent have to either deal with racy cpuset(1) after creation or > settle for instead creating a persistent jail because they need a > specific cpuset. > > I've got this patch that I'd like to propose[0], but it's unclear if > it's really OK to do or if anyone else cares about this. I can't see > any theoretical problem with it off-hand, as the creating thread > should be guaranteed to have a cpuset that's valid as a child of the > parent prison's cpuset. > > The patch creates a new poorly-named cpuset_create_root_td KPI to > inherit the cpuset from the creating thread, and leaves the previous > KPI intact in case something else is using it or to leave the door > open to adding an option to go either way with this (inherit from > parent jail vs. inherit from thread). > > From a MAC perspective, I think it makes a lot of sense to inherit > from the thread by default. e.g. a non-root user could be granted > PRIV_JAIL_SET, then they're freely able to create jails using the > parent jail's root cpuset even if they've been limited themselves via > login.conf(5) restriction. > > For most existing use-cases, it should effectively be a nop unless > they were cpuset(1)ing a process not expecting the created jail to > inherit that. > > Thoughts? Thanks, > > Kyle Evans >
I've pushed a pair of reviews derived from my impression of Jamie's response: https://reviews.freebsd.org/D27297 https://reviews.freebsd.org/D27298 The former supports the latter, the latter effectively appropriately 'rebases' a process cpuset into the jail when it attaches rather than the administrative action of replacing a process cpuset. Thanks, Kyle Evans _______________________________________________ freebsd-jail@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-jail To unsubscribe, send any mail to "freebsd-jail-unsubscr...@freebsd.org"
