Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup

2015-11-23 Thread Daniel Wagner
Hi Tejun,

On 11/21/2015 05:13 PM, Tejun Heo wrote:
> Signed-off-by: Tejun Heo 
> Cc: Daniel Borkmann 
> Cc: Daniel Wagner 

I did a quick test and for a new connection the cgroup2 match worked as
expected. For an existing connection I wasn't able to trigger the match.

It is quite likely I am doing something wrong:

  ssh into the box
  # mkdir /sys/fs/cgroup/test
  # echo $$ > /sys/fs/cgroup/test/cgroup.procs
  # echo $PPID > /sys/fs/cgroup/test/cgroup.procs
  # iptables -A OUTPUT -m cgroup --path test

Should I see matches with the existing ssh session?

cheers,
daniel
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup

2015-11-23 Thread Daniel Wagner
On 11/23/2015 04:48 PM, Tejun Heo wrote:
> On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
>> On 11/21/2015 05:13 PM, Tejun Heo wrote:
>>> Signed-off-by: Tejun Heo 
>>> Cc: Daniel Borkmann 
>>> Cc: Daniel Wagner 
>>
>> I did a quick test and for a new connection the cgroup2 match worked as
>> expected. For an existing connection I wasn't able to trigger the match.
>>
>> It is quite likely I am doing something wrong:
>>
>>  ssh into the box
>>  # mkdir /sys/fs/cgroup/test
>>  # echo $$ > /sys/fs/cgroup/test/cgroup.procs
>>  # echo $PPID > /sys/fs/cgroup/test/cgroup.procs
>>  # iptables -A OUTPUT -m cgroup --path test
>>
>> Should I see matches with the existing ssh session?
> 
> Socket is associated with the creating cgroup and stays associated
> with that cgroup until it's released.  Migrating the process doesn't
> change the ownership of the sockets it has created.  This is in line
> with how other stateful resources such as memory are handled in
> cgroup2 hierarchy.

Thanks for the explanation. Looks good to me:

Tested-by: Daniel Wagner 
Acked-by: Daniel Wagner 

Thanks,
Daniel


Re: [PATCH 7/9] sock, cgroup: add sock->sk_cgroup

2015-11-23 Thread Tejun Heo
Hello,

On Mon, Nov 23, 2015 at 02:02:03PM +0100, Daniel Wagner wrote:
> On 11/21/2015 05:13 PM, Tejun Heo wrote:
> > Signed-off-by: Tejun Heo 
> > Cc: Daniel Borkmann 
> > Cc: Daniel Wagner 
> 
> I did a quick test and for a new connection the cgroup2 match worked as
> expected. For an existing connection I wasn't able to trigger the match.
> 
> It is quite likely I am doing something wrong:
> 
>   ssh into the box
>   # mkdir /sys/fs/cgroup/test
>   # echo $$ > /sys/fs/cgroup/test/cgroup.procs
>   # echo $PPID > /sys/fs/cgroup/test/cgroup.procs
>   # iptables -A OUTPUT -m cgroup --path test
> 
> Should I see matches with the existing ssh session?

Socket is associated with the creating cgroup and stays associated
with that cgroup until it's released.  Migrating the process doesn't
change the ownership of the sockets it has created.  This is in line
with how other stateful resources such as memory are handled in
cgroup2 hierarchy.

Thanks.

-- 
tejun
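
Added example, not part of the thread or the patch: an audit helper that lists sockets whose owning process now sits under the cgroup named in an `iptables -m cgroup --path` rule while the socket itself still belongs to the cgroup it was created in, which is the case described above where the rule does not match. It assumes input shaped like `ss -tnp --cgroup` output; the sample lines, pids and function names are constructed for illustration.

```python
import re

# Constructed sample shaped like `ss -tnp --cgroup` output (assumed format, not from a real host).
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 192.0.2.10:22 192.0.2.50:51514 users:(("sshd",pid=1234,fd=4)) cgroup:/system.slice/ssh.service
ESTAB 0 0 192.0.2.10:40022 198.51.100.7:443 users:(("curl",pid=1300,fd=5)) cgroup:/test
ESTAB 0 0 192.0.2.10:40100 198.51.100.8:443 users:(("curl",pid=1301,fd=5)) cgroup:/test/child
"""
# Constructed: current cgroup of each pid (the "0::<path>" line of /proc/<pid>/cgroup)
# after sshd (pid 1234) was written to /sys/fs/cgroup/test/cgroup.procs.
SAMPLE_PROC_CGROUP = {1234: "/test", 1300: "/test", 1301: "/test/child"}

USER_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=(\d+)\)')
CGROUP_RE = re.compile(r'\bcgroup:(\S+)')


def in_subtree(cgroup, rule_path):
    """True if cgroup is rule_path or one of its descendants (how the path match is modelled here)."""
    rule = "/" + rule_path.strip("/")
    if rule == "/":
        return True
    return cgroup == rule or cgroup.startswith(rule + "/")


def parse_ss(text):
    """Extract local/peer address, socket cgroup and owning pids from each socket line."""
    socks = []
    for line in text.splitlines():
        cg = CGROUP_RE.search(line)
        users = USER_RE.findall(line)
        if not cg or not users:
            continue  # header line, or a socket without cgroup/process info
        fields = line.split()
        socks.append({"local": fields[3], "peer": fields[4], "cgroup": cg.group(1),
                      "pids": [int(pid) for _, pid, _ in users]})
    return socks


def unmatched_sockets(ss_text, rule_path, proc_cgroup):
    """Sockets whose owner was migrated under rule_path but which were created elsewhere."""
    out = []
    for s in parse_ss(ss_text):
        owner_inside = any(in_subtree(proc_cgroup.get(pid, ""), rule_path) for pid in s["pids"])
        if owner_inside and not in_subtree(s["cgroup"], rule_path):
            out.append((s["local"], s["peer"], s["cgroup"]))
    return out


if __name__ == "__main__":
    for local, peer, cg in unmatched_sockets(SAMPLE_SS, "test", SAMPLE_PROC_CGROUP):
        print(f"{local} -> {peer} still owned by {cg}; rule on 'test' will not match")
```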