On Mon, Nov 14, 2016 at 12:35:17PM +0100, Lennart Poettering wrote:
> On Sat, 12.11.16 07:43, Topi Miettinen (toiwo...@gmail.com) wrote:
> 
> > On 11/11/16 20:09, Lennart Poettering wrote:
> > > I have no idea what "slurm" is, but do note that the "devices" cgroup
> > > controller has no future, it is unlikely to ever become available in
> > > cgroupsv2.
> > 
> > This is unwelcome news, I think it is a simple and well contained MAC
> > that has been available in systems without a full blown MAC like SELinux
> > and with systemd support it has been very easy to set up. What will
> > happen to DevicePolicy, DeviceAllow etc. directives? Or will systemd
> > stick to cgroupsv1 forever?
> 
> No, our plan is to switch to cgroupsv2 as default as quickly as we
> can. Where "quickly as we can" means mostly: the "cpu" controller is
> ported to cgroupsv2 in vanilla kernels.
> 
> The thing with the "devices" cgroup controller is that it is not about
> resource control, but about access control, and hence should not live
> in "cgroups" at all, but in some other framework.  "cgroups" is all
> about dynamic resource control and accounting, but "devices" doesn't
> fit that at all, hence it should move elsewhere.
> 
> We'll keep DeviceAllow/DevicePolicy around for now, and there's a TODO
> list item to implement at least the "m" part of it via seccomp, as a
> second level of protection that will still work even if cgroupsv2 is
> used. I think in the long run it might make sense to also do the "rw"
> part of it somehow in the kernel, via some new kernel subsystem, but
> we'll have to see if and how this will be implemented.

Since there is support for stackable LSMs now, I could see the cgroup
devices ACL feature being replaced with a new LSM. I imagine if stackable
LSMs had been supported back in cgroup v1 days, it probably would have
been done that way in the first place instead of adding MAC to cgroups.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
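The DevicePolicy=/DeviceAllow= semantics discussed in the quoted reply, as an added Python model that is not part of this thread and not systemd's own code: it compiles a unit's directives into the cgroup v1 devices.allow lines systemd would write and then applies the kernel's whitelist check to individual requests, which makes the split between the "m" bit and the "rw" bits concrete. The device table is a constructed stand-in for stat(2), the list of pseudo devices for DevicePolicy=closed is abbreviated to the ones named in systemd.resource-control(5), and the char-<group>/block-<group> DeviceAllow forms are left out.

```python
"""Model of what DevicePolicy= and DeviceAllow= turn into on the cgroup v1
"devices" controller, and how the kernel's whitelist check treats r, w and m.

Added example for this thread; it is not systemd code. Device numbers come
from a constructed table instead of stat(2) so it runs anywhere.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for stat() on /dev: path -> (type, major, minor).
# The numbers are the conventional Linux ones (Documentation/admin-guide/devices.txt).
DEVICE_NODES = {
    "/dev/null":    ("c", 1, 3),
    "/dev/zero":    ("c", 1, 5),
    "/dev/full":    ("c", 1, 7),
    "/dev/random":  ("c", 1, 8),
    "/dev/urandom": ("c", 1, 9),
    "/dev/console": ("c", 5, 1),
    "/dev/sda":     ("b", 8, 0),
    "/dev/sda1":    ("b", 8, 1),
}

# Pseudo devices DevicePolicy=closed whitelists per systemd.resource-control(5);
# abbreviated here, the real list also contains tty/pts nodes.
CLOSED_PSEUDO_DEVICES = ["/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom"]


@dataclass(frozen=True)
class Rule:
    """One devices.allow line: '<c|b|a> <major|*>:<minor|*> <subset of rwm>'."""
    dtype: str
    major: Optional[int]   # None encodes "*"
    minor: Optional[int]
    access: str

    def matches(self, dtype: str, major: int, minor: int, access: str) -> bool:
        if self.dtype != "a" and self.dtype != dtype:
            return False
        if self.major is not None and self.major != major:
            return False
        if self.minor is not None and self.minor != minor:
            return False
        # Kernel semantics: a single whitelist entry must cover every requested
        # bit ((access & ~entry.access) == 0); bits are not unioned across entries.
        return set(access) <= set(self.access)

    def __str__(self) -> str:
        maj = "*" if self.major is None else str(self.major)
        mino = "*" if self.minor is None else str(self.minor)
        return f"{self.dtype} {maj}:{mino} {self.access}"


def compile_unit(policy: str, device_allow: List[str]) -> List[Rule]:
    """Translate DevicePolicy= plus DeviceAllow= entries into devices.allow lines.

    Only /dev paths are accepted; systemd's char-<group>/block-<group> forms
    are not modelled. A DeviceAllow= entry without access bits means "rwm".
    """
    if policy not in ("auto", "closed", "strict"):
        raise ValueError(f"unknown DevicePolicy={policy}")
    if policy == "auto" and not device_allow:
        return [Rule("a", None, None, "rwm")]        # no restriction at all
    rules: List[Rule] = []
    if policy in ("auto", "closed"):
        for path in CLOSED_PSEUDO_DEVICES:
            dtype, major, minor = DEVICE_NODES[path]
            rules.append(Rule(dtype, major, minor, "rwm"))
    for entry in device_allow:
        parts = entry.split()
        path, access = parts[0], (parts[1] if len(parts) > 1 else "rwm")
        if path not in DEVICE_NODES:
            raise KeyError(f"unknown device node {path}")
        if not access or set(access) - set("rwm"):
            raise ValueError(f"bad access spec {access!r}")
        dtype, major, minor = DEVICE_NODES[path]
        rules.append(Rule(dtype, major, minor, access))
    return rules


def check_access(rules: List[Rule], path: str, access: str) -> bool:
    """Would open()/mknod() on `path` with these access bits pass the whitelist?"""
    dtype, major, minor = DEVICE_NODES[path]
    return any(r.matches(dtype, major, minor, access) for r in rules)


if __name__ == "__main__":
    rules = compile_unit("closed", ["/dev/sda rw"])
    print("\n".join(str(r) for r in rules))
    for path, access in [("/dev/sda", "rw"), ("/dev/sda", "m"), ("/dev/sda1", "r"), ("/dev/null", "rwm")]:
        print(f"{path} {access}: {'allowed' if check_access(rules, path, access) else 'denied'}")
```

The model makes the caveat behind the quoted TODO visible: the controller checks "r" and "w" when an existing node is opened, keyed by the inode's major:minor, and checks "m" when a node is created with mknod(). A seccomp filter sees the mknod/mknodat syscall and its arguments but never the open() of an existing device node, so it can stand in for the "m" bit only; the "rw" half still needs something in the kernel that sits on the open path.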
