FS#16715 - [kernel26] Request for the needed Linux Container kernel options to be enabled by default

Attached to Project: Arch Linux
Opened by Dwight Schauer (dschauer) - Sunday, 18 October 2009, 04:06 GMT
Last edited by Tobias Powalowski (tpowa) - Saturday, 27 February 2010, 14:48 GMT
Task Type Feature Request
Category Kernel
Status Closed
Assigned To Tobias Powalowski (tpowa)
Aaron Griffin (phrakture)
Thomas Bächler (brain0)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 13
Private No

Details

Now that LXC (Linux Containers) is mainstream, I'm requesting that the needed configuration options be enabled in the default kernel, so that Linux containers are available out of the box and one does not have to maintain custom kernel/nvidia/other packages.

# Needed for LXC. See http://lxc.sourceforge.net/lxc.html
CONFIG_GROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_NS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_CGROUP_MEM_RES_CTLR=y
CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
CONFIG_MM_OWNER=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NET_CLS_CGROUP=y

# The following should already be turned on.
CONFIG_SECURITY_FILE_CAPABILITIES=y

# The following would also be nice.
CONFIG_SECURITY_SMACK=y
# http://www.ibm.com/developerworks/linux/library/l-lxc-security/index.html

This task depends upon

Closed by Tobias Powalowski (tpowa)
Saturday, 27 February 2010, 14:48 GMT
Reason for closing: Fixed
Additional comments about closing: 2.6.33
Comment by Shridhar Daithankar (ghodechhap) - Sunday, 18 October 2009, 05:02 GMT
And Dwight didn't add this :) http://lxc.teegra.net/

Shridhar
Comment by Thomas Bächler (brain0) - Sunday, 18 October 2009, 10:12 GMT
We won't enable SMACK again - we tried once and several machines didn't work right for reasons I didn't bother to investigate.

As for the rest, I never knew what they were about - are there any drawbacks in enabling them?
Comment by Dwight Schauer (dschauer) - Sunday, 18 October 2009, 14:03 GMT
Alright on the SMACK issue. For typical Linux container setups it is not needed; it is only necessary when trying to really lock down a container. And yes, a quick search shows that others have had issues with CONFIG_SECURITY_SMACK=y as well. If I really needed that kind of security I would not mind maintaining a separate kernel PKGBUILD.

As far as drawbacks of enabling the configs required for LXC, I'm not aware of any. As far as I know the only thing that uses them is the LXC userspace tools to set up containers. I have these enabled on 2 machines and have not had any issues, and I'm about to enable them on 4 or 5 more as I plan to start using Linux containers a lot more. I was using OpenVZ, but it is unlikely that will ever make it to recent kernels any time soon or ever make it into the mainstream kernel code, as Linux containers are already in there and are a lot more flexible.

Prior to 2.6.29 most of these features were only available as patches to the mainstream kernel.

I'll ask about any potential drawbacks on the Linux Containers mailing list.
Comment by Dwight Schauer (dschauer) - Sunday, 18 October 2009, 15:54 GMT
From the Linux containers mailing list on this subject. See https://lists.linux-foundation.org/pipermail/containers/2009-October/021403.html for the rest of the thread.

On Sun, Oct 18, 2009 at 10:44 AM, Daniel Lezcano <daniel.lezcano@free.fr> wrote:
In general the cgroup adds a small overhead at fork/exit when a subsystem makes use of the cgroup_callbacks, for example the freezer. But that can be considered negligible.

CONFIG_GROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_NS=y
CONFIG_CGROUP_FREEZER=y

This one does not add any overhead.

CONFIG_CGROUP_DEVICE=y

For these ones, I don't know.

CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y

AFAIR these following options add some overhead especially the memory resource controller.

CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_CGROUP_MEM_RES_CTLR=y
CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
CONFIG_MM_OWNER=y


The overhead and footprint of the following options are negligible

CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NET_CLS_CGROUP=y


This one, no overhead.
CONFIG_SECURITY_FILE_CAPABILITIES=y
Comment by Dwight Schauer (dschauer) - Sunday, 18 October 2009, 17:18 GMT
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y

Would also be useful: Support multiple instances of devpts

http://cateee.net/lkddb/web-lkddb/DEVPTS_MULTIPLE_INSTANCES.html
http://blog.flameeyes.eu/2009/08/10/some-more-notes-about-linux-containers
Comment by Dwight Schauer (dschauer) - Tuesday, 27 October 2009, 16:19 GMT
FYI, more from the Linux containers mailing list concerning some of these configuration options.
https://lists.linux-foundation.org/pipermail/containers/2009-October/021616.html

On Tue, Oct 27, 2009 at 3:42 AM, KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> wrote:
> On Sun, 18 Oct 2009 17:44:31 +0200
> Daniel Lezcano <daniel.lezcano@free.fr> wrote:
>
>> AFAIR these following options add some overhead especially the memory resource controller.
>>
>> CONFIG_CGROUP_CPUACCT=y
>> CONFIG_RESOURCE_COUNTERS=y
>> CONFIG_CGROUP_MEM_RES_CTLR=y
>> CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
>> CONFIG_MM_OWNER=y
>>
>>
> sorry, memcg's performance fix is now tested under -mm kernel.
> plz wait for 2.6.33 ;(
>
> Thanks,
> -Kame
Comment by Shridhar Daithankar (ghodechhap) - Friday, 04 December 2009, 00:40 GMT
Will this be added to 2.6.32?

Shridhar
Comment by Tobias Powalowski (tpowa) - Friday, 04 December 2009, 07:21 GMT
Due to a performance issue it will be added to the .33 series.
Comment by Dwight Schauer (dschauer) - Monday, 14 December 2009, 15:47 GMT
CONFIG_DEVPTS_MULTIPLE_INSTANCES is needed.
Comment by Hans Eriksson (the_slain_man) - Thursday, 18 February 2010, 12:29 GMT
So archlinux kernel26 version 2.6.33 will be lxc enabled?
Comment by Jonathan Liu (net147) - Thursday, 25 February 2010, 12:19 GMT
Would now be a good time to add the options for LXC to the kernel26 2.6.33 package?
Comment by Dwight Schauer (dschauer) - Thursday, 25 February 2010, 13:03 GMT
Here is a summary of the needed LXC options that would be nice if they made it into the 2.6.33 kernel package.

CONFIG_GROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_NS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CPUSETS=y
CONFIG_PROC_PID_CPUSET=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_RESOURCE_COUNTERS=y
CONFIG_CGROUP_MEM_RES_CTLR=y
CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y
CONFIG_MM_OWNER=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
CONFIG_NET_CLS_CGROUP=y
CONFIG_DEVPTS_MULTIPLE_INSTANCES=y

# The following should already be turned on.
CONFIG_SECURITY_FILE_CAPABILITIES=y
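The check that goes with this summary (and with the identical list in the original report above) is whether a running or packaged kernel actually has these options on. The script below is an added example, not part of the bug report or of the Arch kernel26 package: it reads a kernel config file and prints every option from the summary that is neither built in nor a module. The option names are copied from the summary; the function names, the default paths /proc/config.gz and /boot/config-$(uname -r), and the exit codes are my own assumptions.

```shell
#!/bin/sh
# Added example: report which LXC-related kernel options from the bug report
# are not enabled in a kernel config. Not part of the report or of Arch's
# kernel26 package.
# Usage: sh lxc-kconfig-check.sh [CONFIG_FILE]
#   CONFIG_FILE defaults to /proc/config.gz (assumed path; only present when
#   the kernel has CONFIG_IKCONFIG_PROC) and then to /boot/config-$(uname -r).

# Option names copied from the report's final summary (2.6.33-era names).
LXC_OPTIONS="
CONFIG_GROUP_SCHED CONFIG_FAIR_GROUP_SCHED CONFIG_RT_GROUP_SCHED CONFIG_CGROUP_SCHED
CONFIG_CGROUPS CONFIG_CGROUP_NS CONFIG_CGROUP_FREEZER CONFIG_CGROUP_DEVICE
CONFIG_CPUSETS CONFIG_PROC_PID_CPUSET CONFIG_CGROUP_CPUACCT CONFIG_RESOURCE_COUNTERS
CONFIG_CGROUP_MEM_RES_CTLR CONFIG_CGROUP_MEM_RES_CTLR_SWAP CONFIG_MM_OWNER
CONFIG_NAMESPACES CONFIG_UTS_NS CONFIG_IPC_NS CONFIG_USER_NS CONFIG_PID_NS
CONFIG_NET_NS CONFIG_NET_CLS_CGROUP CONFIG_DEVPTS_MULTIPLE_INSTANCES
CONFIG_SECURITY_FILE_CAPABILITIES
"

# Print a kernel config as plain text; /proc/config.gz and saved configs
# may be gzip-compressed.
read_config() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# Pick the first readable config file from the assumed default locations.
default_config() {
    for f in /proc/config.gz "/boot/config-$(uname -r)"; do
        if [ -r "$f" ]; then
            echo "$f"
            return 0
        fi
    done
    return 1
}

# missing_options CONFIG_FILE
# Prints one line per option from LXC_OPTIONS that is neither =y nor =m in
# the file; a "# CONFIG_FOO is not set" line or an absent option both count
# as missing. Returns 0 when every option is enabled, 1 when any is missing,
# 2 when the file cannot be read.
missing_options() {
    cfg_text=$(read_config "$1") || return 2
    rc=0
    for opt in $LXC_OPTIONS; do
        if ! printf '%s\n' "$cfg_text" | grep -Eq "^${opt}=(y|m)$"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# Entry point: runs only when a path is given or a default config exists, so
# the functions above can also be sourced from another script.
if [ -n "${1:-}" ] || cfg=$(default_config); then
    cfg=${1:-$cfg}
    echo "Checking $cfg"
    missing=$(missing_options "$cfg") && status=0 || status=$?
    case $status in
        0) echo "All listed LXC options are enabled." ;;
        1) echo "Missing or disabled options:"; echo "$missing" ;;
        *) echo "Cannot read $cfg" >&2 ;;
    esac
fi
```

The script matches both `=y` and `=m` so a modular build is not reported as missing, and it treats Kconfig's `# CONFIG_FOO is not set` form the same as an absent line. On kernels much newer than 2.6.33 several of these names no longer exist (for instance the memory controller option was later renamed CONFIG_MEMCG), so a report of "missing" on a current kernel means the option list needs updating rather than the kernel.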
