As a system administrator, I would like to use Linux cgroup restrictions to configure the GEOPM service #1685

Open
cmcantalupo opened this issue Jun 17, 2021 · 1 comment · May be fixed by #2551

Comments

@cmcantalupo
Contributor

Use Linux cgroups(7) to filter signal and control requests based on cgroup restrictions on the client PID. In particular, the "cpuset" should be pretty straightforward to implement. We may also want to consider accounting for other restrictions such as "rdma", "io", or "perf_event".

@cmcantalupo cmcantalupo changed the title As a system administrator deploying the GEOPM service, I would like to be able to use Linux cgroup restrictions to restrict access As a system administrator deploying the GEOPM service, I would like to be able to use Linux cgroup restrictions to configure the GEOPM service Jun 17, 2021
@cmcantalupo cmcantalupo changed the title As a system administrator deploying the GEOPM service, I would like to be able to use Linux cgroup restrictions to configure the GEOPM service As a system administrator, I would like to be able to use Linux cgroup restrictions to configure the GEOPM service Jun 17, 2021
@cmcantalupo cmcantalupo changed the title As a system administrator, I would like to be able to use Linux cgroup restrictions to configure the GEOPM service As a system administrator, I would like to use Linux cgroup restrictions to configure the GEOPM service Jun 17, 2021
@cmcantalupo cmcantalupo added this to the Version 2.0 milestone Mar 23, 2022
@cmcantalupo cmcantalupo added 2.0 Major version features (remove/modify interface) 2.1 and removed 2.0 Major version features (remove/modify interface) labels Mar 23, 2022
@cmcantalupo cmcantalupo removed this from the Version 2.0 milestone Mar 23, 2022
@cmcantalupo
Contributor Author

cmcantalupo commented Jul 13, 2022

A PIO request comes with a "domain" and "domain index". Use the Python interface geopmdpy.topo.domain_nested('cpu', domain, domain_idx) to create a CPU mask to compare against the cgroup restriction for the calling process. If a request to read or write is made for a CPU that is not in the cgroup cpuset, then the request should be denied.

One place where this check would be made is here:

https://github.com/geopm/geopm/blob/dev/service/geopmdpy/service.py#L585-L587

In addition to checking the allowed list, also check the PID's cpuset from the cgroup:

grep cpuset /proc/self/cgroup

These checks would be made each place the allowed list was checked (read, write, push_signal, push_control).
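
One way the cpuset comparison described in this comment could be written, as an added example that is not code from the GEOPM project. The function names and the `proc_root`/`cgroup_root` parameters are hypothetical, `request_cpus` stands for the CPU list that geopmdpy.topo.domain_nested('cpu', domain, domain_idx) would return, and denying the request when no cpuset can be determined is an assumption of this sketch.

```python
import os

def parse_cpu_list(text):
    """Parse the kernel cpulist format: '0-3,8' -> {0, 1, 2, 3, 8}."""
    cpus = set()
    for part in text.strip().split(','):
        if part:
            lo, _, hi = part.partition('-')
            cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def cgroup_cpuset(pid, proc_root='/proc', cgroup_root='/sys/fs/cgroup'):
    """Return the effective cpuset of the cgroup of `pid`, or None if unknown."""
    with open(os.path.join(proc_root, str(pid), 'cgroup')) as fid:
        lines = fid.read().splitlines()
    for line in lines:
        fields = line.split(':', 2)
        if len(fields) != 3:
            continue
        _, controllers, path = fields
        if controllers == '':                      # cgroup v2: "0::/path"
            base, name = cgroup_root, 'cpuset.cpus.effective'
        elif 'cpuset' in controllers.split(','):   # cgroup v1: "N:cpuset:/path"
            base, name = os.path.join(cgroup_root, 'cpuset'), 'cpuset.effective_cpus'
        else:
            continue
        parts = [pp for pp in path.split('/') if pp]
        if '..' in parts:   # path lies outside our cgroup namespace: unknown
            return None
        # Walk up: a v2 cgroup without the cpuset controller enabled has no
        # cpuset file and inherits the restriction of its nearest ancestor.
        while True:
            try:
                with open(os.path.join(base, *parts, name)) as fid:
                    return parse_cpu_list(fid.read())
            except FileNotFoundError:
                if not parts:
                    break
                parts.pop()
    return None

def request_allowed(client_pid, request_cpus, **roots):
    """Deny if any requested CPU is outside the client's cpuset.

    Assumption of this sketch: an undeterminable cpuset also means deny.
    """
    allowed = cgroup_cpuset(client_pid, **roots)
    return allowed is not None and set(request_cpus) <= allowed
```

The cpuset is read at the time of the call, so the check reflects the client's cgroup at that moment and has to be repeated for each request rather than cached per PID.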
