From: Marc E. Fiuczynski (mef_at_CS.Princeton.EDU)
Date: Thu 08 Jul 2004 - 09:00:46 BST
The vserver context id (called xid) is part of the task_struct. The mod to
rbce sounds pretty straightforward, but I will take you up on your offer to
From: Hubertus Franke [mailto:frankeh_at_watson.ibm.com]
Sent: Wednesday, July 07, 2004 5:25 PM
Subject: Re: [ckrm-tech] rule based classification
Marc, in a nutshell, the RBCE is a list of rules
that are evaluated on classification invocation.
Rules consist of a set of rule terms and a target class. A rule term
specifies one particular kernel object attribute, a comparison operator
(=,<,>,!) and a value expression. To speed up the classification process
we maintain state with tasks about which rules and rule terms have been
examined for a particular task and only reexamine those terms that are
indicated by the event.
RBCE provides rules based on task parameters (pid, gid, uid,
executable) and socket information (IP info). The rules in conjunction
with the defined classes constitute a site policy for workload management
and are dynamically changeable (see user interface section) into the RBCE.
Hence, this approach ensures the separation of policy and enforcement.
Assuming that the vserver context ID is accessible from the task struct,
what you need to do is define a new RULE_TERM_OPERATOR and add a new case
statement under evaluate_rule. One also needs to deal with the rbce
bitvector optimization, requiring a few more case statements (if at
all). This is pretty straightforward. If you give me the field I can
see whether I can help you out with this.
Hope this helps..
Marc E. Fiuczynski wrote:
> Could someone give me an overview of how the rbce works? Specifically, I
> am interested in modifying the rbce kernel support to be "vserver context ID"
> aware. The main problem that I need to solve is that uid/gid's are not
> unique across vserver contexts. E.g., UID 501 in context 2 and UID 501 in
> context 3 are not the same thing, while rbce/ckrm would treat them as the
> My thought is to enhance rbce/ckrm such that for a non-vserver enhanced
> kernel, it always assumes that context=0. While for a vserver enhanced
> kernel it will distinguish UID/GIDs by their context IDs.
ckrm-tech mailing list
Vserver mailing list
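
Added example, not part of the original thread and not CKRM/RBCE source: a simplified user-space C model of the rule and rule-term evaluation described above, with a context-ID term so that UID 501 in context 2 and UID 501 in context 3 land in different classes. All type, enum, policy and class names are assumptions, the per-task bitvector caching is left out, and xid is 0 where there is no vserver support, as proposed in the quoted message.

```c
#include <stddef.h>
#include <stdio.h>
/* User-space model only; every name here is hypothetical, not CKRM's. */
enum attr { ATTR_UID, ATTR_GID, ATTR_XID };      /* ATTR_XID: the new term kind */
enum op   { OP_EQ, OP_LT, OP_GT, OP_NE };        /* "=", "<", ">", "!" */
struct task { unsigned uid, gid, xid; };         /* xid is 0 without vserver */
struct term { enum attr attr; enum op op; unsigned val; };
struct rule { const struct term *terms; size_t nterms; const char *target; };
static int term_matches(const struct term *tm, const struct task *t)
{
    unsigned v = 0;
    switch (tm->attr) {
    case ATTR_UID: v = t->uid; break;
    case ATTR_GID: v = t->gid; break;
    case ATTR_XID: v = t->xid; break;            /* the added case */
    }
    switch (tm->op) {
    case OP_EQ: return v == tm->val;
    case OP_LT: return v <  tm->val;
    case OP_GT: return v >  tm->val;
    case OP_NE: return v != tm->val;
    }
    return 0;
}

/* First rule whose terms all match wins; NULL means no rule matched. */
const char *classify(const struct rule *rules, size_t n, const struct task *t)
{
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < rules[i].nterms && term_matches(&rules[i].terms[j], t))
            j++;
        if (j == rules[i].nterms) return rules[i].target;
    }
    return NULL;
}
/* Constructed policies: UID 501 is a different user in contexts 2 and 3. */
static const struct term ctx2_501[] = { {ATTR_XID, OP_EQ, 2}, {ATTR_UID, OP_EQ, 501} };
static const struct term ctx3_501[] = { {ATTR_XID, OP_EQ, 3}, {ATTR_UID, OP_EQ, 501} };
static const struct term uid_only[] = { {ATTR_UID, OP_EQ, 501} };
const struct rule xid_policy[] = { {ctx2_501, 2, "web"}, {ctx3_501, 2, "batch"} };
const struct rule uid_policy[] = { {uid_only, 1, "web"} };
int main(void)
{
    struct task a = { 501, 100, 2 }, b = { 501, 100, 3 };   /* constructed tasks */
    printf("uid-only:  %s / %s\n", classify(uid_policy, 1, &a), classify(uid_policy, 1, &b));
    printf("xid-aware: %s / %s\n", classify(xid_policy, 2, &a), classify(xid_policy, 2, &b));
    return 0;
}
```

With the uid-only policy both tasks fall into the same class; with the xid term they are separated, and a task with UID 501 in context 0 matches neither rule.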