Selinux based Process Classifier Code
Brought to you by: shindepravin
| File | Date | Author | Commit |
|---|---|---|---|
| configuration | 2007-10-16 | shindepravin | [r10] revision-10 included |
| HACKING | 2007-10-16 | shindepravin | [r10] revision-10 included |
| INSTALL | 2007-10-16 | shindepravin | [r10] revision-10 included |
| Makefile | 2007-10-16 | shindepravin | [r10] revision-10 included |
| README | 2007-10-16 | shindepravin | [r10] revision-10 included |
| classification_enforcer.c | 2007-10-16 | shindepravin | [r10] revision-10 included |
| classifier.c | 2007-10-16 | shindepravin | [r10] revision-10 included |
| container_specifications.c | 2007-10-16 | shindepravin | [r10] revision-10 included |
| userspace_classifier.h | 2007-10-16 | shindepravin | [r10] revision-10 included |
| userspace_listener.c | 2007-10-16 | shindepravin | [r10] revision-10 included |
CPUSET :
CPUSETs are lightweight objects in the Linux kernel that enable
users to partition their resources by creating resource groups.
A virtualization layer has been added so it becomes possible to split a
machine in terms of CPUs. The main motivation of this patch is to give
the Linux kernel full administration capabilities concerning CPUs. To make
this possible, different CPUSETs are defined with different (or overlapping)
groups of resources, and each process is classified into one of these CPUSETs.
All processes belonging to one CPUSET class share the resources
available to that CPUSET among each other. This way, we can create
different CPUSETs and classify the processes into them so that critical
processes easily get the resources they need.
=======================================================================
PROBLEM :
In order to classify the processes into these CPUSETs, one needs to get
their PIDs and add each one to a particular file in the directory representing
the required CPUSET. So classification is not possible until the
process has actually been created. If the process restarts, it has to
be re-classified, as its PID will change. Similarly, after every
reboot the classification has to be redone.
So one needs to do a lot of repetitive, manual classification of
processes if one wants to use CPUSETs effectively.
======================================================================
SOLUTION :
If we can classify processes without using the PID, and if the classification
remains the same even after a process restarts or the machine restarts, then
we can automate most of the work.
The classification should also be very flexible, so that it can cover
all possibilities and scenarios.
=====================================================================
PCSS : (Process Classifier based on SELinux Security-context)
PCSS uses SELinux security contexts to classify processes. Security
contexts remain the same even if the process restarts or the machine restarts.
In addition, SELinux security contexts are quite flexible.
PCSS is a userspace process classifier that groups all processes
based on their SELinux security context. Whenever a new process
is created, an SELinux security_context is associated with
it (the SELinux module must be enabled in your kernel).
We can then classify the process on the basis of its security_context to
decide which CPUSET the process should go into. PCSS is entirely
implemented in userspace and requires no modification to kernel code,
which makes PCSS easier to use.
=====================================================================
DETAILS
We are using Connector (a Linux kernel feature) which reports process
events to userspace. It uses the netlink mechanism, and your kernel must
be built with it.
This kernel feature reports process events such as fork and exec.
Whenever these events are reported, a userspace program,
"userspace_listener.c", receives them.
We can then find out the security context of the process related
to the event from the SELinux kernel module. We are using the system call
"getpidcon" to get the security context from the kernel.
This security context is then matched against the rules given by the user
for classification. These rules are very simple and are kept
separately in one text file in the following format:
<security_context> <name_of_cpuset_class_it_should_go>
If the security context of the current process matches any security context
provided in the user rules, the current process is classified into
that class.
The classification is then enforced by requesting that the kernel move
the current process into the new cpuset. This is done by means
of system calls.
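As an added illustration of the rule file and enforcement path described above, and of the wildcard support mentioned under "Why SELinux ?" (this is example code, not code from the PCSS project), the following C program matches a process's security context against constructed sample rules in the "<security_context> <cpuset_class>" format and builds the path of the cpuset tasks file a PID would be written to. The glob interpretation of wildcards (fnmatch(3)), the sample contexts and cpuset names, and /dev/cpuset as the mount point are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <fnmatch.h>

/* Rules in the README's "<security_context> <cpuset_class>" format; constructed sample, names assumed. */
static const char *SAMPLE_RULES =
    "system_u:system_r:httpd_t:s0 web\n"
    "*:*:mysqld_t:* db\n"
    "user_u:user_r:*:* interactive\n";

/* Match a process's security context against the rules; the first matching rule wins.
 * Wildcards are interpreted with fnmatch(3) glob syntax (an assumption about PCSS).
 * Copies the cpuset name into out and returns 1 on a match, 0 if no rule applies. */
int classify_context(const char *rules, const char *ctx, char *out, size_t outlen)
{
    const char *line = rules;
    while (*line) {
        char buf[400], pattern[256], cpuset[128];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len >= sizeof buf) len = sizeof buf - 1;   /* clip an over-long rule line */
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (sscanf(buf, "%255s %127s", pattern, cpuset) == 2 &&
            fnmatch(pattern, ctx, 0) == 0) {
            snprintf(out, outlen, "%s", cpuset);
            return 1;
        }
        line = nl ? nl + 1 : line + len;          /* next rule, or end of the rule text */
    }
    return 0;                                      /* unmatched: process stays where it is */
}

/* Path of the cpuset "tasks" file the PID would be appended to for enforcement.
 * /dev/cpuset is an assumed mount point; the README does not name one. */
int cpuset_tasks_path(const char *cpuset, char *out, size_t outlen)
{
    return snprintf(out, outlen, "/dev/cpuset/%s/tasks", cpuset);
}

int main(void)
{
    char cs[128], path[256];
    const char *ctx = "system_u:system_r:mysqld_t:s0";   /* constructed example context */
    if (classify_context(SAMPLE_RULES, ctx, cs, sizeof cs)) {
        cpuset_tasks_path(cs, path, sizeof path);
        printf("%s -> cpuset %s via %s\n", ctx, cs, path);
    }
    return 0;
}
```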
KERNEL SPACE                          |  USER SPACE
                                      |
Process events  ---1. NETLINK------>  |  Userspace daemon  <------->  Configuration file
connector                             |  (jobs manager)
                                      |      |   ^          |
SELinux  <-----------2.---------------|------    |          |
SELinux  ------------3.---------------|--------->           |
                                      |                     |
CPUSETfs <-----------4.---------------|----------------------
    |                                 |
   5.                                 |
    v                                 |
CPUSETs (classified)                  |
=====================================================================
PCSS Scope
PCSS can be used in any system that requires process grouping or
classification, such as:
- CKRM ( resource management system )
: Integration had been done, but CKRM is outdated now.
- CPUSET ( resource management for multiprocessor systems )
: This implementation is the integration with CPUSET.
- ELSA ( accounting system )
: A patch has been created for the integration.
( Location : )
- Containers ( future of resource management systems )
: We are looking forward to making this integration.
========================================================================
Why SELinux ?
We used SELinux security contexts for classification because :
1. They are persistent (i.e. they remain the same even after reboots)
2. They are flexible
(i.e. the security context differs depending on who is executing,
which program is being executed, and in what context it has
been executed )
3. They are configurable
(i.e. you can change SELinux policies to set security
contexts as per your needs. There are many user-friendly
tools which help in assigning security contexts, e.g. "seedit")
4. We provide added flexibility by supporting wildcard characters in
the security context
=====================================================================
NOTE :
To enable PCSS for CPUSET on your system, you need to have support
for Connector, SELinux and CPUSET built into your kernel.
By default, every new process gets its parent's SELinux
security_context and goes into the same CPUSET in which the parent process
exists, which is the default behaviour of CPUSET.