mbox series

[v2,0/2] pid_namespace: namespacify sysctl kernel.pid_max

Message ID 20241122132459.135120-1-aleksandr.mikhalitsyn@canonical.com
Headers show
Series pid_namespace: namespacify sysctl kernel.pid_max | expand

Message

Alexander Mikhalitsyn Nov. 22, 2024, 1:24 p.m. UTC
Dear friends,

this is just a rebase/small rework of original Christian Brauner's series
from:
https://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux.git/log/?h=pid_max_namespacing

Christian kindly allowed me to take these patches and resend after small modifications.

Current tree:
https://github.com/mihalicyn/linux/commits/pid_max_namespacing

Changelog for version 2:
- rebased from 6.7 to 6.12

Changelog (from original Christian's patches):
 - rebased from 5.14-rc1
 - a few fixes (missing ns_free_inum on error path, missing initialization, etc)
 - permission check changes in pid_table_root_permissions
 - unsigned int pid_max -> int pid_max (keep pid_max type as it was)
 - add READ_ONCE in alloc_pid() as suggested by Christian
[ it is here https://lore.kernel.org/lkml/20240222160915.315255-1-aleksandr.mikhalitsyn@canonical.com/#t ]

Original description from Christian:

The pid_max sysctl is a global value. For a long time the default value
has been 65535 and during the pidfd dicussions Linus proposed to bump
pid_max by default (cf. [1]). Based on this discussion systemd started
bumping pid_max to 2^22. So all new systems now run with a very high
pid_max limit with some distros having also backported that change.
The decision to bump pid_max is obviously correct. It just doesn't make
a lot of sense nowadays to enforce such a low pid number. There's
sufficient tooling to make selecting specific processes without typing
really large pid numbers available.

In any case, there are workloads that have expections about how large
pid numbers they accept. Either for historical reasons or architectural
reasons. One concreate example is the 32-bit version of Android's bionic
libc which requires pid numbers less than 65536. There are workloads
where it is run in a 32-bit container on a 64-bit kernel. If the host
has a pid_max value greater than 65535 the libc will abort thread
creation because of size assumptions of pthread_mutex_t.

That's a fairly specific use-case however, in general specific workloads
that are moved into containers running on a host with a new kernel and a
new systemd can run into issues with large pid_max values. Obviously
making assumptions about the size of the allocated pid is suboptimal but
we have userspace that does it.

Of course, giving containers the ability to restrict the number of
processes in their respective pid namespace indepent of the global limit
through pid_max is something desirable in itself and comes in handy in
general.

Independent of motivating use-cases the existence of pid namespaces
makes this also a good semantical extension and there have been prior
proposals pushing in a similar direction.
The trick here is to minimize the risk of regressions which I think is
doable. The fact that pid namespaces are hierarchical will help us here.

What we mostly care about is that when the host sets a low pid_max
limit, say (crazy number) 100 that no descendant pid namespace can
allocate a higher pid number in its namespace. Since pid allocation is
hierarchial this can be ensured by checking each pid allocation against
the pid namespace's pid_max limit. This means if the allocation in the
descendant pid namespace succeeds, the ancestor pid namespace can reject
it. If the ancestor pid namespace has a higher limit than the descendant
pid namespace the descendant pid namespace will reject the pid
allocation. The ancestor pid namespace will obviously not care about
this.
All in all this means pid_max continues to enforce a system wide limit
on the number of processes but allows pid namespaces sufficient leeway
in handling workloads with assumptions about pid values and allows
containers to restrict the number of processes in a pid namespace
through the pid_max interface.

Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Alexander Mikhalitsyn <aleksandr.mikhalitsyn@canonical.com>

Christian Brauner (2):
  pid: allow pid_max to be set per pid namespace
  tests/pid_namespace: add pid_max tests

 include/linux/pid.h                           |   3 -
 include/linux/pid_namespace.h                 |  10 +-
 kernel/pid.c                                  | 125 +++++-
 kernel/pid_namespace.c                        |  43 ++-
 kernel/sysctl.c                               |   9 -
 kernel/trace/pid_list.c                       |   2 +-
 kernel/trace/trace.h                          |   2 -
 kernel/trace/trace_sched_switch.c             |   2 +-
 .../selftests/pid_namespace/.gitignore        |   1 +
 .../testing/selftests/pid_namespace/Makefile  |   2 +-
 .../testing/selftests/pid_namespace/pid_max.c | 358 ++++++++++++++++++
 11 files changed, 521 insertions(+), 36 deletions(-)
 create mode 100644 tools/testing/selftests/pid_namespace/pid_max.c