From patchwork Mon Dec 19 16:21:11 2011
X-Patchwork-Submitter: Tim Gardner
X-Patchwork-Id: 132283
Message-ID: <4EEF6477.9020202@canonical.com>
Date: Mon, 19 Dec 2011 09:21:11 -0700
From: Tim Gardner
To: Serge Hallyn
Subject: Re: Lucid SRU - UBUNTU: SAUCE: netns: Add quota for number of NET_NS instances.
References: <4ED7F629.8070408@canonical.com> <4ED8021D.4050204@canonical.com> <20111219153257.GB4887@sergelap>
In-Reply-To: <20111219153257.GB4887@sergelap>
Cc: Tetsuo Handa, Ubuntu Kernel Team

On 12/19/2011 08:32 AM, Serge Hallyn wrote:
> Quoting Brad Figg (brad.figg@canonical.com):
>> On 12/01/2011 01:48 PM, Tim Gardner wrote:
>>> Please consider this (untested) patch for inclusion in Lucid. See the discussion in
>>> http://bugs.launchpad.net/bugs/790863 for arguments proposing to restore CONFIG_NET_NS.
>>>
>>> I'll post a test kernel to the bug in a while.
>>>
>>> One of the issues I have with this patch is that it appears that any consumer of network
>>> name spaces will have to initially write a non-zero value to netns_max before _any_ name
>>> spaces can be successfully allocated. If copy_net_ns() fails in create_new_namespaces(),
>>> then it seems the whole allocation is buggered.
>>>
>>> rtg
>>
>> Tim,
>>
>> If you follow the thread that starts at:
>> http://www.spinics.net/lists/netdev/msg180263.html
>> you will see that Tetsuo actually proposed a modified
>> version of this patch: http://www.spinics.net/lists/netdev/msg180360.html.
>
> (Shouldn't used_netns_count default to 1? :)
>
> It looks good, I'd only ask that a warning be printed, even if only
> printk_once(), when the limit is hit. Otherwise we risk mysterious
> bugs reported against other software.
>
> Acked-by: Serge Hallyn
>
> thanks,
> -serge

Serge - How about this?
Changes include a non-zero initial value for max_netns_count, and a printk_once() warning if the count is ever exceeded.

rtg

Acked-by: Serge Hallyn

From 2510c5664eabb0a53cfccb571ed137e47d87f9df Mon Sep 17 00:00:00 2001
From: Tetsuo Handa
Date: Thu, 1 Dec 2011 14:28:04 -0700
Subject: [PATCH 1/2] UBUNTU: SAUCE: netns: Add quota for number of NET_NS instances.

CONFIG_NET_NS support in 2.6.32 has a problem that leads to OOM killer when clone(CLONE_NEWNET) is called instantly.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/720095

But disabling CONFIG_NET_NS broke lxc containers.
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/790863

This patch introduces /proc/sys/net/core/netns_max interface that limits max number of network namespace instances.

Signed-off-by: Tetsuo Handa
Signed-off-by: Tim Gardner
---
 include/net/sock.h         |    4 ++++
 net/core/net_namespace.c   |   13 +++++++++++++
 net/core/sysctl_net_core.c |   10 ++++++++++
 3 files changed, 27 insertions(+), 0 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 4babe89..3cd628c 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1620,4 +1620,8 @@ extern int sysctl_optmem_max; extern __u32 sysctl_wmem_default; extern __u32 sysctl_rmem_default; +#ifdef CONFIG_NET_NS +extern int max_netns_count; +#endif + #endif /* _SOCK_H */
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 1c1af27..841df10 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -81,12 +81,22 @@ static struct net_generic *net_alloc_generic(void) #ifdef CONFIG_NET_NS static struct kmem_cache *net_cachep; static struct workqueue_struct *netns_wq; +static atomic_t used_netns_count = ATOMIC_INIT(0); +unsigned int max_netns_count = 1024; static struct net *net_alloc(void) { struct net *net = NULL; struct net_generic *ng; + atomic_inc(&used_netns_count); + if (atomic_read(&used_netns_count) >= max_netns_count) { + printk_once(KERN_WARNING + "net_alloc: Exceeded maximum (%d) net namespace allocations.\n", + max_netns_count); + goto out; + } + ng = net_alloc_generic(); if (!ng) goto out;
@@ -96,7 +106,9 @@ static struct net *net_alloc(void) goto out_free; rcu_assign_pointer(net->gen, ng); + return net; out: + atomic_dec(&used_netns_count); return net; out_free:
@@ -115,6 +127,7 @@ static void net_free(struct net *net) #endif kfree(net->gen); kmem_cache_free(net_cachep, net); + atomic_dec(&used_netns_count); } static struct net *net_create(void)
diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
index 7db1de0..81c79df 100644
--- a/net/core/sysctl_net_core.c
+++ b/net/core/sysctl_net_core.c
@@ -89,6 +89,16 @@ static struct ctl_table net_core_table[] = { .mode = 0644, .proc_handler = proc_dointvec }, +#ifdef CONFIG_NET_NS + { + .ctl_name = CTL_UNNUMBERED, + .procname = "netns_max", + .data = &max_netns_count, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec, + }, +#endif #endif /* CONFIG_NET */ { .ctl_name = NET_CORE_BUDGET,
-- 
1.7.0.4
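Review bot: the include/net/sock.h hunk declares `extern int max_netns_count;` while the net_namespace.c hunk defines it as `unsigned int max_netns_count = 1024;`, so the declaration and the definition disagree on the type: a conflicting-types error if both are ever visible in one translation unit, and a silent mismatch otherwise, and the `%d` in the printk_once format does not match an unsigned int either. Since the sysctl entry already reads the variable through proc_dointvec with `.maxlen = sizeof(int)`, the simplest fix is to make the definition `int max_netns_count = 1024;` so it matches the declaration and the format string; the alternative is to make both unsigned and print it with `%u`.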
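Review bot: in the net_alloc() hunk, `atomic_inc(&used_netns_count);` followed by `if (atomic_read(&used_netns_count) >= max_netns_count)` rejects the allocation that would bring the count up to the limit, so at most max_netns_count - 1 namespaces can exist, and init_net, which is never allocated through net_alloc(), is not counted at all (the "default to 1?" remark in the quoted thread). Suggest `if (atomic_inc_return(&used_netns_count) > max_netns_count)`, which makes the limit inclusive and replaces the increment plus separate read with one atomic operation; if init_net is meant to count against the quota, initialise the counter with `ATOMIC_INIT(1)`. The `out:` label decrementing on every failure path, including the `out_free:` path that jumps to it, and the matching decrement in net_free() look correct.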
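Review bot: the sysctl_net_core.c hunk registers netns_max with `.proc_handler = proc_dointvec` and no bounds, so a negative value can be written to /proc/sys/net/core/netns_max; with the unsigned definition in the net_namespace.c hunk that becomes an enormous limit that silently disables the quota, and with a signed definition it makes every net_alloc() call fail, neither of which a typo by an administrator should be able to cause. Use `proc_dointvec_minmax` with `.extra1` pointing at a static int zero (adding one if the file does not already have it) so the minimum is 0. The new knob also gets no documentation in this patch; the one-line description of the interface in the commit message belongs in Documentation/sysctl/net.txt alongside the other net.core entries.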