Brian Bockelman wrote:
However, it's a long road to getting rid of the procd. Right now, this is all another tool in the procd's arsenal. I'd want to see these techniques "work well" in the wild, before we think about disabling parts of the procd, then slowly disabling functionality if the cgroups take care of it. For example, it shouldn't be necessary to scan all the PIDs anymore as the kernel keeps the hierarchies. There's so much procd code that I don't see a clear way to do a "big bang" replacement (not to mention that "legacy" linuxes, such as basically all the deployed Condor installs, will take a long time to phase out).
Agreed. Like cgroups, having the procd leverage PID namespaces (which seem really really nice btw!!!!) to do what it does more efficiently, securely, or completely on newer kernels is the route to go.
p.s. Brian, re the cgroups patch, it hasn't been forgotten - I talked w/ Pete yesterday about it. Pete was on vacation and preempted a bit, but he will have some minor code review changes soon and then it will go into the master branch for Condor v7.7.[0 | 1].
best regards
Todd

--
Todd Tannenbaum                       University of Wisconsin-Madison
Center for High Throughput Computing  Department of Computer Sciences
tannenba@xxxxxxxxxxx                  1210 W. Dayton St. Rm #4257
Phone: (608) 263-7132                 Madison, WI 53706-1685