kerrighed_capabilities
Language: en
Version: 08/23/2007 (mandriva - 22/10/07)
Section: 7 (Miscellaneous)
NAME
kerrighed_capabilities - overview of Kerrighed capabilities
DESCRIPTION
Kerrighed provides an (as yet incomplete) system of capabilities, which allows administrators and users to define the way their processes behave in terms of SSI mechanisms. Kerrighed cluster-wide mechanisms are divided into distinct units that can be independently enabled and disabled.
Capabilities List
The following capabilities are implemented:
CAP_CHANGE_KERRIGHED_CAP
- Allow changing capabilities.
CAP_CAN_MIGRATE
- Allow process to migrate.
CAP_DISTANT_FORK
- This capability is used by the fork system call to decide if it should try to fork the new program on a distant node. Success of this operation is not guaranteed.
CAP_SEE_LOCAL_PROC_STAT
- Allow seeing /proc files of the local node instead of the globalized /proc of the cluster.
Process Capabilities
Each process has four capability sets containing zero or more of the above capabilities:
Effective:
- the capabilities used by the kernel to perform permission checks for the process.
Permitted:
- the capabilities that the process may assume (i.e., a limiting superset for the effective, inheritable and inheritable effective sets). If a process drops a capability from its permitted set, it can never re-acquire that capability (unless it execs a set-UID-root program).
Inheritable Permitted:
- the capabilities preserved across an execve(2).
Inheritable Effective:
- the capabilities preserved across an execve(2).
Capabilities Transmission
During a fork, the kernel calculates the new capabilities of the process using the following algorithm:
- P'(permitted) = (P(inheritable permitted) & F(allowed)) | F(forced)
- P'(effective) = P(inheritable effective) & F(effective) & P'(permitted)
- P'(inheritable permitted) = P(inheritable permitted) [i.e., unchanged]
- P'(inheritable effective) = P(inheritable effective) [i.e., unchanged]
where:
P
- denotes the value of a process capability set before the exec
P'
- denotes the value of a capability set after the exec
F
- denotes a file capability set
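The transmission formulas above, worked through as bitmask operations. This is an added example, not Kerrighed kernel code: the bit values, the struct names and the functions transmit(), gained_by_force() and demo() are assumptions made for illustration, and the file sets are taken as plain inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values are constructed for this example; the page lists names only. */
enum { CAP_CHANGE_KERRIGHED_CAP = 1, CAP_CAN_MIGRATE = 2,
       CAP_DISTANT_FORK = 4, CAP_SEE_LOCAL_PROC_STAT = 8 };

/* Hypothetical containers for the four process sets and the file sets. */
struct krg_caps { uint32_t permitted, effective, inh_permitted, inh_effective; };
struct file_caps { uint32_t allowed, forced, effective; };

/* Apply the four transmission equations; returns the P' sets. */
struct krg_caps transmit(struct krg_caps p, struct file_caps f)
{
    struct krg_caps n;
    n.permitted = (p.inh_permitted & f.allowed) | f.forced;
    n.effective = p.inh_effective & f.effective & n.permitted;
    n.inh_permitted = p.inh_permitted;   /* unchanged */
    n.inh_effective = p.inh_effective;   /* unchanged */
    return n;
}

/* Capabilities that reach P'(permitted) only because F(forced) grants them. */
uint32_t gained_by_force(struct krg_caps p, struct file_caps f)
{
    return f.forced & ~(p.inh_permitted & f.allowed);
}

/* Constructed case: the parent holds CAP_CHANGE_KERRIGHED_CAP but does not
 * make it inheritable, and the file does not allow CAP_DISTANT_FORK. */
struct krg_caps demo(void)
{
    struct krg_caps parent = {
        .permitted = CAP_CHANGE_KERRIGHED_CAP | CAP_CAN_MIGRATE | CAP_DISTANT_FORK,
        .effective = CAP_CAN_MIGRATE,
        .inh_permitted = CAP_CAN_MIGRATE | CAP_DISTANT_FORK,
        .inh_effective = CAP_CAN_MIGRATE | CAP_DISTANT_FORK | CAP_SEE_LOCAL_PROC_STAT,
    };
    struct file_caps file = { .allowed = CAP_CAN_MIGRATE | CAP_SEE_LOCAL_PROC_STAT,
                              .forced = 0, .effective = ~0u };
    return transmit(parent, file);
}

int main(void)
{
    struct krg_caps c = demo();
    printf("permitted=0x%x effective=0x%x\n", (unsigned)c.permitted, (unsigned)c.effective);
    return 0;
}
```

In the constructed case only CAP_CAN_MIGRATE survives: a capability in the inheritable effective set never becomes effective unless it is also in the new permitted set, while anything in F(forced) is granted regardless of what the parent held.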
FILES
/etc/kerrighed_nodes
- This file contains the list of nodes used in the Kerrighed cluster. See kerrighed_nodes(5) for further details.
AUTHOR
Renaud Lottiaux <renaud.lottiaux@kerlabs.com>
SEE ALSO
krg_capset(1)