kerrighed_capabilities

Langue: en

Version: 08/23/2007 (mandriva - 22/10/07)

Section: 7 (Divers)

Sommaire

NAME

kerrighed_capabilities - overview of Kerrighed capabilities

DESCRIPTION

Kerrighed provides a (as yet incomplete) system of capabilities, which allows administrator and users to define the way their processes behave in term of SSI mechanisms. Kerrighed cluster wide mechanisms are divided into distinct units that can be independently enabled and disabled.

Capabilities List

The following capabilities are implemented:

CAP_CHANGE_KERRIGHED_CAP

Allow changing capabilities.

CAP_CAN_MIGRATE

Allow process to migrate.

CAP_DISTANT_FORK

This capability is used by the fork system call to decide if it should try to fork the new program on a distant node. Success of this operation is not guarantied.

CAP_SEE_LOCAL_PROC_STAT

Allow seeing /proc files of the local node instead of the globalized /proc of the cluster.

Process Capabilities

Each process has four capability sets containing zero or more of the above capabilities:

Effective:

the capabilities used by the kernel to perform permission checks for the process.

Permitted:

the capabilities that the process may assume (i.e., a limiting superset for the the effective, inheritable and inheritable effective sets). If a process drops a capability from its permitted set, it can never re-acquire that capability (unless it execs a set-UID-root program).

Inheritable Permited:

the capabilities preserved across an execve(2).

Inheritable Effective:

the capabilities preserved across an execve(2).

Capabilities Transmission

During a fork, the kernel calculates the new capabilities of the process using the following algorithm:

           P'(permitted) = (P(inheritable permitted) & F(allowed)) | F(forced)P'(effective) = P(inheritable effective) & F(effective) & P'(permitted)P'(inheritable permitted) = P(inherited permitted)     [i.e., unchanged]P'(inheritable effective) = P(inheritable effective)   [i.e., unchanged]

where:

P

denotes the value of a process capability set before the exec

P'

denotes the value of a capability set after the exec

F

denotes a file capability set

FILES

/etc/kerrighed_nodes

This file contains the list of nodes used in the Kerrighed cluster. See kerrighed_nodes(5) for further details.

AUTHOR

Renaud Lottiaux <renaud.lottiaux@kerlabs.com>

SEE ALSO

krg_capset(1)