Mesos / MESOS-7675

Isolate network ports.


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.5.0
    • Component/s: agent
    • Labels: None
    • 8

    Description

      If a task uses network ports, no isolator currently enforces that it listens only on the ports it holds resources for. Implement a ports isolator that limits tasks to listening only on their allocated TCP ports.

      Roughly, the algorithm follows what standard tools like lsof and ss do:

      • Find all listening TCP sockets (using netlink)
      • Index those sockets by inode (taken from the netlink information)
      • Find all open sockets on the system (by scanning the /proc/*/fd/* links)
      • For each open socket, check whether its inode (given in the link target, socket:[inode]) is in the set of listening sockets scanned above
      • If the socket is a listening socket and the owning PID belongs to the task, send a resource limitation for the task

      Matching PIDs to tasks depends on cgroup isolation; otherwise we would have to build a full process tree, which would be nice to avoid.

      Scanning all the open sockets can be avoided by using the net_cls isolator with kernel + libnl3 patches that publish the socket classid when we find the listening socket.

      Design Doc: https://docs.google.com/document/d/1BGmANq8IW-H4-YVUlpdf6qZFTZnDe-OKAY_e7uNp7LA
      Kernel Patch: http://marc.info/?l=linux-kernel&m=150293015025396&w=2
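      The scan sketched in the description, written out as an added example (this is not Mesos code and not the isolator that shipped). It keeps the ticket's steps in order but makes two assumptions of its own: listening sockets are read from /proc/net/tcp and /proc/net/tcp6 rather than netlink sock_diag (the same kernel data, no libnl dependency), and task membership is decided by a cgroup path fragment found in /proc/<pid>/cgroup, standing in for the cgroup the agent would place the task in. The sample /proc/net/tcp text and the PID-to-inode map used for the offline run are constructed for the example.

```python
"""Prototype of the listening-port check from MESOS-7675 (added example, not Mesos code).

Assumptions (not from the ticket): /proc/net/tcp{,6} instead of netlink for step 1,
and a cgroup path fragment in /proc/<pid>/cgroup to decide task membership.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Set

# Socket state code for LISTEN as printed in /proc/net/tcp (TCP_LISTEN == 10).
TCP_LISTEN = "0A"

# readlink(/proc/<pid>/fd/<n>) on a socket yields "socket:[<inode>]".
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

# Constructed sample of /proc/net/tcp: a LISTEN socket on 8080 (0x1F90), an
# ESTABLISHED connection to it, and a LISTEN socket on 22 (0x0016).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 123456 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 123457 1 0000000000000000 20 4 30 10 -1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 123458 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(lines: Iterable[str]) -> Dict[int, int]:
    """Steps 1-2: {inode: local port} for every socket in LISTEN state."""
    listening: Dict[int, int] = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 10 or fields[0] == "sl":
            continue  # header or truncated line
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue
        # local_addr is hex host (4 or 16 bytes) ':' hex port; rsplit covers tcp6 too.
        listening[int(inode)] = int(local_addr.rsplit(":", 1)[1], 16)
    return listening


def socket_inode(link_target: str) -> Optional[int]:
    """Step 3 helper: inode from an fd link target, None for non-socket fds."""
    match = SOCKET_LINK.match(link_target)
    return int(match.group(1)) if match else None


def scan_fd_sockets(pid: int) -> Set[int]:
    """Step 3: inodes of all sockets one process holds open (live /proc read)."""
    inodes: Set[int] = set()
    fd_dir = f"/proc/{pid}/fd"
    try:
        entries = os.listdir(fd_dir)
    except OSError:
        return inodes  # process exited, or not ours to inspect
    for entry in entries:
        try:
            inode = socket_inode(os.readlink(os.path.join(fd_dir, entry)))
        except OSError:
            continue  # fd closed between listdir and readlink
        if inode is not None:
            inodes.add(inode)
    return inodes


def pids_in_cgroup(cgroup_fragment: str) -> Set[int]:
    """Task membership via cgroups (assumption: the task's cgroup path contains
    cgroup_fragment), which is what lets us skip building a process tree."""
    pids: Set[int] = set()
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/cgroup") as f:
                if any(cgroup_fragment in line for line in f):
                    pids.add(int(name))
        except OSError:
            continue
    return pids


def listen_violations(listening: Dict[int, int], open_sockets: Dict[int, Set[int]],
                      task_pids: Set[int], allocated_ports: Set[int]) -> Dict[int, List[int]]:
    """Steps 4-5: {pid: [ports]} for task processes listening outside their
    allocation. A non-empty result is what would raise the resource limitation."""
    violations: Dict[int, List[int]] = {}
    for pid in task_pids:
        bad = sorted({listening[ino] for ino in open_sockets.get(pid, set())
                      if ino in listening and listening[ino] not in allocated_ports})
        if bad:
            violations[pid] = bad
    return violations


def check_live(cgroup_fragment: str, allocated_ports: Set[int]) -> Dict[int, List[int]]:
    """Run the whole scan against the running system (Linux only)."""
    lines: List[str] = []
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                lines.extend(f)
        except OSError:
            pass  # e.g. IPv6 disabled
    task_pids = pids_in_cgroup(cgroup_fragment)
    open_sockets = {pid: scan_fd_sockets(pid) for pid in task_pids}
    return listen_violations(parse_proc_net_tcp(lines), open_sockets, task_pids, allocated_ports)


if __name__ == "__main__":
    # Offline run on the constructed data: pid 101 owns the 8080 listener (allocated),
    # pid 102 owns the listener on 22 (not allocated) -> {102: [22]}.
    listening = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP.splitlines())
    print(listen_violations(listening, {101: {123456, 123457}, 102: {123458}}, {101, 102}, {8080}))
```

      Two practical caveats the ticket's scheme inherits: it is a periodic scan, so a process can bind, accept a connection and close the listener between two scans without being seen; and the check only says that a task process holds a listening socket for a port, so the enforcement action (the resource limitation the ticket mentions) is after the fact, not a bind()-time block. Each scan also walks every /proc/<pid>/fd on the host, which is the cost the net_cls classid optimisation in the description is meant to remove.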

      People

        James Peach (jamespeach)
        Qian Zhang
        Votes: 0
        Watchers: 6