[Devel] Re: cgroup attach/fork hooks consistency with the ns_cgroup

Li Zefan lizf at cn.fujitsu.com
Wed Jun 17 18:21:24 PDT 2009


> The ns cgroup is really only good for preventing root in a container
> from escaping its cgroup-imposed limits.  The same can be done today
> using smack or selinux, and eventually will be possible using user
> namespaces.  Would anyone object to removing ns_cgroup?
> 

I vote for removing it. :)

> It won't just remove kernel/ns_cgroup.c, but some subtle code in
> fork.c, nsproxy.c, and of course cgroup.c as well.
> 

Yeah, regarding cgroup, cgroup_clone() and cgroup_is_descendant()
can be removed. cgroup_clone() is somewhat ugly I think.

> There admittedly is a minute convenience gain in not having to
> manually create a new cgroup and attach a cloned child to it, but
> that wasn't the intent of the cgroup.
> 
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers



