[Devel] Re: cgroup attach/fork hooks consistency with the ns_cgroup
Li Zefan
lizf at cn.fujitsu.com
Wed Jun 17 18:21:24 PDT 2009
> The ns cgroup is really only good for preventing root in a container
> from escaping its cgroup-imposed limits. The same can be done today
> using smack or selinux, and eventually will be possible using user
> namespaces. Would anyone object to removing ns_cgroup?
>
I vote for removing it. :)
> It won't just remove kernel/ns_cgroup.c, but some subtle code in
> fork.c, nsproxy.c, and of course cgroup.c as well.
>
Yeah, regarding cgroup, cgroup_clone() and cgroup_is_descendant()
can be removed. cgroup_clone() is somewhat ugly I think.
> There admittedly is minute convenience gain in not having to
> manually create a new cgroup and attach a cloned child to it, but
> that wasn't the intent of the cgroup.
>
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers