[Devel] Re: containers and cgroups mini-summit @ Linux Plumbers

Eric W. Biederman ebiederm at xmission.com
Thu Jul 26 12:38:16 PDT 2012


Serge Hallyn <serge.hallyn at canonical.com> writes:
> (Sorry, please disregard my last email :)
>
> Yes, what we do now in ubuntu quantal is the bind mounts you mention,
> and only optionally (using a startup hook).
> Each container is brought up in say
> /sys/fs/cgroup/devices/lxc/container1/container1.real, and that dir is
> bind-mounted under /sys/fs/cgroup/devices in the guest.  The guest
> is not allowed to mount cgroup fs himself.
>
> It's certainly not ideal (and in cases where cgroup allows you to
> raise your own limits, worthless).  The 'fake cgroup root' has been
> mentioned before to address this.  Definitely worth discussing.

It is going to be interesting to see how all of the unprivileged
operations work when the user-namespaces start allowing unprivileged
users to do things (3.7 timeframe I hope).

I can see it making things both easier and harder.  I would hope not
actually being root will make it easier to keep from raising your own
limits.

Running some operations as non-root will catch other places off guard
where people were definitely expecting nothing of the kind.

There are a couple of networking memory limits exposed through sysctl
that I don't expect we want everyone changing, that I need to figure out
how to separate out from the rest.  A concept that hasn't existed
before.

Eric
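A check for the setup Serge describes above, added here and not part of the thread: from inside a guest, parse /proc/self/mountinfo and confirm that the cgroup filesystem mounted at /sys/fs/cgroup/devices is a bind of a per-container subdirectory rather than the root of the host hierarchy (a bind mount records the bound path in mountinfo's fourth, "root", field). The mountinfo lines below are constructed samples; the /lxc/container1/container1.real path is the one quoted in the thread, and the check says nothing about whether the guest can raise its own limits within that subtree.

```python
# Constructed /proc/self/mountinfo samples (cgroup v1 layout, as in the thread).
# Confined guest: the devices hierarchy mounted in the guest is a bind of the
# host subdirectory /lxc/container1/container1.real, so the "root" field
# (4th column) carries that path instead of "/".
MOUNTINFO_CONFINED = """\
21 18 0:19 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
27 21 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
29 27 0:25 /lxc/container1/container1.real /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
"""

# Unconfined guest: the whole host devices hierarchy is visible (root is "/").
MOUNTINFO_FULL = """\
21 18 0:19 / /sys rw,nosuid,nodev,noexec,relatime - sysfs sysfs rw
27 21 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
29 27 0:25 / /sys/fs/cgroup/devices rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
"""


def parse_mountinfo(text):
    """Yield (root, mount_point, fstype, super_options) for each mountinfo line.

    Optional fields (e.g. "shared:1") may precede the " - " separator, so the
    line is split on that separator rather than on fixed column positions.
    """
    for line in text.splitlines():
        pre, sep, post = line.partition(" - ")
        pre_fields, post_fields = pre.split(), post.split()
        if not sep or len(pre_fields) < 6 or len(post_fields) < 3:
            continue  # blank or malformed line; skip rather than guess
        yield pre_fields[3], pre_fields[4], post_fields[0], post_fields[2]


def cgroup_view_root(text, mount_point):
    """Return the bound subtree of the cgroup fs at mount_point, or None if absent."""
    for root, mp, fstype, _ in parse_mountinfo(text):
        if fstype == "cgroup" and mp == mount_point:
            return root
    return None


def is_confined(text, mount_point="/sys/fs/cgroup/devices"):
    """True when the guest's cgroup mount is a bind of a subdirectory, not the hierarchy root."""
    root = cgroup_view_root(text, mount_point)
    return root is not None and root != "/"
```

On a live guest, pass `open("/proc/self/mountinfo").read()` to `is_confined`.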