[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

Pavel Tikhomirov ptikhomirov at odin.com
Tue Jun 9 02:17:59 PDT 2015



On 06/09/2015 11:51 AM, Cyrill Gorcunov wrote:
> On Tue, Jun 09, 2015 at 11:48:18AM +0300, Pavel Tikhomirov wrote:
>> Docker tests create two level docker containers hierarchy, and they need to
>> mount cgroups on the first level to control containers of second level. Is
>> it safe to "re-revert" this patch to allow docker tests (unit, integration-cli) to
>> mount cgroups?
>
> Could you please provide more info? Which cgroups it mounts?

It tries to mount all cgroups which it can see through /proc/1/cgroup.

https://github.com/docker/docker/blob/v1.6.2/hack/dind
https://github.com/docker/docker/blob/master/hack/dind

> Technically, sure, it's safe to allow mounting known cgroups,
> but we disabled this feature not for security reasons but
> rather because it hits performance on the node in the first place.
>

-- 
Best regards, Tikhomirov Pavel
Junior Software Developer, Odin.
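
An added illustration, not part of this thread and not the dind script itself: a dry run that reads cgroup entries in the `/proc/<pid>/cgroup` format (`hierarchy-ID:controller-list:path`) and prints one mount request per hierarchy, which is the set of mounts a container would ask the node for. The sample input, the function names and the `/sys/fs/cgroup` root are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of /proc/1/cgroup as seen from inside a container.
sample_cgroup() {
cat <<'EOF'
9:perf_event:/
8:cpu,cpuacct:/
7:memory:/
6:devices:/
5:freezer:/
4:blkio:/
3:cpuset:/
2:name=systemd:/
0::/
EOF
}

# Read /proc/<pid>/cgroup lines on stdin, print one controller list per
# hierarchy. The cgroup v2 entry has an empty list and is skipped.
list_hierarchies() {
    while IFS=: read -r id ctrls path; do
        if [ -n "$ctrls" ]; then
            printf '%s\n' "$ctrls"
        fi
    done
}

# Print (do not run) the mount command for each hierarchy under root $1.
# Named hierarchies carry no controllers, so they need "none,name=...".
plan_mounts() {
    root=$1
    list_hierarchies | while read -r ctrls; do
        case $ctrls in
            name=*) opts="none,$ctrls"; dir=${ctrls#name=} ;;
            *)      opts=$ctrls;        dir=$ctrls ;;
        esac
        printf 'mount -t cgroup -o %s cgroup %s/%s\n' "$opts" "$root" "$dir"
    done
}

# Dry run over the constructed sample; on a real system, feed
# /proc/1/cgroup on stdin instead.
sample_cgroup | plan_mounts /sys/fs/cgroup
```

Comparing this plan against the hierarchies already listed in `/proc/mounts` shows which requests a first-level container would actually send to the node.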