[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

[Pavel Tikhomirov]

Pasha, please consider

We have ~4 ways:

1) Virtualize mounting cgroups in PCS7CT
+docker test will be happy and all docker-in-docker thing
-we don't want patch kernel for it and thus have a lot of non-mainline code

2) We can patch docker tests to make bindmounts from CT to DockerCT 
instead of mounting cgroups from inside.
+only OUR docker test will be happy
-we will have to maintain our patches for docker test

3) We can try to send those our patches for docker test into Docker
+docker tests OK, for other people it will be easier to use 
docker-in-docker with PCS7 too
-docker maintainers can say - "Why they need to change their working 
code?(Why we don't allow mount cgroups?)"

4) Make docker --priviledged(which is used for docker-in-docker) option 
bindmount cgroups inside docker CT
+docker tests OK, cgroups for docker-in-docker will work everywhere
-docker maintainers may find some examples where --priviledged dockerCT 
does not need bindmounted cgroups

On 06/09/2015 12:30 PM, Cyrill Gorcunov wrote:
> On Tue, Jun 09, 2015 at 12:17:59PM +0300, Pavel Tikhomirov wrote:
>>
>>
>> On 06/09/2015 11:51 AM, Cyrill Gorcunov wrote:
>>> On Tue, Jun 09, 2015 at 11:48:18AM +0300, Pavel Tikhomirov wrote:
>>>> Docker tests create two level docker containers hierarchy, and they need to
>>>> mount cgroups on the first level to control containers of second level. Is
>>>> it safe to "re-revert" this patch to allow docker test(unit,integration-cli)
>>>> mount cgroups?
>>>
>>> Could you please provide more info? Which cgroups it mounts?
>>
>> It tries to mount all cgroups which it can see through /proc/1/cgroup
>>
>> https://github.com/docker/docker/blob/v1.6.2/hack/dind
>> https://github.com/docker/docker/blob/master/hack/dind
>
> Sigh :( So we have to allow its back then. But this won't make vdavydov@
> happy. Volodya, do you see some other way?
>

-- 
Best regards, Tikhomirov Pavel
Junior Software Developer, Odin.