[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

Pavel Emelyanov xemul at parallels.com
Tue Jun 9 12:39:13 PDT 2015


On 06/09/2015 01:42 PM, Pavel Tikhomirov wrote:
> Pasha, please consider
> 
> We have ~4 ways:
> 
> 1) Virtualize mounting cgroups in PCS7CT
> +docker test will be happy and all docker-in-docker thing
> -we don't want to patch the kernel for it and thus have a lot of non-mainline code
> 
> 2) We can patch docker tests to make bindmounts from CT to DockerCT 
> instead of mounting cgroups from inside.
> +only OUR docker test will be happy
> -we will have to maintain our patches for docker test
> 
> 3) We can try to send our patches for the docker test to Docker
> +docker tests OK, for other people it will be easier to use 
> docker-in-docker with PCS7 too
> -docker maintainers can say - "Why do they need to change their working 
> code? (Why don't we allow mounting cgroups?)"

Try to go this route.

> 4) Make docker --privileged (which is used for docker-in-docker) option 
> bindmount cgroups inside docker CT
> +docker tests OK, cgroups for docker-in-docker will work everywhere
> -docker maintainers may find some examples where --privileged dockerCT 
> does not need bindmounted cgroups
> 
> On 06/09/2015 12:30 PM, Cyrill Gorcunov wrote:
>> On Tue, Jun 09, 2015 at 12:17:59PM +0300, Pavel Tikhomirov wrote:
>>>
>>>
>>> On 06/09/2015 11:51 AM, Cyrill Gorcunov wrote:
>>>> On Tue, Jun 09, 2015 at 11:48:18AM +0300, Pavel Tikhomirov wrote:
>>>>> Docker tests create a two-level docker container hierarchy, and they need to
>>>>> mount cgroups on the first level to control containers of the second level. Is
>>>>> it safe to "re-revert" this patch to allow the docker tests (unit, integration-cli)
>>>>> to mount cgroups?
>>>>
>>>> Could you please provide more info? Which cgroups it mounts?
>>>
>>> It tries to mount all cgroups which it can see through /proc/1/cgroup
>>>
>>> https://github.com/docker/docker/blob/v1.6.2/hack/dind
>>> https://github.com/docker/docker/blob/master/hack/dind
>>
>> Sigh :( So we have to allow it back then. But this won't make vdavydov@
>> happy. Volodya, do you see some other way?
>>
> 
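
An added example, not part of this thread and not code from Docker's hack/dind script: a shell function that compares the hierarchies listed in a /proc/<pid>/cgroup file with the cgroup mounts in a mountinfo file, showing which hierarchies a nested container would still have to mount itself and which are already provided (for instance by bind mounts, as in options 2 and 4 above). The function names are hypothetical and the sample data is constructed; cgroup-v1 line formats are assumed.

```shell
#!/bin/sh
# Added example. Prints every cgroup-v1 hierarchy named in CGROUP_FILE
# (format of /proc/<pid>/cgroup: "ID:controller-list:path") that has no
# matching cgroup mount in MOUNTINFO_FILE (format of /proc/<pid>/mountinfo).
# File paths must not contain "=", since awk would read them as assignments.
missing_cgroup_mounts() {   # usage: missing_cgroup_mounts CGROUP_FILE MOUNTINFO_FILE
    awk '
    pass == 1 {                           # mountinfo line
        for (i = 1; i <= NF; i++) if ($i == "-") break
        if ($(i + 1) != "cgroup") next    # field after "-" is the fs type
        nm++
        n = split($(i + 3), o, ",")       # super options, e.g. rw,cpuacct,cpu
        for (k = 1; k <= n; k++) has[nm, o[k]] = 1
        next
    }
    pass == 2 {                           # cgroup line
        split($0, f, ":")
        if (f[2] == "") next              # "0::/path" is the v2 hierarchy, skip
        n = split(f[2], c, ",")
        found = 0
        for (m = 1; m <= nm && !found; m++) {
            found = 1                     # one mount must carry every controller
            for (k = 1; k <= n; k++) if (!((m, c[k]) in has)) found = 0
        }
        if (!found) print f[2]
    }' pass=1 "$2" pass=2 "$1"
}

# Constructed sample: memory and cpu,cpuacct are already mounted in the
# container, devices and name=systemd are not.
sample_report() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '4:devices:/' '3:memory:/' '2:cpu,cpuacct:/' \
        '1:name=systemd:/' > "$d/cgroup"
    printf '%s\n' \
        '22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw' \
        '40 35 0:30 / /sys/fs/cgroup/memory rw,nosuid - cgroup cgroup rw,memory' \
        '41 35 0:31 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid - cgroup cgroup rw,cpuacct,cpu' \
        > "$d/mountinfo"
    missing_cgroup_mounts "$d/cgroup" "$d/mountinfo"
    rm -rf "$d"
}

sample_report
```

Inside a container, `missing_cgroup_mounts /proc/1/cgroup /proc/self/mountinfo` lists the hierarchies for which a mount attempt from inside would be needed; empty output means everything is already provided.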



