[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

Konstantin Khorenko khorenko at virtuozzo.com
Tue Jun 9 14:28:12 PDT 2015


On 06/09/2015 10:39 PM, Pavel Emelyanov wrote:
> On 06/09/2015 01:42 PM, Pavel Tikhomirov wrote:
>> Pasha, please consider
>>
>> We have ~4 ways:
>>
>> 1) Virtualize mounting cgroups in PCS7CT
>> +docker test will be happy and all the docker-in-docker things
>> -we don't want to patch the kernel for it and thus have a lot of non-mainline code
>>
>> 2) We can patch docker tests to make bindmounts from CT to DockerCT 
>> instead of mounting cgroups from inside.
>> +only OUR docker test will be happy
>> -we will have to maintain our patches for docker test
>>
>> 3) We can try to send those patches of ours for the docker test into Docker
>> +docker tests OK, for other people it will be easier to use 
>> docker-in-docker with PCS7 too
>> -docker maintainers can say - "Why do they need to change their working 
>> code? (Why don't we allow mounting cgroups?)"
> 
> Try to go this route.

Pasha, in this case we won't be able to create privileged Docker CTs inside
Virtuozzo 7 Containers.
Do we need this functionality? Why?

>> 4) Make the docker --privileged option (which is used for docker-in-docker) 
>> bindmount cgroups inside the docker CT
>> +docker tests OK, cgroups for docker-in-docker will work everywhere
>> -docker maintainers may find some examples where a --privileged dockerCT 
>> does not need bindmounted cgroups
>>
>> On 06/09/2015 12:30 PM, Cyrill Gorcunov wrote:
>>> On Tue, Jun 09, 2015 at 12:17:59PM +0300, Pavel Tikhomirov wrote:
>>>>
>>>>
>>>> On 06/09/2015 11:51 AM, Cyrill Gorcunov wrote:
>>>>> On Tue, Jun 09, 2015 at 11:48:18AM +0300, Pavel Tikhomirov wrote:
>>>>>> Docker tests create a two-level docker container hierarchy, and they need to
>>>>>> mount cgroups on the first level to control containers of the second level. Is
>>>>>> it safe to "re-revert" this patch to allow the docker tests (unit, integration-cli)
>>>>>> to mount cgroups?
>>>>>
>>>>> Could you please provide more info? Which cgroups it mounts?
>>>>
>>>> It tries to mount all cgroups which it can see through /proc/1/cgroup
>>>>
>>>> https://github.com/docker/docker/blob/v1.6.2/hack/dind
>>>> https://github.com/docker/docker/blob/master/hack/dind
>>>
>>> Sigh :( So we have to allow it back then. But this won't make vdavydov@
>>> happy. Volodya, do you see some other way?
>>>
>>
> 
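The thread says hack/dind mounts every cgroup hierarchy visible through /proc/1/cgroup. The following read-only audit is an added example (not code from this thread or from Docker): it parses a constructed /proc/1/cgroup sample into hierarchies and lists the mount points a dind-style helper would try to create, so an administrator can see what a privileged nested container would attempt before deciding whether to allow it. Naming the mount point after the controller field is an assumption about dind, not taken from the thread.

```python
"""Audit: which cgroup hierarchies would a dind-style helper try to mount?

Added example, not code from the thread or from docker/hack/dind.
Parses the cgroup v1 format of /proc/1/cgroup:
    hierarchy-id:comma-separated-controllers:path-within-hierarchy
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of /proc/1/cgroup as seen from inside a container.
SAMPLE_PROC_1_CGROUP = """\
9:perf_event:/
8:net_cls,net_prio:/
7:cpu,cpuacct:/
6:devices:/
5:memory:/
4:freezer:/
3:blkio:/
2:cpuset:/
1:name=systemd:/user.slice/user-1000.slice/session-1.scope
"""


@dataclass(frozen=True)
class Hierarchy:
    hier_id: int
    controllers: Tuple[str, ...]  # empty for the cgroup v2 unified line "0::/"
    path: str


def parse_proc_cgroup(text: str) -> List[Hierarchy]:
    """Parse /proc/1/cgroup text into Hierarchy records."""
    result = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # The path may contain ':' itself, so split at most twice.
        hier_id, ctrls, path = line.split(":", 2)
        controllers = tuple(c for c in ctrls.split(",") if c)
        result.append(Hierarchy(int(hier_id), controllers, path))
    return result


def mount_targets(hierarchies: List[Hierarchy], base: str = "/sys/fs/cgroup") -> List[str]:
    """Mount points a dind-style script would create, one per v1 hierarchy.
    Assumption: the directory is named after the controller field verbatim."""
    return [f"{base}/{','.join(h.controllers)}" for h in hierarchies if h.controllers]


if __name__ == "__main__":
    for target in mount_targets(parse_proc_cgroup(SAMPLE_PROC_1_CGROUP)):
        print(target)
```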