[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jun 17 01:34:32 PDT 2015


On 06/10/2015 12:28 AM, Konstantin Khorenko wrote:
> On 06/09/2015 10:39 PM, Pavel Emelyanov wrote:
>> On 06/09/2015 01:42 PM, Pavel Tikhomirov wrote:
>>> Pasha, please consider
>>>
>>> We have ~4 ways:
>>>
>>> 1) Virtualize mounting cgroups in PCS7CT
>>> +docker test will be happy and all docker-in-docker thing
>>> -we don't want patch kernel for it and thus have a lot of non-mainline code
>>>
>>> 2) We can patch docker tests to make bindmounts from CT to DockerCT 
>>> instead of mounting cgroups from inside.
>>> +only OUR docker test will be happy
>>> -we will have to maintain our patches for docker test
>>>
>>> 3) We can try to send those our patches for docker test into Docker
>>> +docker tests OK, for other people it will be easier to use 
>>> docker-in-docker with PCS7 too
>>> -docker maintainers can say - "Why do they need to change their working
>>> code? (Why don't we allow mounting cgroups?)"
>>
>> Try to go this route.
> 
> Pasha, in this case we won't be able to create privileged Docker CTs inside
> Virtuozzo 7 Containers.
> Do we need this functionality? Why?

Ok, this is a followup on this:

a) currently we don't know a real use case when a privileged Docker CT is required inside a VZ CT
   (except for Docker tests). So in case someone knows such a use case - please share.

b) Because of a) we are fine for now to allow only unprivileged Docker CTs inside VZ CT.

=> we can go both ways 3) and 4) and we'll try both ways a bit later.

>>> 4) Make the docker --privileged option (which is used for docker-in-docker)
>>> bind-mount cgroups inside the docker CT
>>> +docker tests OK, cgroups for docker-in-docker will work everywhere
>>> -docker maintainers may find some examples where a --privileged docker CT
>>> does not need bind-mounted cgroups
>>>
>>> On 06/09/2015 12:30 PM, Cyrill Gorcunov wrote:
>>>> On Tue, Jun 09, 2015 at 12:17:59PM +0300, Pavel Tikhomirov wrote:
>>>>>
>>>>>
>>>>> On 06/09/2015 11:51 AM, Cyrill Gorcunov wrote:
>>>>>> On Tue, Jun 09, 2015 at 11:48:18AM +0300, Pavel Tikhomirov wrote:
>>>>>>> Docker tests create a two-level docker container hierarchy, and they need to
>>>>>>> mount cgroups on the first level to control containers of the second level. Is
>>>>>>> it safe to "re-revert" this patch to allow the docker tests (unit, integration-cli)
>>>>>>> to mount cgroups?
>>>>>>
>>>>>> Could you please provide more info? Which cgroups it mounts?
>>>>>
>>>>> It tries to mount all cgroups which it can see through /proc/1/cgroup
>>>>>
>>>>> https://github.com/docker/docker/blob/v1.6.2/hack/dind
>>>>> https://github.com/docker/docker/blob/master/hack/dind
>>>>
>>>> Sigh :( So we have to allow it back then. But this won't make vdavydov@
>>>> happy. Volodya, do you see some other way?
>>>>
>>>
>>
>> _______________________________________________
>> Devel mailing list
>> Devel at openvz.org
>> https://lists.openvz.org/mailman/listinfo/devel
>>
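The discovery step Pavel describes above (the dind script reading controller names out of /proc/1/cgroup) in shell, as an added example that is not part of the thread and not Docker's hack/dind script: it lists the cgroup v1 controllers visible to a container's PID 1 and, instead of mounting them, reports which of them already have a cgroup mount according to a mountinfo file, which is the check an operator wants when deciding whether a container needs anything mounted at all. The /proc/1/cgroup and mountinfo contents are constructed samples, not captured from a real system; both inputs are file arguments so the real /proc files can be substituted.

```shell
#!/bin/sh
# Added example, not from the thread or from Docker's hack/dind: audit which
# cgroup v1 controllers a container's PID 1 can see and which of them are
# actually mounted.  Both files are passed as arguments so the constructed
# samples below can stand in for /proc/1/cgroup and /proc/self/mountinfo.

# Controllers named in a /proc/<pid>/cgroup-formatted file (cgroup v1 lines are
# "hierarchy-id:controllers:path").  Co-mounted lists such as "cpu,cpuacct"
# are split into single controllers; the empty field of a cgroup v2 "0::/"
# line and "name=..." named hierarchies are dropped.
visible_controllers() {
    cut -d: -f2 "$1" | tr ',' '\n' | grep -v '^$' | grep -v '^name=' | sort -u
}

# Controllers exposed by cgroup v1 mounts in a mountinfo-formatted file.  The
# optional fields before the " - " separator vary in number, so the separator
# is located first; the super-block options follow "<fstype> <source>".
# Generic flags and "key=value" options are not controller names.
mounted_controllers() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "-") break;
        if ($(i + 1) != "cgroup") next;
        n = split($(i + 3), opt, ",");
        for (j = 1; j <= n; j++) {
            if (opt[j] ~ /^(rw|ro|nosuid|nodev|noexec|relatime|noatime|xattr|noprefix|clone_children)$/) continue;
            if (index(opt[j], "=") > 0) continue;
            print opt[j];
        }
    }' "$1" | sort -u
}

# One line per visible controller; exit status 0 only if all are mounted.
report_controllers() {
    cg_file=$1
    mi_file=$2
    missing=0
    mounted=$(mounted_controllers "$mi_file")
    for ctrl in $(visible_controllers "$cg_file"); do
        if printf '%s\n' "$mounted" | grep -qx "$ctrl"; then
            echo "$ctrl: mounted"
        else
            echo "$ctrl: not mounted"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample input: a container whose PID 1 sees five hierarchies,
# with only memory and cpu,cpuacct mounted under /sys/fs/cgroup.
SAMPLE_DIR=${TMPDIR:-/tmp}/cgroup-audit.$$
mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/cgroup" <<'EOF'
11:devices:/docker/0123abcd
10:memory:/docker/0123abcd
9:cpu,cpuacct:/docker/0123abcd
8:pids:/docker/0123abcd
1:name=systemd:/docker/0123abcd
0::/
EOF
cat > "$SAMPLE_DIR/mountinfo" <<'EOF'
20 25 0:19 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
21 20 0:20 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime shared:10 - cgroup cgroup rw,xattr,name=systemd
22 20 0:21 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,memory
23 20 0:22 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,cpu,cpuacct
24 25 0:23 / /proc rw,nosuid,nodev,noexec,relatime shared:13 - proc proc rw
EOF

# Against a live container the call is:
#   report_controllers /proc/1/cgroup /proc/self/mountinfo
report_controllers "$SAMPLE_DIR/cgroup" "$SAMPLE_DIR/mountinfo" ||
    echo "some controllers visible to PID 1 have no cgroup mount"
```

On the sample input devices and pids are visible to PID 1 but have no mount, so the script exits non-zero; a container that already has every controller it can see exposed under /sys/fs/cgroup would exit zero, which is the situation option 4) above (bind-mounting cgroups into the Docker CT) is meant to produce without the inner mount.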


