[Devel] [patch rh7 1/2] cgroup: mount -- Disable mounting from inside of VE context
Konstantin Khorenko
khorenko at virtuozzo.com
Wed Jun 17 02:06:11 PDT 2015
On 06/17/2015 11:44 AM, Cyrill Gorcunov wrote:
> On Wed, Jun 17, 2015 at 11:34:32AM +0300, Konstantin Khorenko wrote:
>>
>> Ok, this is a followup on this:
>>
>> a) currently we don't know a real use case when a privileged Docker CT is required inside a VZ CT
>> (except for Docker tests). So in case someone knows such a use case - please share.
>>
>> b) Because of a) we are fine for now to allow only unprivileged Docker CTs inside VZ CT.
>>
>> => we can go both ways 3) and 4) and we'll try both ways a bit later.
>
> So the idea behind is to continue blocking mounting of cgroups inside ve?
In the long term - yes.
The CRIU issue is to be handled either via "restoring" state or
(which I like much more) by creating venet directly via netlink.