[Devel] [PATCH rh7] cgroups: Drop virtualization code, v4

Vladimir Davydov vdavydov at parallels.com
Thu May 7 01:32:26 PDT 2015


On Thu, May 07, 2015 at 10:51:16AM +0300, Cyrill Gorcunov wrote:
> Index: linux-pcs7.git/kernel/cgroup.c
> ===================================================================
> --- linux-pcs7.git.orig/kernel/cgroup.c
> +++ linux-pcs7.git/kernel/cgroup.c
[...]
> @@ -1668,6 +1617,17 @@ static struct dentry *cgroup_mount(struc
>  
>  		BUG_ON(sb->s_root != NULL);
>  
> +#ifdef CONFIG_VE
> +		/*
> +		 * Don't allow to create new hierarchies in container,
> +		 * we don't support them.
> +		 */
> +		if (!ve_is_super(get_exec_env())) {
> +			ret = -EACCES;
> +			goto drop_new_super;
> +		}
> +#endif
> +
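Review bot: the new ve_is_super() check sits after BUG_ON(sb->s_root != NULL) and bails out via drop_new_super, so it only fires on the path where a fresh superblock is being set up; a container that mounts an already-existing hierarchy (sb->s_root already populated, handled before this point) never reaches it, which is exactly the gap the reply below points out. If the intent is that containers cannot mount cgroup hierarchies at all, move the check ahead of the superblock lookup so both the new and the existing-superblock paths are covered, and document in the comment which of the two cases is meant to be refused. Minor: -EPERM is the conventional return for "the caller is not privileged enough", whereas -EACCES usually signals a file-permission denial; and the comment reads better as "Don't allow creating new hierarchies in a container".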

So we are not allowed to create new cgroup hierarchies from a container,
but we still can mount existing ones? If so, I think we should forbid
this as well.

Another question that keeps bothering me is about the permissions check.
The admin of a container should be allowed to create and tune memory
cgroups under its bind-mounted cgroup root, but he must not be able to
modify parameters of the bind-mounted root itself, because that would
affect the container's configuration. How are we going to prevent this?


