[Devel] [PATCH rh7] cgroups: Drop virtualization code, v4

Cyrill Gorcunov gorcunov at odin.com
Thu May 7 02:40:41 PDT 2015


On Thu, May 07, 2015 at 12:12:37PM +0300, Cyrill Gorcunov wrote:
> > > 
> > > At moment we don't, but looks like we need to add some check if
> > > cgroup been modified is not a top one when write happens from
> > > inside of container maybe?
> > 
> > I guess so.
> > 
> > Besides, I think we should not bind mount all cgroups inside any
> > container, because allowing a container to create an arbitrary number of
> > cgroups can affect the overall performance badly. IMO this should be
> > configured in the config file of a container.
> 
> I see, thanks. Let me think of it.

We're creating cgroups for the container on ve0 but bind-mount them
from inside the container, thus at the userspace level (via config file)
we can set up which cgroups are allowed for use. Still we're not
limiting in any way the creation of new sub-cgroups (via mkdir) inside the
container, and this one should be a performance penalty mainly
(new cgroup allocation is done via direct kzalloc without
any memory limits as far as I understand). Thus while we can
limit the cgroups set itself, I don't see an easy way to limit nested
cgroups/dirs without additional kernel modification. Ideas?
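As an added example (not code from this thread or from the rh7 kernel tree), the host-side check a defender would run while the kernel has no limit on nested cgroup creation: count the sub-cgroups a container has created under its bind-mounted hierarchy and flag it when the count exceeds a configured ceiling. The mount path and the ceiling are assumptions; the test builds a constructed directory tree instead of touching a real cgroupfs.

```shell
# cgroup_nesting_report MOUNT_ROOT [MAX_ALLOWED]
# Every directory below MOUNT_ROOT is a cgroup created via mkdir, so the
# directory count is the number of nested cgroups a container has allocated.
# Prints "<count> <max_depth>" and returns 0 when count <= MAX_ALLOWED,
# 1 when the ceiling is exceeded, 2 when the path does not exist.
cgroup_nesting_report() {
    root="$1"
    max_allowed="${2:-1000}"   # assumed default ceiling, tune per container config
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 2; }

    # Number of nested cgroup directories (the root itself is excluded).
    count=$(( $(cd "$root" && find . -mindepth 1 -type d | wc -l) ))

    # Deepest nesting level: with paths relative to the root ("./a/b/c"),
    # the number of slashes equals the depth.
    depth=$(cd "$root" && find . -mindepth 1 -type d \
        | awk '{ n = gsub("/", "/"); if (n > m) m = n } END { print m + 0 }')

    echo "$count $depth"
    [ "$count" -le "$max_allowed" ]
}

# Example invocation against an assumed per-container bind-mount location
# (placeholder path; adjust to where ve0 mounts the container's cgroups):
# cgroup_nesting_report /sys/fs/cgroup/memory/CT_ID 500 || echo "cgroup ceiling exceeded"
```

A non-zero return is the hook for alerting or for refusing further mkdir from the container's side until the kernel itself enforces a limit.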



More information about the Devel mailing list