[Devel] [PATCH rh7] cgroups: Drop virtualization code, v4

Cyrill Gorcunov gorcunov at odin.com
Thu May 7 03:54:52 PDT 2015


On Thu, May 07, 2015 at 01:45:35PM +0300, Vladimir Davydov wrote:
> > 
> > So maybe we should limit the number of nested cgroups in container?
> > There is root->number_of_cgroups maybe we should setup some limit
> > on ve config.
> 
> The more parameters we have the worse. What should be a default value
> for this? 10, 50, 100? And why? Can we guarantee that the user of a
> container won't be able to exploit the system with this particular
> number of cgroups? Can we be sure that this particular number of cgroups
> will be enough? I don't think so.
> 
> If something goes wrong, one can disable cgroups in a container
> altogether, otherwise he has to take the risk.

We can't be sure of anything until this goes to testing and
we see if there are some problems. Still, we may provide a tool
for the container admin on the node which would be able to limit
the number of cgroups if needed; otherwise it will end up
as an "all or nothing" strategy.


