[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container
Stanislav Kinsburskiу
skinsbursky at odin.com
Sat Jan 16 12:32:39 PST 2016
Hi,
What is the reason behind this proposal?
The only thing you mentioned which is not fixed is performance issues.
If so, then it's not a sufficient reason from my POV, because we are losing generic functionality.
I suspect that there are programs which use cgroups for their internal needs.
What will we do with them if cgroup mounts are forbidden?
On 16 Jan 2016 at 9:13 PM, Cyrill Gorcunov <gorcunov at virtuozzo.com> wrote:
>
> Guys, we've found a problem in the cgroups management code: currently we
> allow mounting cgroups from inside of the veX context, which has a few
> problems:
>
> - performance issue (as Vladimir always pointed)
> - security issue (as has been fixed by Stas in commit
>   1867565c8c6df8c2a18e391d9e6d721cf29e251e)
>
> I propose to bring in a pseudosuper state which we're gonna use
> on the restore procedure and disable mounting cgroups from
> inside of the veX context.
>
> All cgroups needed should be prepared during the container
> startup procedure and nothing else allowed.
>
> Please see changelogs for the patches attached.
>
> Cyrill