[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container
Cyrill Gorcunov
gorcunov at virtuozzo.com
Sat Jan 16 12:51:52 PST 2016
On Sat, Jan 16, 2016 at 09:32:39PM +0100, Stanislav Kinsburskiу wrote:
> Hi,
>
> What is the reason behind this proposal?
1) Fix the restore problem introduced with your commit
2) Performance or uncontrollable mount of cgroups from
inside of container is _really_ a huge problem affecting
the node. Until there is a strong reason to allow mounting
we should disable it.
> The only thing you mentioned and which used not fixed is performance issues.
> If so, then it's not a sufficient reason from my POV, because we are losing generic functionality.
> I suspect that there are programs which use cgroups for their internal needs.
> What will we do with them, if cgroup mounts are forbidden?
I don't know ones which require own mounting. iirc docker was able to
work if cgroups mounting is disabled and all cgroups are already
preconfigured (but this should be double checked). Note that we're
talking about _mounting_, because you still can create new cgroups
nested.