[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container

Cyrill Gorcunov gorcunov at virtuozzo.com
Sat Jan 16 12:51:52 PST 2016


On Sat, Jan 16, 2016 at 09:32:39PM +0100, Stanislav Kinsburskiу wrote:
> Hi,
> 
> What is the reason behind this proposal?

1) Fix the restore problem introduced with your commit
2) Performance or uncontrollable mount of cgroups from
   inside of container is _really_ a huge problem affecting
   the node. Until there is a strong reason to allow mounting
   we should disable it.

> The only thing you mentioned and which used not fixed is performance issues.
> If so, then it's not a sufficient reason from my POV, because we are losing generic functionality.
> I suspect that there are programs which use cgroups for their internal needs.
> What will we do with them, if cgroup mounts are forbidden?

I don't know ones which require own mounting. iirc docker was able to
work if cgroups mounting is disabled and all cgroups are already
preconfigured (but this should be double checked). Note that we're
talking about _mounting_, because you still can create new cgroups
nested.

