[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container
Stanislav Kinsburskiy
skinsbursky at odin.com
Sat Jan 16 13:45:55 PST 2016
On Jan 16, 2016 at 9:51 PM, Cyrill Gorcunov <gorcunov at virtuozzo.com> wrote:
>
> On Sat, Jan 16, 2016 at 09:32:39PM +0100, Stanislav Kinsburskiy wrote:
> > Hi,
> >
> > What it's the reason behind this proposal?
>
> 1) Fix the restore problem introduced with your commit
Could you elaborate a bit on the problem?
> 2) Performance or uncontrollable mount of cgroups from
> inside of container is _really_ a huge problem affecting
> the node. Until there is a strong reason to allow mounting
> we should disable it.
>
It sounds like forbidding cgroups is a way to protect against a "cgroups bomb". Is it?
> > The only thing you mentioned and which is not fixed is performance issues.
> > If so, then it's not a sufficient reason from my POV, because we are losing generic functionality.
> > I suspect that there are programs which use cgroups for their internal needs.
> > What will we do with them, if cgroup mounts are forbidden?
>
> I don't know ones which require own mounting. iirc docker was able to
> work if cgroups mounting is disabled and all cgroups are already
> preconfigured (but this should be double checked). Note that we're
> talking about _mounting_, because you still can create new cgroups
> nested.
Yeah, probably not so many programs do so.
But forbidding such functionality in a container looks very aggressive for me.