[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container
Konstantin Khorenko
khorenko at virtuozzo.com
Mon Jan 18 02:29:26 PST 2016
Igor,
please review and apply 0001-env_nsops-Use-pseudosuper-feature-on-the-restore-pro.patch for libvzctl,
I'm applying the kernel part as well.
Thank you.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 01/16/2016 11:13 PM, Cyrill Gorcunov wrote:
> Guys, we've found a problem in the cgroups management code: currently we
> allow mounting cgroups from inside of the veX context, which has a few
> problems:
>
> - performance issue (as Vladimir always pointed)
> - security issue (as been fixed by Stas in commit
> 1867565c8c6df8c2a18e391d9e6d721cf29e251e)
>
> I propose to bring in a pseudosuper state, which we're going to use
> in the restore procedure, and to disable mounting cgroups from
> inside of the veX context.
>
> All cgroups needed should be prepared during the container
> startup procedure and nothing else allowed.
>
> Please see changelogs for the patches attached.
>
> Cyrill
>
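A small probe for the behaviour this thread proposes, added here as an example and not code from the patches or from Virtuozzo: run inside a container as root, it attempts to mount a cgroup hierarchy and reports whether the kernel allowed it. The mount target, the subsystem name and the assumption that a denied mount shows up as EPERM are mine; the thread does not state which error the kernel returns.

```c
// Added example (not part of the thread or the patches): probe whether the
// current context is allowed to mount a cgroup filesystem. On a kernel with
// the proposed restriction, running this inside a container should print
// "denied"; on an unpatched kernel it prints "ALLOWED" (the insecure case).
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>

/* Try to mount the cgroup hierarchy for `subsys` (e.g. "cpu") at `target`.
 * Returns 0 if the mount succeeded (it is unmounted again immediately),
 * otherwise the errno of the failed mount(2) call. */
int probe_cgroup_mount(const char *target, const char *subsys)
{
    if (mount("cgroup", target, "cgroup", 0, subsys) == 0) {
        umount(target);
        return 0;
    }
    return errno;
}

/* Turn the probe result into a verdict. Only a successful mount is the
 * outcome the thread wants to eliminate; EPERM is the expected denial
 * (assumption); anything else means the probe itself did not run properly
 * (missing target directory, no cgroup support, ...). */
const char *verdict(int err)
{
    if (err == 0)
        return "ALLOWED";
    if (err == EPERM)
        return "denied";
    return "inconclusive";
}

int main(int argc, char **argv)
{
    /* Assumed defaults: a scratch directory inside the container and the
     * "cpu" subsystem; both can be overridden on the command line. */
    const char *target = argc > 1 ? argv[1] : "/mnt";
    const char *subsys = argc > 2 ? argv[2] : "cpu";
    int err = probe_cgroup_mount(target, subsys);

    printf("mount -t cgroup -o %s cgroup %s: %s (errno=%d, %s)\n",
           subsys, target, verdict(err), err, err ? strerror(err) : "ok");
    return err == 0 ? 1 : 0;   /* non-zero exit = mount was possible */
}
```

The exit status is deliberately inverted so the probe can sit in a container-hardening test suite: it passes when the mount is refused. Run it both before and after the container has been restored, since the pseudosuper state in the proposal only applies during the restore procedure and must not leave the restriction disabled afterwards.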