[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container

Konstantin Khorenko khorenko at virtuozzo.com
Mon Jan 18 02:33:39 PST 2016


JFYI: I'm not going to drop rh7-revert-ve-mark because otherwise cgroups mounted in 1 CT will be visible from other Containers as well
(those cgroups which are mounted during CT start or restore).

At the moment we don't know of apps which require mounting cgroups inside Containers (all known ones are able to work using bindmounts of existing cgroups) =>
prohibiting cgroups mounts inside a CT should not be a problem.

Once we find such an app, we'll think about cgroups virtualization in the scope of 3.10-x kernel.

--
Best regards,

Konstantin Khorenko,
Virtuozzo Linux Kernel Team

On 01/16/2016 11:13 PM, Cyrill Gorcunov wrote:
> Guys, we've found a problem in cgroups management code: currently we
> allow mounting cgroups from inside of veX context, which has a few
> problems:
>
>   - performance issue (as Vladimir always pointed)
>   - security issue (as was fixed by Stas in commit
>     1867565c8c6df8c2a18e391d9e6d721cf29e251e)
>
> I propose to bring in a pseudosuper state which we're gonna use
> on the restore procedure and disable mounting cgroups from
> inside of veX context.
>
> All cgroups needed should be prepared upon the container
> startup procedure and nothing else allowed.
>
> Please see changelogs for the patches attached.
>
> 	Cyrill
>
