[Devel] [RFC rhel7] Disabling mounting cgroups from inside of container
Vladimir Davydov
vdavydov at virtuozzo.com
Mon Jan 18 03:08:09 PST 2016
On Sat, Jan 16, 2016 at 11:13:15PM +0300, Cyrill Gorcunov wrote:
> From: Cyrill Gorcunov <gorcunov at virtuozzo.com>
> Subject: [RFC rh7] ve/cgroup: Add pseudosuper state for restore sake
>
> Currently we allow to mount cgroups from inside of VEs context for
> restore sake. But this will be a problem in future: every new mount
> from inside of VE actually degrades kernel performance.
>
> For this we introduce that named "pseudosuper" state of a container.
> This cgroup member can be only set up from ve0 context but dropped
> off from any context (including veX). Which allows us to restore
> container and bring inability to mount cgroups once restore is done.
>
> In fact there are three players: the kernel itself which checks for
> pseudosuper status, the libvzctl which sets up this status when
> starting and restoring a container, and criu which drops this status once
> it completes restoring cgroups (calling libvzctl script upon namespace
> creation).
>
> https://jira.sw.ru/browse/PSBM-34299
> https://jira.sw.ru/browse/PSBM-43169
> https://jira.sw.ru/browse/PSBM-42573
>
> Signed-off-by: Cyrill Gorcunov <gorcunov at virtuozzo.com>
> CC: Vladimir Davydov <vdavydov at virtuozzo.com>
> CC: Konstantin Khorenko <khorenko at virtuozzo.com>
> CC: Andrey Vagin <avagin at virtuozzo.com>
> CC: Igor Sukhih <igor at parallels.com>
> CC: Pavel Emelyanov <xemul at virtuozzo.com>
Reviewed-by: Vladimir Davydov <vdavydov at virtuozzo.com>