[lxc-devel] [PATCH 3/4] cgroup: Add lxc_setup_mount_cgroup to setup /sys/fs/cgroup inside the container
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Sep 12 18:47:41 UTC 2013
Quoting Christian Seiler (christian at iwakd.de):
> Hi Serge,
>
> > Ah, no, mountall just gets upset about some forced readonly
> > mounts. lxc.mount.auto = proc always worked for me. If I do
> >
> > - r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
> > + r = mount("sysfs", path, "sysfs", 0, NULL);
> > - mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
> > + //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
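Review bot: dropping MS_RDONLY from the sysfs mount and commenting out the MS_REMOUNT|MS_RDONLY remount makes /sys writable for the whole container unconditionally, which the surrounding text says is only acceptable where apparmor confines sysfs; rather than hard-coding read-write, gate the flag on the per-entry ro/rw option discussed in this thread (sys:ro / sys:rw), and delete the `//mount(...)` line instead of leaving it as dead code in the source.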
> > then sys and cgroup auto-mount also work. The problem with both is that
> > mountall has entries in /lib/init/fstab saying they should be mounted
> > readwrite, so it hangs trying to force that to happen.
>
> Ah, ok... :/
>
> > How would you feel about adding a flag to specify whether they should be
> > readonly? How would we specify the flag? (Note it's ok for sys to be
> > read-write in ubuntu since apparmor confines it. cgroups by default are
> > too, but we don't have a good way yet to generate policy which will allow
> > /sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but the
> > /sys/fs/cgroup/$controller not)
>
> I could get behind the following:
>
> proc - always read-write (no harm AFAICT)
> sys - default: read-only
> sys:rw - read-write
> sys:ro - explicit read-only
> cgroup:ro - completely ro (including paths)
> cgroup:rw - completely rw (including paths)
That sounds good.
> cgroup:mixed - paths ro, other rw
What is 'paths' vs. 'other' here? There's
/sys/fs/cgroup
itself,
/sys/fs/cgroup/$subsys
then the paths up to the container's own path, and then
there's the stuff under the container's own path. I'm not
clear on which you're calling what.
> cgroup - defaults to cgroup:mixed
>
> Also, I could imagine adding
>
> cgroup-full:ro - mount complete tree read-only (not just partial)
> cgroup-full:rw - mount complete tree read-write (not just partial)
> cgroup-full:mixed - mount complete tree read-only but bind-mount
> partial tree read-write
> cgroup-full - defaults to cgroup-full:mixed
Hm, but you're doing the full tree by default. What is the difference
between this and cgroup:ro?
thanks,
-serge
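As an added illustration of the option syntax being negotiated above (not code from LXC or from either poster), here is a small fail-closed parser for a hypothetical lxc.mount.auto value built from the tokens proposed in this thread: proc, sys[:ro|:rw], cgroup[:ro|:rw|:mixed] and cgroup-full[:ro|:rw|:mixed], with the defaults Christian listed (sys -> ro, cgroup -> mixed, cgroup-full -> mixed). Two choices are this example's own assumptions: "mixed" is read as "ancestor paths read-only, container's own cgroup path read-write", and giving both cgroup and cgroup-full is rejected as ambiguous. Unknown names, unknown suffixes and a suffix on proc reject the whole value rather than silently mounting something.

```c
/* Added example (hypothetical, not LXC's parser): parse an lxc.mount.auto
 * value such as "proc sys:rw cgroup:mixed" and fail closed on anything odd. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

enum mount_mode { MODE_UNSET = 0, MODE_RO, MODE_RW, MODE_MIXED };

struct auto_mounts {
    int proc;                    /* proc requested; always mounted read-write */
    enum mount_mode sys;         /* sysfs: RO unless "sys:rw" was given */
    enum mount_mode cgroup;      /* partial cgroup tree */
    enum mount_mode cgroup_full; /* complete cgroup tree */
};

/* Map a ":suffix" to a mode. "mixed" is only legal where allow_mixed is set
 * (it has no meaning for sysfs). Returns 0 on success, -1 on a bad suffix. */
static int parse_mode(const char *suffix, int allow_mixed, enum mount_mode *out)
{
    if (strcmp(suffix, "ro") == 0) { *out = MODE_RO; return 0; }
    if (strcmp(suffix, "rw") == 0) { *out = MODE_RW; return 0; }
    if (allow_mixed && strcmp(suffix, "mixed") == 0) { *out = MODE_MIXED; return 0; }
    return -1;
}

/* Parse one token such as "sys:rw". Any unknown name, unknown suffix, or a
 * suffix on "proc" rejects the whole value. */
static int parse_token(const char *tok, struct auto_mounts *m)
{
    char name[32];
    const char *colon = strchr(tok, ':');
    size_t nlen = colon ? (size_t)(colon - tok) : strlen(tok);
    const char *suffix = colon ? colon + 1 : NULL;

    if (nlen == 0 || nlen >= sizeof(name))
        return -1;
    memcpy(name, tok, nlen);
    name[nlen] = '\0';

    if (strcmp(name, "proc") == 0) {
        if (suffix) return -1;          /* proc has no ro/rw variant */
        m->proc = 1;
        return 0;
    }
    if (strcmp(name, "sys") == 0) {
        m->sys = MODE_RO;               /* default: read-only */
        return suffix ? parse_mode(suffix, 0, &m->sys) : 0;
    }
    if (strcmp(name, "cgroup") == 0) {
        m->cgroup = MODE_MIXED;         /* default: mixed */
        return suffix ? parse_mode(suffix, 1, &m->cgroup) : 0;
    }
    if (strcmp(name, "cgroup-full") == 0) {
        m->cgroup_full = MODE_MIXED;    /* default: mixed */
        return suffix ? parse_mode(suffix, 1, &m->cgroup_full) : 0;
    }
    return -1;
}

/* Parse a whitespace-separated value. Returns 0 on success, -1 on error. */
int parse_mount_auto(const char *value, struct auto_mounts *m)
{
    char buf[256];
    char *save = NULL, *tok;

    memset(m, 0, sizeof(*m));
    if (strlen(value) >= sizeof(buf))
        return -1;
    memcpy(buf, value, strlen(value) + 1);
    for (tok = strtok_r(buf, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save))
        if (parse_token(tok, m) < 0)
            return -1;
    /* cgroup and cgroup-full describe the same mount point; asking for both
     * is ambiguous, so reject it (this example's assumption). */
    if (m->cgroup != MODE_UNSET && m->cgroup_full != MODE_UNSET)
        return -1;
    return 0;
}

/* Single-answer helper: the parsed mode of one tree ("proc" gives 1/0),
 * or -1 if the whole value fails to parse. */
int mount_auto_mode(const char *value, const char *which)
{
    struct auto_mounts m;
    if (parse_mount_auto(value, &m) < 0) return -1;
    if (strcmp(which, "proc") == 0) return m.proc;
    if (strcmp(which, "sys") == 0) return (int)m.sys;
    if (strcmp(which, "cgroup") == 0) return (int)m.cgroup;
    if (strcmp(which, "cgroup-full") == 0) return (int)m.cgroup_full;
    return -1;
}

/* "mixed" as assumed here: ancestor paths stay read-only, the container's own
 * cgroup path is writable. */
int cgroup_ancestors_writable(enum mount_mode mode) { return mode == MODE_RW; }
int cgroup_own_path_writable(enum mount_mode mode)  { return mode == MODE_RW || mode == MODE_MIXED; }

int main(void)
{
    const char *samples[] = { "proc sys cgroup", "sys:rw cgroup-full:ro", "sys:mixed", "proc:rw" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-24s -> sys=%d cgroup=%d cgroup-full=%d\n", samples[i],
               mount_auto_mode(samples[i], "sys"), mount_auto_mode(samples[i], "cgroup"),
               mount_auto_mode(samples[i], "cgroup-full"));
    return 0;
}
```

The mode values would then drive the actual mount(2) calls: MODE_RO keeps MS_RDONLY (or the MS_REMOUNT|MS_RDONLY remount) that the quoted diff removed, MODE_RW drops it, and MODE_MIXED mounts the tree read-only and bind-mounts only the container's own cgroup path read-write.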