[lxc-devel] [PATCH 3/4] cgroup: Add lxc_setup_mount_cgroup to setup /sys/fs/cgroup inside the container
Christian Seiler
christian at iwakd.de
Thu Sep 12 18:21:34 UTC 2013
Hi Serge,
> Ah, no, mountall just gets upset about some forced readonly
> mounts. lxc.mount.auto = proc always worked for me. If I do
>
> - r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
> + r = mount("sysfs", path, "sysfs", 0, NULL);
> - mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
> + //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
> then sys and cgroup auto-mount also work. The problem with both is that
> mountall has entries in /lib/init/fstab saying they should be mounted
> readwrite, so it hangs trying to force that to happen.
Ah, ok... :/
> How would you feel about adding a flag to specify whether they should be
> readonly? How would we specify the flag? (Note it's ok for sys to be
> read-write in ubuntu since apparmor confines it. cgroups by default are
> too, but we don't have a good way yet to generate policy which will allow
> /sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but the
> /sys/fs/cgroup/$controller not)
I could get behind the following:
proc - always read-write (no harm AFAICT)
sys - default: read-only
sys:rw - read-write
sys:ro - explicit read-only
cgroup:ro - completely ro (including paths)
cgroup:rw - completely rw (including paths)
cgroup:mixed - paths ro, other rw
cgroup - defaults to cgroup:mixed
Also, I could imagine adding
cgroup-full:ro - mount complete tree read-only (not just partial)
cgroup-full:rw - mount complete tree read-write (not just partial)
cgroup-full:mixed - mount complete tree read-only but bind-mount
partial tree read-write
cgroup-full - defaults to cgroup-full: mixed
Thoughts?
-- Christian
More information about the lxc-devel
mailing list