[lxc-devel] [PATCH 3/4] cgroup: Add lxc_setup_mount_cgroup to setup /sys/fs/cgroup inside the container

Christian Seiler christian at iwakd.de
Thu Sep 12 18:21:34 UTC 2013


Hi Serge,

> Ah, no, mountall just gets upset about some forced readonly
> mounts.  lxc.mount.auto = proc always worked for me.  If I do
> 
> -               r = mount("sysfs", path, "sysfs", MS_RDONLY, NULL);
> +               r = mount("sysfs", path, "sysfs", 0, NULL);
> -       mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
> +       //mount(NULL, path, NULL, MS_REMOUNT|MS_RDONLY, NULL);
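Review bot: dropping MS_RDONLY from the sysfs mount and commenting out the MS_REMOUNT|MS_RDONLY remount makes both mounts read-write for every container unconditionally, which gives up the read-only protection the existing code provides; rather than leaving the remount commented out, gate the `MS_RDONLY` flag and the remount call on a per-mount configuration option so the default stays read-only and only setups that otherwise confine /sys and the cgroup hierarchy (as noted for AppArmor on Ubuntu) opt into read-write.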
> then sys and cgroup auto-mount also work.  The problem with both is that
> mountall has entries in /lib/init/fstab saying they should be mounted
> readwrite, so it hangs trying to force that to happen.

Ah, ok... :/

> How would you feel about adding a flag to specify whether they should be
> readonly?  How would we specify the flag?  (Note it's ok for sys to be
> read-write in ubuntu since apparmor confines it.  cgroups by default are
> too, but we don't have a good way yet to generate policy which will allow
> /sys/fs/cgroup/$controller/$container-cgroup-path/ to be written to but the
> /sys/fs/cgroup/$controller not)

I could get behind the following:

   proc            - always read-write (no harm AFAICT)
   sys             - default: read-only
   sys:rw          - read-write
   sys:ro          - explicit read-only
   cgroup:ro       - completely ro (including paths)
   cgroup:rw       - completely rw (including paths)
   cgroup:mixed    - paths ro, other rw
   cgroup          - defaults to cgroup:mixed

Also, I could imagine adding

   cgroup-full:ro    - mount complete tree read-only (not just partial)
   cgroup-full:rw    - mount complete tree read-write (not just partial)
   cgroup-full:mixed - mount complete tree read-only but bind-mount
                       partial tree read-write
   cgroup-full       - defaults to cgroup-full:mixed

Thoughts?

-- Christian
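One way to parse the proposed lxc.mount.auto values above, as an added example written for this post rather than code from LXC or from the patch series: it encodes the defaults (sys read-only, cgroup and cgroup-full mixed, proc always read-write) and rejects every other spelling. It assumes entries are whitespace-separated and that one bad entry should reject the whole value; the names mode_names, fs_rules, parse_mount_auto and mount_auto_mode are my own.

```c
#include <string.h>
enum automount_mode { MODE_NONE = 0, MODE_RO, MODE_RW, MODE_MIXED };
enum automount_fs { FS_PROC, FS_SYS, FS_CGROUP, FS_CGROUP_FULL, FS_COUNT };
/* Rules from the proposal: a ":mode" suffix is accepted up to max_mode
 * (ro < rw < mixed) and dflt applies without one.  proc takes no suffix
 * and is always rw; sys defaults to ro; cgroup[-full] to mixed. */
static const char *const mode_names[] = { "none", "ro", "rw", "mixed" };
static const struct { const char *name; int max_mode, dflt; } fs_rules[FS_COUNT] = {
    [FS_PROC]        = { "proc",        MODE_NONE,  MODE_RW    },
    [FS_SYS]         = { "sys",         MODE_RW,    MODE_RO    },
    [FS_CGROUP]      = { "cgroup",      MODE_MIXED, MODE_MIXED },
    [FS_CGROUP_FULL] = { "cgroup-full", MODE_MIXED, MODE_MIXED },
};
/* Parse a whole lxc.mount.auto value, assumed to be whitespace-separated
 * entries such as "proc sys:rw cgroup:mixed".  Any invalid entry rejects the
 * whole value, so a typo never falls back to a read-write mount.  Fills
 * out[] per filesystem (MODE_NONE = not mounted); returns 0 or -1. */
int parse_mount_auto(const char *value, enum automount_mode out[FS_COUNT])
{
    char buf[256], *tok;
    memset(out, 0, FS_COUNT * sizeof(*out));
    if (strlen(value) >= sizeof(buf)) return -1;
    strcpy(buf, value);
    for (tok = strtok(buf, " \t"); tok; tok = strtok(NULL, " \t")) {
        char *colon = strchr(tok, ':');
        int fs, mode;
        if (colon) *colon++ = '\0';              /* split "name:mode" */
        for (fs = 0; fs < FS_COUNT && strcmp(tok, fs_rules[fs].name); fs++)
            ;
        if (fs == FS_COUNT) return -1;           /* unknown filesystem */
        mode = fs_rules[fs].dflt;
        if (colon) {                             /* explicit mode requested */
            for (mode = MODE_RO; mode <= MODE_MIXED; mode++)
                if (!strcmp(colon, mode_names[mode]))
                    break;
            if (mode > fs_rules[fs].max_mode)
                return -1;                       /* unknown or disallowed */
        }
        out[fs] = mode;
    }
    return 0;
}
/* Mode of one filesystem for a value, or -1 if the whole value is rejected. */
int mount_auto_mode(const char *value, enum automount_fs fs)
{
    enum automount_mode modes[FS_COUNT];
    return parse_mount_auto(value, modes) ? -1 : (int)modes[fs];
}
```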