[lxc-devel] [PATCH] cgfs: don't mount /sys/fs/cgroup readonly

Christian Seiler christian at iwakd.de
Fri May 2 21:49:55 UTC 2014


Hi again,

>> On an ubuntu system, mountall wants /sys/fs/cgroup to be mounted rw.
>> So on container startup, mountall will see that /sys/fs/cgroup is ro
>> and hang startup (waiting for the user to say whether to skip
>> or manually fix) because it's not allowed to remount /sys/fs/cgroup
>> rw.
> 
> Ouch.

Speaking of which, just came to my mind, since you probably only tested
your own patch: does mountall only complain about /sys/fs/cgroup or does
it also complain about the individual hierarchies? Because if it also
complains about the individual hierarchies, the proposed solution solves
nothing, and the only "correct" solution is to document that Ubuntu only
works with cgroup:rw and cgroup-full:rw, but not ro and mixed.

On a different note, also just came to my mind: Currently, :mixed is the
default for cgroup and cgroup-full. But :mixed only works properly if
the container doesn't have CAP_SYS_ADMIN, otherwise this is just
obfuscation (you need to know that you have to remount the cgroup tree
to escape your own cgroup). Therefore, it might be sensible to do the
following:

- :mixed is the default if cap_sys_admin is to be dropped
- :rw is the default if cap_sys_admin is not dropped for the container

If somebody really needs :mixed even with cap_sys_admin, they can
explicitly specify that, but with this logic we won't give admins a
false sense of security when they try to see if they can escape the
cgroup in the default setting. Thoughts?

Regards,
Christian
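As an added illustration of the default-selection rule proposed in this mail (this is not code from LXC or from the mail's author), the following Python script parses the `lxc.cap.drop` and `lxc.mount.auto` keys of an LXC 1.0-style config and reports, per `cgroup`/`cgroup-full` entry, the mode that rule would pick when none is given, and whether an explicit `:mixed` is being used in a container that still holds CAP_SYS_ADMIN, which the mail calls obfuscation rather than isolation. The two sample configs and the `audit()` helper are constructed for this example; they do not describe how LXC itself chooses its default.

```python
"""Audit an LXC config against the proposed cgroup-mount default rule:
:mixed only if CAP_SYS_ADMIN is dropped, :rw otherwise (example code)."""
import re

# Constructed sample configs (not from the thread). The first keeps
# CAP_SYS_ADMIN and asks for cgroup:mixed explicitly; the second drops
# sys_admin and leaves the cgroup mode unspecified.
SAMPLE_KEEPS_SYS_ADMIN = """\
lxc.utsname = web01
lxc.cap.drop = mac_admin mac_override sys_time
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
"""

SAMPLE_DROPS_SYS_ADMIN = """\
lxc.utsname = web02
lxc.cap.drop = mac_admin sys_admin sys_time   # drops CAP_SYS_ADMIN
lxc.mount.auto = proc:mixed sys:ro cgroup
"""

_KEYVAL = re.compile(r"^\s*(lxc\.[\w.]+)\s*=\s*(.*?)\s*$")


def parse_config(text):
    """Parse 'key = value' lines into {key: [values]}; keys such as
    lxc.cap.drop may legitimately repeat, so values accumulate."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = _KEYVAL.match(line)
        if m:
            conf.setdefault(m.group(1), []).append(m.group(2))
    return conf


def drops_sys_admin(conf):
    """True if any lxc.cap.drop line names sys_admin."""
    caps = set()
    for value in conf.get("lxc.cap.drop", []):
        caps.update(value.split())
    return "sys_admin" in caps


def cgroup_modes(conf):
    """Return {entry: mode or None} for the cgroup entries of lxc.mount.auto.
    'cgroup' alone (no ':mode') yields None, meaning 'use the default'."""
    modes = {}
    for value in conf.get("lxc.mount.auto", []):
        for item in value.split():
            name, _, mode = item.partition(":")
            if name in ("cgroup", "cgroup-full"):
                modes[name] = mode or None
    return modes


def audit(text):
    """Return {entry: (effective_mode, was_explicit, warning_or_None)}.

    The default applied here is the rule proposed in the mail (assumption,
    not LXC's actual behaviour): :mixed when sys_admin is dropped, :rw
    otherwise. An explicit :mixed is honoured but flagged when the
    container keeps CAP_SYS_ADMIN, since it then only hides the cgroup
    tree rather than confining the container to it."""
    conf = parse_config(text)
    keeps_admin = not drops_sys_admin(conf)
    result = {}
    for entry, mode in cgroup_modes(conf).items():
        explicit = mode is not None
        if not explicit:
            mode = "rw" if keeps_admin else "mixed"
        warning = None
        if mode == "mixed" and keeps_admin:
            warning = ("cgroup:mixed with CAP_SYS_ADMIN retained is "
                       "obfuscation, not isolation")
        result[entry] = (mode, explicit, warning)
    return result


if __name__ == "__main__":
    for label, cfg in (("web01", SAMPLE_KEEPS_SYS_ADMIN),
                       ("web02", SAMPLE_DROPS_SYS_ADMIN)):
        for entry, (mode, explicit, warning) in audit(cfg).items():
            src = "explicit" if explicit else "default"
            print(f"{label}: {entry}:{mode} ({src})"
                  + (f"  WARNING: {warning}" if warning else ""))
```

Run it directly to see both cases: `web01` is reported with an explicit `cgroup:mixed` plus the warning, while `web02` gets `mixed` by default and no warning because `sys_admin` is in its `lxc.cap.drop` list.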
