[lxc-devel] [PATCH] cgfs: don't mount /sys/fs/cgroup readonly

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 2 21:53:49 UTC 2014


Quoting Christian Seiler (christian at iwakd.de):
> Hi,
> 
> > On an ubuntu system, mountall wants /sys/fs/cgroup to be mounted rw.
> > So on container startup, mountall will see that /sys/fs/cgroup is ro
> > and hang startup (waiting for the user to say whether to skip
> > or manually fix) because it's not allowed to remount /sys/fs/cgroup
> > rw.
> 
> Ouch.
> 
> Irrespective of what we do in LXC, perhaps mountall should also be fixed
> that if inside a container (env var ${container} set) and /sys/fs/cgroup
> is mounted ro, then it should just print a warning but not hang?

Unfortunately mountall just goes over a list in /lib/init/fstab, and
while there is the 'optional' keyword to say "it's ok if the fs is
not available" there is no keyword to say "if it is available then
it's ok if the mount fails".

I'm going to bite my tongue (ouch) and say this is one thing that
systemd may be doing better.

> (Obviously that doesn't absolve LXC from changing something, since this
> will never be backported to arbitrarily old versions of mountall, but I
> do think it's better for robustness.)
> 
> > Hm.  So IIUC lxc would have to (and, you're telling me, now does not)
> 
> Currently, it doesn't do that, no, because I saw no reason for it, since
> I saw no reason for /sys/fs/cgroup being rw itself until you mentioned
> the problem with Ubuntu.
> 
> > have the following mounts?
> > 
> >> /sys/fs/cgroup                  [tmpfs, rw]
> >> /sys/fs/cgroup/cpu              [tmpfs, ro]
> >> /sys/fs/cgroup/cpu/lxc/c1       [bind-mount of host, rw]
> 
> Yes, that would be a good solution for that. I still don't like it
> aesthetically that /sys/fs/cgroup is rw, but better a workaround than
> containers hanging at boot...
> 
> I'll post a patch that does that tomorrow. (I could write it easily just
> now in 5 minutes, but I do want to test it properly beforehand.)

Awesome, thanks!

-serge
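
Added example, not part of the original message or of LXC's code: a check that a container's mount table matches the layout discussed above (rw tmpfs at /sys/fs/cgroup, ro per-controller directories, rw only on the container's own cgroup). The function names and the mountinfo samples are constructed for illustration, and "lxc/c1" is the cgroup path used in the thread.

```python
CGROUP_ROOT = "/sys/fs/cgroup"

# Constructed /proc/self/mountinfo samples (not captured from a real host).
SAMPLE_OK = """\
40 30 0:35 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs cgroup rw
41 40 0:36 / /sys/fs/cgroup/cpu ro,nosuid,nodev,noexec - tmpfs cgroup rw
42 41 0:22 /lxc/c1 /sys/fs/cgroup/cpu/lxc/c1 rw,relatime - cgroup cgroup rw,cpu
"""
SAMPLE_BAD = """\
40 30 0:35 / /sys/fs/cgroup rw - tmpfs cgroup rw
41 40 0:36 / /sys/fs/cgroup/cpu rw - tmpfs cgroup rw
42 41 0:22 /lxc/c1 /sys/fs/cgroup/cpu/lxc/c1 rw - cgroup cgroup rw,cpu
43 40 0:23 /lxc /sys/fs/cgroup/memory/lxc rw shared:5 - cgroup cgroup rw,memory
"""

def parse_mountinfo(text):
    """Yield (mount_point, fstype, writable) per mountinfo line."""
    for line in text.splitlines():
        fields = line.split()
        if "-" not in fields:
            continue
        sep = fields.index("-")  # optional fields end at the "-" separator
        if sep < 6 or sep + 1 >= len(fields):
            continue
        # fields[5] holds per-mount options, so a read-only bind mount shows "ro" here
        yield fields[4], fields[sep + 1], "rw" in fields[5].split(",")

def audit_cgroup_mounts(text, container_cgroup):
    """Return (mount_point, reason) for mounts that break the layout."""
    findings = []
    for mp, fstype, writable in parse_mountinfo(text):
        if mp != CGROUP_ROOT and not mp.startswith(CGROUP_ROOT + "/"):
            continue
        rel = mp[len(CGROUP_ROOT):].strip("/")
        controller, _, sub = rel.partition("/")
        if not rel:
            if fstype != "tmpfs":
                findings.append((mp, "root is not a tmpfs"))
        elif not sub:
            if writable:
                findings.append((mp, "controller directory is writable"))
        elif sub != container_cgroup and not sub.startswith(container_cgroup + "/"):
            if writable:
                findings.append((mp, "writable cgroup outside the container's own"))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD):
        print(audit_cgroup_mounts(sample, "lxc/c1"))
```

Run inside the container, the input would be the contents of /proc/self/mountinfo; mount points containing octal escapes such as \040 are compared as written.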

