[lxc-devel] [PATCH] cgfs: don't mount /sys/fs/cgroup readonly

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 2 22:00:26 UTC 2014


Quoting Christian Seiler (christian at iwakd.de):
> Hi again,
> 
> >> On an ubuntu system, mountall wants /sys/fs/cgroup to be mounted rw.
> >> So on container startup, mountall will see that /sys/fs/cgroup is ro
> >> and hang startup (waiting for the user to say whether to skip
> >> or manually fix) because it's not allowed to remount /sys/fs/cgroup
> >> rw.
> > 
> > Ouch.
> 
> Speaking of which, just came to my mind, since you probably only tested
> your own patch: does mountall only complain about /sys/fs/cgroup or does
> it also complain about the individual hierarchies? Because if it also

I did only test my own patch; however, mountall is only trying to mount
the things listed in /lib/init/fstab, which is

none            /sys/fs/cgroup            tmpfs           optional,uid=0,gid=0,mode=0755,size=1024     0 0

Really, since 'rw' is not there, it *could* imo be argued that remounting
if it's ro is wrong...

> complains about the individual hierarchies, the proposed solution solves
> nothing, and the only "correct" solution is to document that Ubuntu only
> works with cgroup:rw and cgroup-full:rw, but not ro and mixed.
> 
> On a different note, also just came to my mind: Currently, :mixed is the
> default for cgroup and cgroup-full. But :mixed only works properly if
> the container doesn't have CAP_SYS_ADMIN, otherwise this is just
> obfuscation (you need to know that you have to remount the cgroup tree
> to escape your own cgroup). Therefore, it might be sensible to do the
> following:
> 
> - :mixed is the default if cap_sys_admin is to be dropped
> - :rw is the default if cap_sys_admin is not dropped for the container

That sounds sensible.

> If somebody really needs :mixed even with cap_sys_admin, they can
> explicitly specify that, but with this logic we won't give admins a
> false sense of security when they try to see if they can escape the
> cgroup in the default setting. Thoughts?

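The point Christian raises above about :mixed being "just obfuscation" when the container keeps CAP_SYS_ADMIN can be turned into a check an admin runs inside the container. The script below is an added example, not code from this thread or from LXC. It assumes the /proc interfaces as they exist on Linux: /proc/self/status carries a CapEff hex mask in which CAP_SYS_ADMIN is bit 21, and /proc/self/mountinfo lists the mountpoint in field 5 and the per-mount options in field 6. The function names and the three result labels (rw, ro-remountable, ro-enforced) are this example's own.

```shell
#!/bin/sh
# Added example, not code from this thread or from LXC: from inside a
# container, decide whether a read-only cgroup tree is an actual barrier.
# A process holding CAP_SYS_ADMIN can "mount -o remount,rw" the tree, so
# "ro" without dropping that capability only hides the escape route.
#
# Assumptions: /proc/self/status has a "CapEff:" hex mask in which
# CAP_SYS_ADMIN is bit 21 (linux/capability.h); /proc/self/mountinfo has the
# mountpoint in field 5 and the per-mount options in field 6. The function
# names and result labels below are this example's own.

# Succeed if the CapEff mask in the given status file includes CAP_SYS_ADMIN.
has_cap_sys_admin() {
    capeff=$(awk '/^CapEff:/ { print $2 }' "$1")
    [ -n "$capeff" ] || return 1
    [ $(( 0x$capeff & (1 << 21) )) -ne 0 ]
}

# Print every mountpoint under /sys/fs/cgroup whose per-mount options begin
# with "ro" (the first option in a mountinfo line is always rw or ro).
ro_cgroup_mounts() {
    awk '$5 ~ /^\/sys\/fs\/cgroup/ && $6 ~ /^ro(,|$)/ { print $5 }' "$1"
}

# Classify the cgroup setup seen through the given status and mountinfo files:
#   rw              nothing under /sys/fs/cgroup is read-only
#   ro-remountable  read-only mounts exist, but CAP_SYS_ADMIN is held, so the
#                   container can remount them rw and move itself out of its
#                   own cgroup (the "false sense of security" case)
#   ro-enforced     read-only mounts exist and CAP_SYS_ADMIN is dropped
assess_cgroup_isolation() {
    status_file=${1:-/proc/self/status}
    mountinfo_file=${2:-/proc/self/mountinfo}
    if [ -z "$(ro_cgroup_mounts "$mountinfo_file")" ]; then
        echo rw
    elif has_cap_sys_admin "$status_file"; then
        echo ro-remountable
    else
        echo ro-enforced
    fi
}

# Stand-alone use: report on the calling process's own view of the system.
if [ -r /proc/self/status ] && [ -r /proc/self/mountinfo ]; then
    echo "cgroup isolation: $(assess_cgroup_isolation)"
fi
```

Run inside a container configured with cgroup:mixed and no lxc.cap.drop = sys_admin, the report is ro-remountable: the tree looks read-only, but the container can remount it rw and then write itself into a cgroup outside its own, which is exactly what the proposed default (:mixed only when sys_admin is dropped, :rw otherwise) would make visible instead of hiding. With the capability dropped the same setup reports ro-enforced.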