[lxc-devel] [lxc-users] docker in lxc

Serge Hallyn serge.hallyn at ubuntu.com
Wed Nov 18 16:03:43 UTC 2015


Quoting Akshay Karle (akshay.a.karle at gmail.com):
> >
> >
> > So this may get fixed with cgroup namespaces,
> >
> > (i.e.
> > https://git.kernel.org/cgit/linux/kernel/git/sergeh/linux-security.git/log/?h=2015-11-10/cgroupns
> > ,
> > github.com/hallyn/lxcfs #2015-11-10/cgns and github.com/lxc/
> > #2015-11-09/cgns)
> >
> 
> This is great! Using this patch would mean that we don't need cgmanager or
> lxcfs, is that correct? Does it already work for unprivileged containers?

lxcfs would still be used for virtualizing some procfiles.  You wouldn't
need cgmanager, though I still prefer using it over cgroupfs for most things :)

It does work for unprivileged containers, although the fs flag to make it
so may not immediately hit upstream.

> If so, I can spend some time trying to generate a deb for the branch,
> create an unprivileged container and then try to start up the docker daemon
> inside the container to see the next step where it fails. I need to see if
> the process of generating debs is documented somewhere.
> 
> >
> > but of course for backward compatibility that should still be fixed.  Which
> > requires choosing a way for docker to decide whether cgroups are in fact
> > mounted.
> >
> 
> For the backward compatibility, it would mean changing docker such that it
> can run without checking if the right cgroups are mounted?

Ideally we'd find some other reasonable foolproof way of telling whether
cgroups are actually mounted.  Cgmanager would be a lot easier here :)

