[lxc-devel] [lxc-users] Does cpu cgroup has been enabled in lxc/lxd
kemi
kemi.wang at intel.com
Thu Nov 1 07:16:17 UTC 2018
On 2018/11/1 下午2:53, Fajar A. Nugraha wrote:
> On Thu, Nov 1, 2018 at 1:38 PM, kemi <kemi.wang at intel.com> wrote:
>
>>>> g) and h) read files from /proc, not cgroup. You need lxcfs. You should
>>>> already have that on ubuntu though.
>>>>
>>>>
>>
>> /proc/cpuinfo also matches the expected result.
>> However, it seems that sysfs in container still shares with host /sys
>> file system.
>> Right?
>>
>>
>>
> Correct. See https://linuxcontainers.org/lxcfs/introduction/
>
OK, then I have a question on scalability and security issues on running multiple containers.
Background: Our customers hope to run hundreds or even thousands of containers in their production environment.
Sharing sysfs of containers with host sysfs in lxc/lxd may have:
a) security issue.
If a malicious program in a container changes a sensitive file in /sys,
e.g. reduce CPU frequency, does it really works? Does it affect other running containers?
b) Scalability issue.
E.g. During launching a ubuntu OS(not kernel) or Android OS in a container,it usually use udev/ueventd
to manage their device. This device manager daemon will read or write uevent file in /sys, the kernel
then broadcast a uevent to all the listeners(udev daemon) via netlink, if there are already hundreds
of containers in the system, all of udev daemons need to deal with it, it would lead to a long boot
latency which we have observed in docker.
Anyway to fix that?
More information about the lxc-devel
mailing list