[Lxc-users] lxc on Fedora 15

Serge Hallyn serge.hallyn at canonical.com
Tue May 31 14:38:26 UTC 2011


Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> On 05/31/2011 01:44 PM, Ramez Hanna wrote:
> > On Tue, May 31, 2011 at 2:07 PM, Daniel Lezcano <daniel.lezcano at free.fr> wrote:
> >
> >> On 05/31/2011 12:33 PM, Ramez Hanna wrote:
> >>
> >>> it seems that lxc cannot handle cgroups when capabilities are not all in
> >>> the
> >>> same mount
> >>> it fails now because it cannot write the devices.deny in the cgroup
> >>> if i comment out all the lxc.cgroup.devices lines in the config of the
> >>> container then i can actually start it
> >>>
> >>> I would think that the way lxc identifies the cgroup mount might be the
> >>> part
> >>> that needs patching
> >>>
> >> Thanks for investigating.
> >>
> >> The main problem is lxc is cgroup agnostic, so we should find a solution
> >> where we don't break that.
> >>
> >> Maybe one solution would be to collect all the mount points found for the
> >> cgroup and try to find the right path when writing or reading from one
> >> cgroup file.
> >>
> > that is what i had in mind, tried looking into the code but my C skills are
> > next to zero
> >
> >> Does systemd run lxc within a cgroup which is not the root cgroup ?
> >>
> >> the lxc-start command would run under $user/master/
> > (/sys/fs/cgroup/systemd/$user/$master)
> > and the container itself would run under $container_name
> > (/sys/fs/cgroup/systemd/$container_name)
> > so it would run the container in the root cgroup
> 
> ouch ! I have to install systemd on a test machine to check how systemd 
> plays with the cgroup.
> I don't think the cgroup created by lxc should escape the cgroup the 
> command is assigned to.

Another similar - and easier to set up - thing we need to address is running
on a system with libcgroup installed.

For both, I assume it'll basically come down to:

  1. figure out the path of the cgroup we are in for each cgroup we care
     about
  2. create new child cgroup for ourselves in each of the above paths which
     is unique
  3. track those through the lifetime of the container

So it just slightly complicates what's being done now.

-serge
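
Steps 1 and 2 above, together with the per-subsystem mount lookup suggested earlier in the thread, sketched in C as an added example (not code from lxc or from anyone in this thread). The names `child_path`, `has_token` and `next_line` are hypothetical, and the sample mount table and cgroup paths are constructed; the input formats are those of `/proc/mounts` and `/proc/self/cgroup`.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample input: each subsystem on its own mount, as on Fedora 15. */
static const char SAMPLE_MOUNTS[] =
    "cgroup /sys/fs/cgroup/systemd cgroup rw,name=systemd 0 0\n"
    "cgroup /sys/fs/cgroup/cpu cgroup rw,cpuacct,cpu 0 0\n"
    "cgroup /sys/fs/cgroup/devices cgroup rw,devices 0 0\n";
static const char SAMPLE_SELF[] =
    "3:devices:/user/master\n2:cpuacct,cpu:/\n1:name=systemd:/user/master\n";

/* 1 if the comma-separated list contains tok as a whole entry. */
static int has_token(const char *list, const char *tok)
{
    size_t len, tl = strlen(tok);
    for (; *list; list += len + (list[len] == ',')) {
        len = strcspn(list, ",");
        if (len == tl && !memcmp(list, tok, tl))
            return 1;
    }
    return 0;
}

static const char *next_line(const char *l)
{
    return (l = strchr(l, '\n')) ? l + 1 : NULL;
}

/* Writes <mount of subsys><cgroup we are in>/<child> into out.
 * Returns 0 on success, -1 if nothing matches or child is unsafe. */
int child_path(const char *mounts, const char *selfcg, const char *subsys,
               const char *child, char *out, size_t outlen)
{
    char mnt[256] = "", fs[32], list[256], cur[256] = "";
    /* child must be one path component, so the new group cannot be
     * created outside the cgroup the caller was placed in. */
    if (!*child || strchr(child, '/') || !strcmp(child, ".") || !strcmp(child, ".."))
        return -1;
    for (const char *l = mounts; l && *l && !*mnt; l = next_line(l))
        if (sscanf(l, "%*s %255s %31s %255s", mnt, fs, list) != 3 ||
            strcmp(fs, "cgroup") || !has_token(list, subsys))
            mnt[0] = '\0';            /* not the mount carrying subsys */
    for (const char *l = selfcg; l && *l && !*cur; l = next_line(l))
        if (sscanf(l, "%*d:%255[^:\n]:%255[^\n]", list, cur) != 2 ||
            !has_token(list, subsys))
            cur[0] = '\0';            /* not the hierarchy carrying subsys */
    int n = (*mnt && cur[0] == '/')
          ? snprintf(out, outlen, "%s%s/%s", mnt, cur[1] ? cur : "", child) : -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

A write to `devices.deny` would then target the directory returned for `devices`, while `cpu` settings go under the separate path returned for `cpu`.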
