[lxc-users] Accessing cgroup sysfs entries from within a container

Serge Hallyn serge.hallyn at ubuntu.com
Mon Mar 31 15:51:36 UTC 2014


Quoting David Shwatrz (dshwatrz at gmail.com):
> Hello,
> 
> Suppose I want to be able to let a container access only the sysfs cgroup
> of itself.
> To be more specific, if the container name is "fedoraCT", I want to
> let it access only /sys/fs/cgroup/blkio/lxc/fedoraCT (and the
> corresponding entries of the other controllers) and not be able to access
> /sys/fs/cgroup/blkio/lxc/ubuntoCT and /sys/fs/cgroup/blkio/lxc/CentOS_CT, etc.

lxc.mount.auto = cgroup:mixed should, I think, do this.  (the manpage is
misleading or wrong on this, I believe, but I did not test just now)

Note that for this to be safe with writeable mounts, you'll want to
create an extra cgroup layer, so that the kernel's enforcement of
hierarchical constraints works for you.

> Is it possible to achieve with the current LXC release or latest git
> tree? Can using cgmanager on the host
> and cgproxy on the container provide this currently?

This will effectively do that, but you'll have to use the dbus interface
(or, the 'cgm' script shipped with cgmanager) to read the blkio values.
The cgroupfs won't be mounted in the container.
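
Added example, not part of the original message or of LXC: a check, run from inside a container, of the property asked for in this thread, namely that the only writable cgroup mounts are the container's own cgroup. It assumes a cgroup v1 layout without cgroup namespaces; the function names and the sample `/proc/self/cgroup` and `/proc/self/mountinfo` contents are constructed for illustration.

```python
# Constructed samples (not captured from a real system); cgroup v1 layout assumed.
PROC_CGROUP = "4:blkio:/lxc/fedoraCT\n3:cpu,cpuacct:/lxc/fedoraCT\n"
MOUNTINFO_OK = """\
60 50 0:30 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs rw,size=12k
61 60 0:22 /lxc /sys/fs/cgroup/blkio/lxc ro,nosuid,nodev,noexec - cgroup cgroup rw,blkio
62 61 0:22 /lxc/fedoraCT /sys/fs/cgroup/blkio/lxc/fedoraCT rw,nosuid,nodev,noexec - cgroup cgroup rw,blkio
"""
MOUNTINFO_BAD = """\
60 50 0:22 / /sys/fs/cgroup/blkio rw,nosuid,nodev,noexec - cgroup cgroup rw,blkio
"""


def own_cgroups(proc_cgroup_text):
    """Map each controller to this process's cgroup path (/proc/self/cgroup)."""
    own = {}
    for line in proc_cgroup_text.splitlines():
        if line.strip():
            _hier_id, controllers, path = line.split(":", 2)
            for ctrl in controllers.split(","):
                own[ctrl] = path
    return own


def writable_foreign_cgroups(mountinfo_text, proc_cgroup_text):
    """Return (mount_point, controller, root) for every read-write cgroup mount
    whose root is not the caller's own cgroup or a descendant of it."""
    own = own_cgroups(proc_cgroup_text)
    findings = []
    for line in mountinfo_text.splitlines():
        if " - " not in line:
            continue
        # Fields before " - ": id, parent, dev, root, mount point, options, ...
        pre, post = line.split(" - ", 1)
        root, mount_point, opts = pre.split()[3:6]
        fstype, _source, super_opts = post.split()[:3]
        if fstype != "cgroup" or "ro" in opts.split(","):
            continue
        for ctrl in super_opts.split(","):
            if ctrl not in own:
                continue
            prefix = own[ctrl].rstrip("/") + "/"
            if root != own[ctrl] and not root.startswith(prefix):
                findings.append((mount_point, ctrl, root))
    return findings


if __name__ == "__main__":
    print(writable_foreign_cgroups(MOUNTINFO_OK, PROC_CGROUP))
    print(writable_foreign_cgroups(MOUNTINFO_BAD, PROC_CGROUP))
```

To audit a live container, pass the contents of `/proc/self/mountinfo` and `/proc/self/cgroup` read inside it; an empty result means no writable mount exposes a parent or sibling cgroup.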

