[lxc-users] cgroup settings not honored

Serge Hallyn serge.hallyn at ubuntu.com
Mon Oct 20 20:18:08 UTC 2014


Quoting Patrick Brauer (mercora at lileth.net):
> Ok, I found out what made the rules fail... but not why cgmanager
> behaved like it did... systemd (yuck, again) mounts cgroups inside the
> container and rearranges its own tasks, making any settings previously
> made ineffective... premounting it ro did indeed make systemd aware
> that I won't like it to mess around with these... Although that does
> not make it impossible, at least it does behave like I would like it
> to. Dropping sys_admin seems to let it fail early because it wants to
> mount several filesystems, and I need to investigate further whether it
> would be enough to premount them....
> 
> However, this is not an issue with lxc (but with cgmanager maybe). I
> was assuming that containers should not be able to do this kind of
> thing, which was just wrong... anyhow, thanks to anybody listening ^^

If you used selinux or apparmor, then the containers should not be
able to mount cgroup filesystems themselves.  Of course on its own
that would just prevent systemd from running.

Have you tried adding

lxc.mount.auto = cgroup:mixed

to your container config file?  That should give systemd a set of
cgroup filesystems mounted by default.  Whether it will then honor
the cgroup it was placed in at startup I'm not sure, but it would
be interesting to know.

The cgroup namespaces which were re-sent to lkml last week should
give us a proper solution to this.
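As an added example (not code from this thread, nor from lxc or cgmanager), the following POSIX sh snippet checks, from the host side, whether a task is still inside the cgroup the host placed it in, which is the symptom discussed above: settings applied to the container's cgroup silently stop applying once systemd inside the container moves its tasks elsewhere. It parses the cgroup v1 form of /proc/<pid>/cgroup (`hierarchy-id:controller[,controller...]:path`). The container name `c1`, its cgroup path `/lxc/c1` and the three sample listings are constructed for the example; the `/lxc/<name>` placement is an assumption, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from lxc/cgmanager.
# Detect whether a process still sits in the cgroup the host placed it in,
# by reading /proc/<pid>/cgroup in its cgroup v1 form:
#     hierarchy-id:controller[,controller...]:path
# Assumption (constructed for this example): the container "c1" was placed
# by the host at cgroup path /lxc/c1 in every hierarchy.

# cgroup_path_for CONTROLLER  (reads a /proc/<pid>/cgroup listing on stdin)
# Prints the cgroup path of the hierarchy that carries CONTROLLER, or
# nothing if no hierarchy carries it.
cgroup_path_for() {
    awk -F: -v want="$1" '
        {
            n = split($2, ctrls, ",")
            for (i = 1; i <= n; i++)
                if (ctrls[i] == want) { print $3; exit }
        }'
}

# in_assigned_cgroup CONTROLLER EXPECTED  (listing on stdin)
# Returns 0 when the process is at EXPECTED or in a sub-cgroup below it,
# 1 when it has been moved out of it (or the controller is missing).
in_assigned_cgroup() {
    path=$(cgroup_path_for "$1")
    case "$path" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# check_pid PID CONTROLLER EXPECTED: the same check against a live process,
# e.g. check_pid "$(lxc-info -n c1 -p -H)" memory /lxc/c1 on the host.
check_pid() {
    in_assigned_cgroup "$2" "$3" < "/proc/$1/cgroup"
}

# Constructed sample listings (what the host would see for a task in c1).
# Task still exactly where lxc put it:
SAMPLE_OK='4:memory:/lxc/c1
3:cpu,cpuacct:/lxc/c1
1:name=systemd:/lxc/c1'
# systemd inside the container created its own slice below /lxc/c1; with
# hierarchical accounting the settings on /lxc/c1 still cover the sub-cgroup.
SAMPLE_SUBGROUP='4:memory:/lxc/c1/system.slice/foo.service
3:cpu,cpuacct:/lxc/c1
1:name=systemd:/lxc/c1/system.slice/foo.service'
# Task re-parented outside /lxc/c1: the host's settings on /lxc/c1 no longer
# apply to it, which is the "settings not honored" symptom from the thread.
SAMPLE_ESCAPED='4:memory:/
3:cpu,cpuacct:/
1:name=systemd:/system.slice/foo.service'

# report LABEL LISTING: one line per controller of interest.
report() {
    for ctrl in memory cpu; do
        if printf '%s\n' "$2" | in_assigned_cgroup "$ctrl" /lxc/c1; then
            echo "$1: $ctrl ok"
        else
            echo "$1: $ctrl NOT under /lxc/c1 (settings not honored)"
        fi
    done
}

report ok       "$SAMPLE_OK"
report subgroup "$SAMPLE_SUBGROUP"
report escaped  "$SAMPLE_ESCAPED"
```

Running the check periodically against the container's init pid (and its children) from the host gives an early signal that the limits configured for the container are no longer in force, independent of whether the cause is a cgroup mount inside the container or something else.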
