[lxc-users] sysvinit with cgroup namespace

Fajar A. Nugraha list at fajar.net
Fri Apr 22 02:32:15 UTC 2016


On Thu, Apr 21, 2016 at 11:21 PM, Harald Dunkel <harri at afaics.de> wrote:
> On 04/21/16 08:05, Fajar A. Nugraha wrote:
>> On Wed, Apr 20, 2016 at 6:50 PM, Harald Dunkel <harald.dunkel at aixigo.de> wrote:
>>> Hi folks,
>>>
>>> AFAIR the idea of the containers was to provide isolation
>>> between the host and the user-space instances.
>>>
>>> Are we losing this with systemd support?
>>
>> What makes you think that?
>>
>> The host only needs systemd cgroup mount, it doesn't need to run systemd.
>>
>
> AFAIU you cannot run systemd in an LXC container dom1, unless
> these cgroup mount points are set up in dom0 for some initialization.

There are requirements in the host, yes.
Even without systemd in the container, you'd still need cgroup support
in the host.

> I am not sure if this still counts as "isolated".
> Shouldn't systemd in dom1 just work, no matter what?

If that's what you want for "isolation", then use KVM.

Looking at /usr/share/lxcfs/lxc.mount.hook, if you have a kernel with
cgroup namespace support, you might not need to set up host cgroups.
CMIIW

# no need for lxcfs cgroups if we have cgroup namespaces
[ -n "$LXC_CGNS_AWARE" ] && [ -f /proc/self/ns/cgroup ] && exit 0

-- 
Fajar
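As an added example, not from the email above or from lxcfs: a small POSIX shell script that performs the same check as the quoted hook line and then inspects a /proc/self/cgroup listing to show what a cgroup namespace actually hides from the container. The function names and the sample listings are constructed for the example.

```shell
#!/bin/sh
# Hypothetical helper, not part of lxcfs or the hook quoted above.

# Same test the lxcfs hook makes: does this kernel expose a cgroup namespace
# for the calling process?
cgroup_ns_supported() {
    [ -f /proc/self/ns/cgroup ]
}

# Classify a /proc/self/cgroup listing passed in $1. With a cgroup namespace
# the container's own cgroup becomes the root, so every hierarchy reports "/".
# Without one, the host-side paths (e.g. /lxc/<name>) leak into the container.
cgroup_view() {
    leaked=$(printf '%s\n' "$1" | while IFS=: read -r _id _ctrl path; do
        if [ -n "$path" ] && [ "$path" != "/" ]; then
            echo 1
            break
        fi
    done)
    if [ -z "$leaked" ]; then echo namespaced; else echo host-visible; fi
}

# Constructed sample listings (cgroup v1 lines plus the v2 "0::" line), not
# captured from a real host.
SAMPLE_NAMESPACED='12:pids:/
11:memory:/
0::/'
SAMPLE_HOST_VISIBLE='12:pids:/lxc/c1
11:memory:/lxc/c1
0::/lxc/c1'

# Report on the system this script actually runs on (Linux only).
if [ -r /proc/self/cgroup ]; then
    if cgroup_ns_supported; then ns=yes; else ns=no; fi
    echo "cgroup namespace support: $ns"
    echo "cgroup view of this process: $(cgroup_view "$(cat /proc/self/cgroup)")"
fi
```

Run it once on the host and once inside the container: a container that reports "host-visible" is seeing the host's cgroup layout, which is exactly what cgroup namespaces (or the lxcfs cgroup mounts the hook would otherwise provide) are meant to prevent.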

