[lxc-users] sysvinit with cgroup namespace

Serge Hallyn serge.hallyn at ubuntu.com
Fri Apr 22 04:41:26 UTC 2016


Quoting Fajar A. Nugraha (list at fajar.net):
> On Thu, Apr 21, 2016 at 11:21 PM, Harald Dunkel <harri at afaics.de> wrote:
> > On 04/21/16 08:05, Fajar A. Nugraha wrote:
> >> On Wed, Apr 20, 2016 at 6:50 PM, Harald Dunkel <harald.dunkel at aixigo.de> wrote:
> >>> Hi folks,
> >>>
> >>> AFAIR the idea of the containers was to provide isolation
> >>> between the host and the user-space instances.
> >>>
> >>> Are we losing this with systemd support?
> >>
> >> What makes you think that?
> >>
> >> The host only needs systemd cgroup mount, it doesn't need to run systemd.
> >>
> >
> > AFAIU you cannot run systemd in a LXC container dom1, unless
> > these cgroup mount points are set up in dom0 for some initialization.
> 
> There are requirements in the host, yes.
> Even without systemd in the container, you'd still need cgroup support
> in the host.
> 
> > I am not sure if this still counts as "isolated".
> > Shouldn't systemd in dom1 just work, no matter what?
> 
> If that's what you want for "isolation", then use KVM.
> 
> Looking at /usr/share/lxcfs/lxc.mount.hook, if you have kernel with
> cgroup namespace support, you might not need to setup host cgroup.
> CMIIW
> 
> # no need for lxcfs cgroups if we have cgroup namespaces
> [ -n "$LXC_CGNS_AWARE" ] && [ -f /proc/self/ns/cgroup ] && exit 0

Which actually brings up an interesting point. If you

mount -t cgroup -o none,name=foo foo /sys/fs/cgroup/foo

in a container, and name=foo has not previously been mounted,
then that container will own the name=foo hierarchy, and not be
namespaced there.  If another container with a different uidmapping
mounts the same hierarchy, it will see the translated uids (most
likely -1) owning the hierarchy.

So you really don't want to wait for the first container to
mount the name=systemd hierarchy, unless you will have no
other containers.
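The practical consequence of the point above is that the host should mount the named hierarchy itself before any container gets the chance to. The following is an added example, not code from the thread or from LXC: a small POSIX sh helper that parses a /proc/self/mountinfo listing to check whether a cgroup (v1) mount carrying name=NAME already exists, and a wrapper that mounts it with the same `mount -t cgroup -o none,name=...` invocation quoted in the message if it does not. The function names (`has_named_cgroup`, `ensure_named_cgroup`), the `--ensure` flag and the mountinfo sample are assumptions made for this example; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread or the LXC project).
# Goal: make sure the host, i.e. uid 0 in the initial user namespace,
# owns the name=systemd cgroup hierarchy before any container can mount
# it first and become its owner.

# has_named_cgroup NAME  <  mountinfo
# Reads /proc/self/mountinfo-formatted lines from stdin and returns 0 if
# a cgroup mount whose superblock options contain name=NAME is present,
# 1 otherwise.  In mountinfo, the fields after the " - " separator are:
# fstype, source, super options.
has_named_cgroup() {
    name="$1"
    while read -r line; do
        rest="${line#* - }"
        [ "$rest" = "$line" ] && continue   # no separator: not a mountinfo line
        set -- $rest
        fstype="$1"; sopts="$3"
        [ "$fstype" = "cgroup" ] || continue
        case ",$sopts," in
            *",name=$name,"*) return 0 ;;
        esac
    done
    return 1
}

# ensure_named_cgroup NAME MOUNTPOINT
# Mounts the named hierarchy with no controllers attached, exactly as in
# the message (-o none,name=NAME), unless the live mount table already
# shows it.  Must run on the host, as root, before containers start.
ensure_named_cgroup() {
    name="$1"; mnt="$2"
    if has_named_cgroup "$name" < /proc/self/mountinfo; then
        echo "name=$name hierarchy already mounted; nothing to do"
        return 0
    fi
    mkdir -p "$mnt" || return 1
    mount -t cgroup -o none,name="$name" "$name" "$mnt"
}

# Constructed sample (assumption, not a capture from a real machine):
# one controller hierarchy, the named systemd hierarchy, and a tmpfs
# whose options happen to contain name=foo but which is not a cgroup.
SAMPLE_MOUNTINFO='24 18 0:22 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
25 18 0:23 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,name=systemd
26 18 0:24 / /sys/fs/cgroup/foo rw,relatime - tmpfs tmpfs rw,name=foo'

# check_sample: returns 0 only if the sample is classified as expected:
# systemd is found; "memory" is a controller, not a name=; foo is a
# tmpfs, so its name=foo option must be ignored.
check_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | has_named_cgroup systemd || return 1
    printf '%s\n' "$SAMPLE_MOUNTINFO" | has_named_cgroup memory  && return 1
    printf '%s\n' "$SAMPLE_MOUNTINFO" | has_named_cgroup foo     && return 1
    return 0
}

# Only touch the real system when explicitly asked (hypothetical flag):
#   sudo sh thisscript.sh --ensure
if [ "${1:-}" = "--ensure" ]; then
    ensure_named_cgroup systemd /sys/fs/cgroup/systemd
fi
```

Run `check_sample` to exercise the parser offline; run the script with `--ensure` on the host, before starting any container, to pre-create the name=systemd hierarchy. The parser deliberately keys on the fstype field rather than on the mount point path, because the path is whatever the host chose while the fstype and the name= option are what identify the hierarchy.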

