[lxc-users] Using predefined cgroups

Dr. Todor Dimitrov dimitrov at technology.de
Tue May 16 05:21:56 UTC 2017


My understanding is that the unprivileged user owning the container can still alter the cgroups, right?

The use case that we have in mind is to allow an unprivileged user to run a preconfigured container whose configuration is only writable by power users. Ideally the unprivileged user should not be able to meddle with the cgroups or even create new containers.

Is such a scenario feasible to implement using LXC and cgroups?

Todor

> On 16. May 2017, at 05:31, Fajar A. Nugraha <list at fajar.net> wrote:
> 
> On Tue, May 16, 2017 at 1:18 AM, Dr. Todor Dimitrov <dimitrov at technology.de> wrote:
> Hello,
> 
> LXC automatically creates the "/sys/fs/cgroup/*/lxc/some-container-name" cgroups, which are setup to reflect the restrictions as defined in the container configuration file. I was wondering whether it would be possible to use a predefined cgroups hierarchy, which is not writable by LXC. Thus it would be possible for a super-user to place resource restrictions for the containers run by the unprivileged users. Is it possible to implement such a scenario using cgroups?
> 
> 
> It should already do what you want. IIRC unpriv containers are unable to increase their limits by writing to the cgroup. And if needed, root on the host could always write values to the desired cgroups.
> 
> Any particular use case in mind?
> 
> -- 
> Fajar
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
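Added example, not code from the thread or from LXC itself: a small audit script for Fajar's point that the host root can pin a limit on a parent cgroup, which a child cgroup delegated to the unprivileged container owner can never exceed, even if that user can rewrite the limit file of their own cgroup. It assumes a cgroup v1 memory hierarchy; for offline use it builds a constructed temporary tree in place of /sys/fs/cgroup/memory, and the permission model (owner or world-writable) is a simplification.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# Value memory.limit_in_bytes reports when no limit is set (cgroup v1, 64-bit kernel).
CGROUP_V1_UNLIMITED = 9223372036854771712

@dataclass
class Audit:
    user_may_raise_own_limit: bool  # the container's own limit file is writable by uid
    enforced_cap: "int | None"      # smallest limit on an ancestor cgroup uid cannot write

def _writable_by(path: str, uid: int) -> bool:
    # Simplified model: owner matches or file is world-writable; ignores group bits and ACLs.
    st = os.stat(path)
    return st.st_uid == uid or bool(st.st_mode & stat.S_IWOTH)

def audit_memory_cgroup(root: str, container_cg: str, uid: int) -> Audit:
    # root: memory controller mount point; container_cg: container cgroup relative to it.
    root = os.path.abspath(root)
    own = os.path.join(root, container_cg)
    result = Audit(_writable_by(os.path.join(own, "memory.limit_in_bytes"), uid), None)
    cur = os.path.dirname(own)
    while True:  # walk up to the controller root: a child can never exceed an ancestor's limit
        limit_file = os.path.join(cur, "memory.limit_in_bytes")
        if os.path.exists(limit_file) and not _writable_by(limit_file, uid):
            with open(limit_file) as f:
                lim = int(f.read().strip())
            if lim != CGROUP_V1_UNLIMITED and (result.enforced_cap is None or lim < result.enforced_cap):
                result.enforced_cap = lim
        if cur == root:
            break
        cur = os.path.dirname(cur)
    return result

def build_demo_tree() -> str:
    # Constructed stand-in for /sys/fs/cgroup/memory: 'lxc' capped at 512 MiB and not writable
    # by the container owner; 'lxc/web' (256 MiB) world-writable to mimic a delegated cgroup.
    root = tempfile.mkdtemp()
    for rel, value, mode in [("", CGROUP_V1_UNLIMITED, 0o644), ("lxc", 512 * 2**20, 0o644),
                             ("lxc/web", 256 * 2**20, 0o666)]:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        path = os.path.join(root, rel, "memory.limit_in_bytes")
        with open(path, "w") as f:
            f.write(str(value))
        os.chmod(path, mode)
    return root

def demo() -> Audit:
    # os.getuid() ^ 1 is some uid other than the one owning the constructed files.
    return audit_memory_cgroup(build_demo_tree(), "lxc/web", uid=os.getuid() ^ 1)
```

On a real host, point `root` at the memory controller mount and `container_cg` at the path LXC reports for the container; an `enforced_cap` of `None` means nothing above the user's cgroup bounds it.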
