[lxc-users] confusion with ``pam_cgroup`` and ``pam_cgfs`` for unprivileged containers

Lukas Pirl lxc-users at lukas-pirl.de
Wed Jul 24 18:31:35 UTC 2019


Dear all,

I struggle to understand the difference between ``pam_cgroup``
and ``pam_cgfs`` and their respective relevance for running unprivileged
containers.

From what I understand, ``pam_cgroup`` puts (existing processes of users upon
login and all future processes of) users in "their" writable cgroups
and ``pam_cgfs`` creates those cgroups for users.

I see that, depending on which parameters are handed to ``pam_cgfs``, the
unprivileged user has access to a certain controller or not.
I further see that ``pam_cgroup`` is referenced nowhere in ``/etc`` but
unprivileged containers start nonetheless.

This confuses me. Do we need ``pam_cgroup``? And if so, what for?

I'd be happy if anyone could clarify for me and the rest of the Internet. :)

Cheers,

Lukas
