[lxc-users] confusion with ``pam_cgroup`` and ``pam_cgfs`` for unprivileged containers
Serge E. Hallyn
serge at hallyn.com
Wed Jul 24 18:48:07 UTC 2019

On Wed, Jul 24, 2019 at 08:31:35PM +0200, Lukas Pirl wrote:
> Dear all,
>
> I struggle to understand the difference between ``pam_cgroup``
> and ``pam_cgfs`` and their respective relevance for running unprivileged
> containers.
>
> From what I understand, ``pam_cgroup`` puts (existing processes of users upon
> login and all future processes of) users in "their" writable cgroups
> and ``pam_cgfs`` creates those cgroups for users.
>
> I see that depending on which parameters are handed to ``pam_cgfs`` the
> unprivileged user has access to a certain controller or not.
> I further see that ``pam_cgroup`` is referenced nowhere in ``/etc`` but
> unprivileged containers start nonetheless.
>
> This confuses me. Do we need ``pam_cgroup``? And if so, what for?
>
> I'd be happy if anyone could clarify for me and the rest of the Internet. :)

pam_cgroup came out of libcgroup/group-bin. This was a long obsolete
effort to provide tools and a standard for use of cgroups by programs
and admins.
You probably don't want to use it.

pam_cgfs ships with lxc, used to ship with lxcfs. If you're using lxc
containers, you probably want to use it.