[lxc-users] confusion with ``pam_cgroup`` and ``pam_cgfs`` for unprivileged containers

Serge E. Hallyn serge at hallyn.com
Wed Jul 24 18:48:07 UTC 2019


On Wed, Jul 24, 2019 at 08:31:35PM +0200, Lukas Pirl wrote:
> Dear all,
> 
> I struggle understanding the difference between ``pam_cgroup``
> and ``pam_cgfs`` and their respective relevance for running unprivileged
> containers.
> 
> From what I understand, ``pam_cgroup`` puts (existing processes of users upon
> login and all future processes of) users in "their" writable cgroups
> and ``pam_cgfs`` creates those cgroups for users.
> 
> I see that depending on which parameters are handed to ``pam_cgfs`` the
> unprivileged user has access to a certain controller or not.
> I further see that ``pam_cgroup`` is referenced nowhere in ``/etc`` but
> unprivileged containers start nonetheless.
> 
> This confuses me. Do we need ``pam_cgroup``? And if so, what for?
> 
> I'd be happy if anyone could clarify for me and the rest of the Internet. :)

pam_cgroup came out of libcgroup/cgroup-bin.  This was a long obsolete
effort to provide tools and a standard for use of cgroups by programs
and admins.

You probably don't want to use it.

pam_cgfs ships with lxc, used to ship with lxcfs.  If you're using lxc
containers, you probably want to use it.
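[Added example, not part of the thread above.] A practical way to see whether pam_cgfs did its job for a login session is to check which cgroup v1 hierarchies the user can actually write to: lxc needs to create a per-container cgroup under the user's own cgroup in every controller it is going to use. The script below parses a /proc/self/cgroup-style file and checks the matching directories under a cgroup mount root. On Ubuntu the controller list handed to pam_cgfs lives in /etc/pam.d/common-session as a line like `session optional pam_cgfs.so -c freezer,memory,name=systemd,unified`; controllers left out of that list will show up as "readonly" here. The sample /proc/self/cgroup content, the temporary mount root and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: report which cgroup v1 hierarchies the calling user can
# write to, i.e. which controllers pam_cgfs (or something else) delegated.
# Assumptions (constructed for the example): cgroup v1 is mounted with one
# subdirectory per hierarchy under the given root (e.g. /sys/fs/cgroup),
# and the input file uses the /proc/self/cgroup format "ID:controllers:/path".

# parse_cgroup_file FILE
# Prints one "controller path" line per hierarchy listed in FILE.
# Comma-joined controllers (cpu,cpuacct) are split into separate lines and
# the cgroup v2 line "0::/path" is reported under the name "unified".
parse_cgroup_file() {
    while IFS=: read -r _id ctrls path; do
        if [ -z "$path" ]; then
            continue
        fi
        if [ -z "$ctrls" ]; then
            ctrls=unified
        fi
        echo "$ctrls" | tr ',' '\n' | while read -r c; do
            printf '%s %s\n' "$c" "$path"
        done
    done < "$1"
}

# cgroup_writable ROOT CONTROLLER PATH
# Succeeds when the caller can create entries in ROOT/CONTROLLER/PATH.
# A "name=systemd" hierarchy is mounted at ROOT/systemd, so strip the prefix.
cgroup_writable() {
    dir="$1/${2#name=}$3"
    [ -d "$dir" ] && [ -w "$dir" ] && [ -x "$dir" ]
}

# report_controllers CGROUP_FILE ROOT
# One line per controller: "controller path writable|readonly|missing".
report_controllers() {
    parse_cgroup_file "$1" | while read -r c p; do
        dir="$2/${c#name=}$p"
        if [ ! -d "$dir" ]; then
            state=missing
        elif cgroup_writable "$2" "$c" "$p"; then
            state=writable
        else
            state=readonly
        fi
        printf '%s %s %s\n' "$c" "$p" "$state"
    done
}

# Real-world usage from an unprivileged login shell:
#   report_controllers /proc/self/cgroup /sys/fs/cgroup
```

Run it as the unprivileged user who will start the containers, not as root: root can write to every cgroup directory regardless of ownership, so the "readonly" result only means something for a non-root uid. A controller reported "readonly" while lxc.cgroup-style settings for it appear in the container config is the usual cause of an unprivileged container failing to start.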

