JFYI: I'm not going to drop rh7-revert-ve-mark because otherwise cgroups
mounted in one CT will be visible from other Containers as well
(those cgroups which are mounted during CT start or restore).
At the moment we don't know of apps which require mounting cgroups inside Containers
(all known ones are able to work using bind mounts of existing cgroups) =>
prohibiting cgroup mounts inside a CT should not be a problem.
Once we find such an app, we'll think about cgroup virtualization in the scope
of the 3.10-x kernel.
--
Best regards,
Konstantin Khorenko,
Virtuozzo Linux Kernel Team
On 01/16/2016 11:13 PM, Cyrill Gorcunov wrote:
Guys, we've found a problem in the cgroups management code: currently we
allow mounting cgroups from inside of the veX context, which has a few
problems:
- performance issue (as Vladimir always pointed out)
- security issue (as was fixed by Stas in commit
1867565c8c6df8c2a18e391d9e6d721cf29e251e)
I propose to bring in a pseudosuper state which we are going to use
on the restore procedure and disable mounting cgroups from
inside of the veX context.
All cgroups needed should be prepared during the container
startup procedure and nothing else allowed.
Please see changelogs for the patches attached.
Cyrill
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel