On Mon, 03.11.14 16:25, Martin Pitt (martin.p...@ubuntu.com) wrote:

> Hello all,
>
> LXC upstream (in CC:) supports "unprivileged containers", i. e. you
> can create a rootfs in your $HOME and then run lxc-start on it with
> some initial preparation. While of course they have some limits,
> they are very useful for a lot of applications and are by nature quite
> safe towards other users/containers/services on the same machine.
>
> However, that requires putting at least the per-user session cgroup
> (from logind) into *all* available cgroup controllers, not just the
> "systemd" one, so that the per-user container actually has privileges
> to create sub-cgroups under the session-cN.scope parent.
We cannot blindly add user scopes/slices into all cgroup controllers, since simply adding them to a cgroup might already affect the runtime. For example, if you add a cgroup to the "cpu" controller then RT automatically becomes unavailable, and the processes get scheduled evenly against all other cgroups on the same level.

Also, we cannot allow unprivileged access to most of the controllers, not even "cpu". You can easily configure contradicting parameters in the "cpu" controller in a way that can severely hurt the system. This is not different for the other controllers either.

This isn't really something to solve in systemd, it requires kernel work (and that work is quite far actually, with the unified cgroup hierarchy).

To say this clearly: unprivileged access to any of the hierarchies but name=systemd is something we will *explicitly* not support until this is deemed safe by the kernel folks. Privileged containers are less problematic, as they usually come without security guarantees anyway.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
systemd-devel mailing list
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
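The practical question behind both messages is: in which cgroup hierarchies can an unprivileged user actually create a child cgroup under its logind session scope? The script below is an added example written for this page, not code from systemd, logind or LXC. It parses /proc/self/cgroup (v1 lines of the form "ID:controllers:path" and the unified "0::/path" line), maps each hierarchy to its directory under /sys/fs/cgroup, and tests with os.access() whether the real uid could mkdir there. The mount layout it assumes (v1 hierarchies at /sys/fs/cgroup/<comma-joined controllers>, the named hierarchy at /sys/fs/cgroup/systemd, the unified one at /sys/fs/cgroup/unified or at the root) is systemd's usual one but is an assumption, as is the embedded sample /proc/self/cgroup content, which is constructed for offline runs. On a host configured as Lennart describes, only name=systemd should come out writable.

```python
#!/usr/bin/env python3
"""Which cgroup hierarchies can this user create sub-cgroups in?

Added example for the thread above; not systemd/LXC project code.
Run without arguments to audit the live system, or with --sample to
run against the constructed sample below.
"""
import os
import sys

CGROUP_ROOT = "/sys/fs/cgroup"  # assumed mount point (systemd's default)

# Constructed sample of /proc/self/cgroup for a process in a logind
# session on a cgroup-v1 host (hybrid layout). Only the named
# "systemd" hierarchy carries the session scope; cpu and memory do not.
SAMPLE_PROC_SELF_CGROUP = """\
11:cpu,cpuacct:/
10:memory:/
9:name=systemd:/user.slice/user-1000.slice/session-c1.scope
0::/user.slice/user-1000.slice/session-c1.scope
"""


def parse_proc_self_cgroup(text):
    """Return a list of (hierarchy_id, controllers, path) tuples.

    controllers is a list of names; the unified hierarchy (id 0, empty
    controller field) is reported as ["unified"].
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        hid, ctrls, path = line.split(":", 2)
        names = [c for c in ctrls.split(",") if c] or ["unified"]
        entries.append((int(hid), names, path))
    return entries


def cgroup_dir(controllers, path, root=CGROUP_ROOT):
    """Map one /proc/self/cgroup entry to its directory under root.

    Assumed layout: v1 hierarchies mounted at root/<controllers joined
    by ','> (e.g. cpu,cpuacct), name=<x> at root/<x>, the unified
    hierarchy at root/unified when that exists (hybrid) or at root.
    """
    if controllers == ["unified"]:
        mount = os.path.join(root, "unified")
        if not os.path.isdir(mount):
            mount = root
    else:
        names = [c[len("name="):] if c.startswith("name=") else c
                 for c in controllers]
        mount = os.path.join(root, ",".join(names))
    return os.path.normpath(mount + "/" + path)


def can_create_subcgroup(directory):
    """True if the caller's real uid/gid could mkdir a child cgroup here.

    os.access() uses the real ids, which is what an unprivileged
    lxc-start (no setuid helper) would be judged by.
    """
    return os.path.isdir(directory) and os.access(directory, os.W_OK | os.X_OK)


def audit(text, root=CGROUP_ROOT):
    """Return {controller: (directory, writable)} for every hierarchy."""
    result = {}
    for _hid, controllers, path in parse_proc_self_cgroup(text):
        directory = cgroup_dir(controllers, path, root)
        writable = can_create_subcgroup(directory)
        for ctrl in controllers:
            result[ctrl] = (directory, writable)
    return result


def delegated_controllers(text, root=CGROUP_ROOT):
    """Controllers other than name=systemd where a sub-cgroup could be made."""
    return sorted(ctrl for ctrl, (_d, writable) in audit(text, root).items()
                  if writable and ctrl != "name=systemd")


if __name__ == "__main__":
    if "--sample" in sys.argv:
        text = SAMPLE_PROC_SELF_CGROUP
    else:
        with open("/proc/self/cgroup") as f:
            text = f.read()
    for ctrl, (directory, writable) in sorted(audit(text).items()):
        print(f"{ctrl:16} {directory}  {'writable' if writable else 'read-only'}")
    extra = delegated_controllers(text)
    if extra:
        print("sub-cgroup creation possible outside name=systemd:", ", ".join(extra))
```

Run it as the unprivileged user that would start the container, not as root, since os.access() reports on the calling identity. A controller listed as writable outside name=systemd means something other than logind (a manual chown, a local policy) has delegated it; per the reply above that is not a configuration systemd sets up, so treat it as a finding rather than the baseline.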