cgroup attach/fork hooks consistency with the ns_cgroup

Serge E. Hallyn serue at
Thu Jun 18 06:45:27 PDT 2009

Quoting Paul Menage (menage at
> On Wed, Jun 17, 2009 at 2:26 PM, Serge E. Hallyn<serue at> wrote:
> >
> > The ns cgroup is really only good for preventing root in a container
> > from escaping its cgroup-imposed limits.  The same can be done today
> > using smack or selinux, and eventually will be possible using user
> > namespaces.  Would anyone object to removing ns_cgroup?
> Sounds reasonable to me. It feels to me that there ought to be some
> good way to integrate namespaces and cgroups, but I'm not quite sure
> exactly how, and ns_cgroup sort of hovers in the "toy" category rather
> than something very useful.

So the question becomes: does the presence of the ns cgroup constitute
an API?  Can we just yank it out?

Daniel, AFAIK liblxc is the only thing that actually uses it.  Do
you mind manually moving the container init into a new cgroup?

