cgroup attach/fork hooks consistency with the ns_cgroup
Serge E. Hallyn
serue at us.ibm.com
Thu Jun 18 06:45:27 PDT 2009
Quoting Paul Menage (menage at google.com):
> On Wed, Jun 17, 2009 at 2:26 PM, Serge E. Hallyn<serue at us.ibm.com> wrote:
> > The ns cgroup is really only good for preventing root in a container
> > from escaping its cgroup-imposed limits. The same can be done today
> > using smack or selinux, and eventually will be possible using user
> > namespaces. Would anyone object to removing ns_cgroup?
> Sounds reasonable to me. It feels to me that there ought to be some
> good way to integrate namespaces and cgroups, but I'm not quite sure
> exactly how, and ns_cgroup sort of hovers in the "toy" category rather
> than something very useful.

So the question becomes: does the presence of the ns cgroup constitute
an API? Can we just yank it out?

Daniel, AFAIK liblxc is the only thing that actually uses it. Do
you mind manually moving the container init into a new cgroup?