A control group manager

Posted Nov 5, 2014 19:31 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Parent article: A control group manager

Cgroups maintainer should be hit with a cluebat a little bit harder. At least they've abandoned their insane plan to limit cgroups access to one process.

The next step is to admit that actually replicating all the access controls in userspace is a not-so-smart task and add cgroups namespacing. With the single tree mode it's also a pretty logical thing to do.

A control group manager

Posted Nov 5, 2014 22:20 UTC (Wed) by stgraber (subscriber, #57367) [Link] (3 responses)

There are patches currently being reviewed to do just that.
With those patches, it's possible for a task that's already in a cgroup say /cg1 to unshare the cgroup namespace and then appear as being cgroup / but have that new / actually refer to /cg1 from the host's point of view.

That means that we can finally have containers mount cgroupfs and write assuming that / means their namespace rather than have to jump through hoops and bind-mount part of the hierarchy read-only and part of it writable.

A control group manager

Posted Nov 6, 2014 0:28 UTC (Thu) by luto (guest, #39314) [Link] (1 responses)

The current set of patches look pretty good. I wouldn't be surprised if they make it in to 3.19.

They're not the full solution, though -- whatever manages cgroups on the host will have to play along to a limited extent. It remains to be seen whether systemd will do so. I imagine it will.

A control group manager

Posted Nov 7, 2014 5:53 UTC (Fri) by CameronNemo (guest, #94700) [Link]

I would think so as well; the systemd maintainers have in general been willing to follow the direction that the cgroups maintainer wants to go in (and not any other direction, AFAICS).

A control group manager

Posted Nov 6, 2014 2:31 UTC (Thu) by Cyberax (✭ supporter ✭, #52523) [Link]

Wow. Can I buy beer for the guy who wrote these patches?