From: "Serge E. Hallyn"
Subject: Re: [patch 2/2] Remove the ns_cgroup
Date: Mon, 28 Dec 2009 17:36:11 -0600
Message-ID: <20091228233611.GA6309@us.ibm.com>
References: <20091228230454.000895089@mai.lab.toulouse-stg.fr.ibm.com> <20091228230623.907397717@mai.lab.toulouse-stg.fr.ibm.com>
In-Reply-To: <20091228230623.907397717-7Ha4D/yM3XKqUVqbrEjtMkN0fxke0PB7qyM6JfAXOaQ@public.gmane.org>
To: Daniel Lezcano
Cc: containers-qjLDD68F18O7TbgM5vRIOg@public.gmane.org, Paul Menage, "Eric W. Biederman"
List-Id: containers.vger.kernel.org

Quoting Daniel Lezcano (daniel.lezcano-GANU6spQydw@public.gmane.org):
> The ns_cgroup is an annoying cgroup at the namespace / cgroup frontier.

True. However, it remains - apart from using smack or SELinux - the only way to truly lock a container into a cgroup configuration. That's unlikely to change until we finally support user namespaces in the VFS.

Do we worry about that?

-serge