Re: [systemd-devel] How to use cgroups within containers?

[Lennart Poettering <lennart-mdGvqq1h2p+GdvJs77BJ7Q@public.gmane.org>]

On Mon, 20.10.14 18:49, Richard Weinberger (richard-/L3Ra7n9ekc@public.gmane.org) wrote:

> Am 20.10.2014 um 18:24 schrieb Lennart Poettering:
> > On Fri, 17.10.14 23:35, Richard Weinberger (richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org) wrote:
> > 
> >> Dear systemd and container folks,
> >>
> >> at Plumbers the question raised how to provide cgroups to a systemd that lives
> >> in a container (with user namespaces).
> >> Due to the GDL train strikes I had to leave very soon and had no chance to
> >> talk to you in person.
> >>
> >> Was a solution proposed?
> >> All I want to know is how to provide cgroups in a sane and secure way
> >> to systemd. :-)
> > 
> > The cgroups setup systemd requires to be able to run cleanly without
> > changes in a container is documented here:
> > 
> > http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
> > 
> > You have to mount the full cgroupfs hierarchies into the containers,
> > so that /proc/$PID/cgroup makes sense inside the containers (that file
> > lists absolute paths...). They can be mounted read-only up to the
> > container's root, but further down they need to be writable to the
> > container, so that systemd inside the container can do its job.
> 
> And what solution do you propose?

Solution? For what problem precisely?

> Will cgroup namespaces make systemd finally happy?

I have no idea about cgroup namespaces and what they entail.

systemd is quite happy already, if you follow the guidelines for
container managers we put together...

Lennart

-- 
Lennart Poettering, Red Hat