From: Gao feng <gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
To: Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org,
lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org,
ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org,
serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org,
glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org
Subject: Re: [RFC PATCH 0/9] Add container support for cgroup
Date: Tue, 18 Dec 2012 13:37:17 +0800 [thread overview]
Message-ID: <50D0010D.3020201@cn.fujitsu.com> (raw)
In-Reply-To: <20121217234816.GA10220-9pTldWuhBndy/B6EtB590w@public.gmane.org>
Hello Tejun
On 2012/12/18 07:48, Tejun Heo wrote:
> Hello,
>
> On Mon, Dec 17, 2012 at 02:43:26PM +0800, Gao feng wrote:
>> Right now,if we mount cgroup in the container,we will get
>> host's cgroup informations and even we can change host's
>> cgroup in container.
>>
>> So the resource controller of the container will lose
>> effectiveness.
>>
>> This patchset try to add contianer support for cgroup.
>> the main idea is allocateing cgroup super-block for each
>> cgroup mounted in different pid namespace.
>>
>> The top cgroup of container will share css with host.
>> When the cgroup being mounted in contianer,the tasks in
>> this container will be attached to this new mounted
>> hierarchy's top cgroup, And when unmounting cgroup in
>> container,these tasks will be attached back to host's cgroup.
>>
>> Since the container can change the shared css through it's
>> cgroup subsystem files. patch 7/8 disable the write permission
>> of container's top cgroup files. In my TODO list, container
>> will have it's own css, this problem will disappear.
>>
>> This patchset is sent as RFC,any comments are welcome.
>> Maybe this isn't the best solution, if you have better
>> solution,Please let me know.
>
> So, I'm *highly* unlikely to accept any patches which try to add
> namespace support directly to cgroup in any form unless someone can
> definitively show me this can't be done using FUSE or other userland
> solutions.
>
> cgroupfs is going to be an interface to expose the resource control
> facilities of the kernel and that's the extent the interface will be
> capable of. It in itself won't support delegation of resource
> policies to names spaces or unprivieged users.
>
> Although I don't have anything concrete yet, the tentative plan is to
> have something in userland which can integrate with the base system so
> that userland has an unified and controlled way to interact with
> cgroup which can be easily integrated with the rest of the base system
> and kernel has at least some level of interface isolation. Basically,
> something like libudev or libsysfs.
As your advice,the container's interface will be changed in container.
Container will not be able to enable cgroup by the command:
"mount -t cgroup -o xxx xxx /path".
Though something like libudev or libsysfs can afford the interface for
container to get and set cgroups.But the interface provided by cgroupfs
will lose effectiveness in container.
>
> So, if people want to allow NSes control its subtree of cgroups, I
> really want something in the userland which sits between the NSes and
> actual cgroup, and I bet things would actually be much better that
> way. cgroupfs seems to allow it but you can't really delegate
> management of subtree easily. Controllers would collapse with
> increasing level of nesting, root cgroups have different knobs or
> different interpretations of the same knobs, and siblings interact
> with each other, and I don't think making cgroupfs interface generic
> enough so that it can be used for all that is desirable or a
> worthwhile effort.
>
I recognize it's not easy,BUT I just want the usage of the OS which
running in container as same as the host.
Thanks.
next prev parent reply other threads:[~2012-12-18 5:37 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-17 6:43 [RFC PATCH 0/9] Add container support for cgroup Gao feng
[not found] ` <1355726615-15224-1-git-send-email-gaofeng-BthXqXjhjHXQFUHtdCDX3A@public.gmane.org>
2012-12-17 6:43 ` [RFC PATCH 1/9] cgroup: introduce cgroupfs_root flag ROOT_NAMESPACE Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 2/9] cgroup: introduce the top root Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 3/9] cgroup: use root->top_root instead of root Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 4/9] introduce helper function cgroup_in_root Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 5/9] cgroup: add container support for cgroup Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 6/9] pidns: move next_tgid to kernel/pid.c Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 7/9] cgroup: attach container's tasks to proper cgroup Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 8/9] cgroup: disallow container to change top cgroup's subsys files Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 6:43 ` [RFC PATCH 9/9] cgroup: rework cgroup_path Gao feng
2012-12-17 6:43 ` Gao feng
2012-12-17 8:08 ` [RFC PATCH 0/9] Add container support for cgroup Glauber Costa
[not found] ` <50CED2FD.1040509-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
2012-12-17 8:54 ` Gao feng
2012-12-17 8:54 ` Gao feng
2012-12-19 21:39 ` Serge Hallyn
2012-12-19 21:39 ` Serge Hallyn
2012-12-17 8:08 ` Glauber Costa
2012-12-17 13:16 ` Serge Hallyn
2012-12-17 13:16 ` Serge Hallyn
2012-12-17 23:48 ` Tejun Heo
[not found] ` <20121217234816.GA10220-9pTldWuhBndy/B6EtB590w@public.gmane.org>
2012-12-17 23:54 ` Eric W. Biederman
[not found] ` <87obhsgrq7.fsf-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org>
2012-12-17 23:56 ` Tejun Heo
2012-12-18 5:37 ` Gao feng
2012-12-18 5:37 ` Gao feng [this message]
-- strict thread matches above, loose matches on Subject: below --
2012-12-17 6:43 Gao feng
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D0010D.3020201@cn.fujitsu.com \
--to=gaofeng-bthxqxjhjhxqfuhtdcdx3a@public.gmane.org \
--cc=cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=containers-cunTk1MwBs9QetFLy7KEm3xJsTq8ys+cHZ5vskTnxNA@public.gmane.org \
--cc=ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org \
--cc=glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org \
--cc=lizefan-hv44wF8Li93QT0dZR+AlfA@public.gmane.org \
--cc=serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org \
--cc=tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.