Re: [systemd-devel] How to use cgroups within containers?

[Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>]

Am 20.10.2014 um 18:51 schrieb Lennart Poettering:
> On Mon, 20.10.14 18:49, Richard Weinberger (richard-/L3Ra7n9ekc@public.gmane.org) wrote:
> 
>> Am 20.10.2014 um 18:24 schrieb Lennart Poettering:
>>> On Fri, 17.10.14 23:35, Richard Weinberger (richard.weinberger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org) wrote:
>>>
>>>> Dear systemd and container folks,
>>>>
>>>> at Plumbers the question raised how to provide cgroups to a systemd that lives
>>>> in a container (with user namespaces).
>>>> Due to the GDL train strikes I had to leave very soon and had no chance to
>>>> talk to you in person.
>>>>
>>>> Was a solution proposed?
>>>> All I want to know is how to provide cgroups in a sane and secure way
>>>> to systemd. :-)
>>>
>>> The cgroups setup systemd requires to be able to run cleanly without
>>> changes in a container is documented here:
>>>
>>> http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
>>>
>>> You have to mount the full cgroupfs hierarchies into the containers,
>>> so that /proc/$PID/cgroup makes sense inside the containers (that file
>>> lists absolute paths...). They can be mounted read-only up to the
>>> container's root, but further down they need to be writable to the
>>> container, so that systemd inside the container can do its job.
>>
>> And what solution do you propose?
> 
> Solution? For what problem precisely?

Running systemd inside Linux container (including user namespaces). :-)

>> Will cgroup namespaces make systemd finally happy?
> 
> I have no idea about cgroup namespaces and what they entail.
> 
> systemd is quite happy already, if you follow the guidelines for
> container managers we put together...

Have you ever used systemd inside a container?
Say, LXC or libvirt-lxc...

Thanks,
//richard