Re: [systemd-devel] How to use cgroups within containers?

[Richard Weinberger <richard-/L3Ra7n9ekc@public.gmane.org>]

Am 20.10.2014 um 19:27 schrieb Lennart Poettering:
> On Mon, 20.10.14 19:16, Richard Weinberger (richard-/L3Ra7n9ekc@public.gmane.org) wrote:
> 
>>> Have you read the link I posted?
>>
>> Sure, I've also been in the room in Düsseldorf while you've read it
>> in front of us.
> 
> Not that I changed it since then... ;-)
> 
>>> Yes, I test systemd inside containers. Daily. Actually it's my primary
>>> way of testing systemd, since it is extremely quick and allows me to
>>> attach from the host with debugging tools...
>>>
>>> As long as you follow the suggestions in the document I linked systemd
>>> will work without modifications in container managers. At least
>>> libvirt-lxc and nspawn follows these suggestions, not sure about the
>>> other container managers.
>>
>> If I read the source of nspwan correctly, it does not use user
>> namespaces.
> 
> Ah, this is about user namespaces? No I have not played around with
> them so far. Sorry.

Yep. Please have a look at them. There are some pitfalls.

>> libvirt-lxc is currently not sure how to support systemd. So far it
>> bind mounts only the machine specific part of cgroups into the container.
>> Which is not really nice but better than exposing the whole hierarchy into
>> the container.
> 
> It really should also bind mount the upper parts, but possibly mark
> them read-only (which nspawn currently doesn't do).

Okay. Or maybe cgroup namespaces will help.
Let's find out. :)

Thanks,
//richard