From: ebiederm-aS9lmoZGLiVWk0Htik3J/w@public.gmane.org (Eric W. Biederman)
To: Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org>
Cc: Glauber Costa <glommer-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>,
Frederic Weisbecker
<fweisbec-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Balbir Singh
<bsingharora-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
Pavel Emelyanov <xemul-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>,
Suleiman-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
Daniel Lezcano
<daniel.lezcano-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>,
Tim Hockin <thockin-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Greg Thelen <gthelen-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Paul Turner <pjt-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
devel-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
Souhlal <ssouhlal-HZy0K5TPuP5AfugRpC6u6w@public.gmane.org>,
Tejun Heo <tj-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>,
Dave Kleikamp
<dave.kleikamp-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Dhaval Giani
<dhaval.giani-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
cgroups-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
KAMEZAWA Hiroyuki
<kamezawa.hiroyu-+CUm20s59erQFUHtdCDX3A@public.gmane.org>,
Maxim-GEFAQzZX7r8dnm+yROfE0A@public.gmane.org,
Johannes Weiner <hannes-druUgvl0LCNAfugRpC6u6w@public.gmane.org>,
Rohit Seth <rohitseth-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Patlasov <MPatlasov-bzQdu9zFT3WakBO8gow8eQ@public.gmane.org>
Subject: Re: [Devel] Re: containers and cgroups mini-summit @ Linux Plumbers
Date: Thu, 26 Jul 2012 12:38:16 -0700
Message-ID: <87ipdauxcn.fsf@xmission.com>
In-Reply-To: <20120726181629.GB17824@serge-laptop> (Serge Hallyn's message of "Thu, 26 Jul 2012 13:16:29 -0500")
Serge Hallyn <serge.hallyn-Z7WLFzj8eWMS+FvcfC7Uqw@public.gmane.org> writes:
> (Sorry, please disregard my last email :)
>
> Yes, what we do now in ubuntu quantal is the bind mounts you mention,
> and only optionally (using a startup hook).
> Each container is brought up in say
> /sys/fs/cgroup/devices/lxc/container1/container1.real, and that dir is
> bind-mounted under /sys/fs/cgroup/devices in the guest. The guest
> is not allowed to mount cgroup fs himself.
>
> It's certainly not ideal (and in cases where cgroup allows you to
> raise your own limits, worthless). The 'fake cgroup root' has been
> mentioned before to address this. Definitely worth discussing.
It is going to be interesting to see how all of the unprivileged
operations work when the user-namespaces start allowing unprivileged
users to do things (3.7 timeframe I hope).
I can see it making things both easier and harder. I would hope not
actually being root will make it easier to keep from raising your own
limits.
Running some operations as non-root will catch other places off guard
where people were definitely expecting nothing of the kind.
There are a couple of networking memory limits exposed through sysctl
that I don't expect we want everyone changing, that I need to figure out
how to separate out from the rest. A concept that hasn't existed
before.
Eric
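A defender-side check for the bind-mount arrangement Serge describes, added here as an example and not code from the thread, lxc or Ubuntu: from inside the guest, compare the root field of each cgroup mount in /proc/self/mountinfo with the process's own cgroup path from /proc/self/cgroup to tell whether a hierarchy is exposed as a confined subtree or as the host's full tree. Both input files below are constructed samples.

```python
# Constructed /proc/self/mountinfo as a guest would see it: the devices
# hierarchy is a bind mount of .../lxc/container1/container1.real, while
# the memory hierarchy is the host's whole tree (root field "/").
SAMPLE_MOUNTINFO = """\
36 35 0:31 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
41 36 0:35 /lxc/container1/container1.real /sys/fs/cgroup/devices rw,nosuid,nodev,noexec - cgroup cgroup rw,devices
42 36 0:36 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec - cgroup cgroup rw,memory
"""

# Constructed /proc/self/cgroup of a process inside that guest.
SAMPLE_PROC_CGROUP = """\
3:devices:/lxc/container1/container1.real
2:memory:/lxc/container1/container1.real
1:cpuset:/lxc/container1/container1.real
"""


def parse_mountinfo(text):
    """Yield (mount_root, mount_point, fstype, super_options) per line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        head, _, tail = line.partition(" - ")  # optional fields end at " - "
        fields = head.split()
        fstype, _source, super_opts = tail.split(None, 2)
        yield fields[3], fields[4], fstype, super_opts.split(",")


def cgroup_hierarchies(mountinfo_text):
    """Map each cgroup v1 controller to the root field of the mount exposing it."""
    roots = {}
    for root, _point, fstype, opts in parse_mountinfo(mountinfo_text):
        if fstype != "cgroup":
            continue
        for opt in opts:
            if opt not in ("rw", "ro") and not opt.startswith("name="):
                roots[opt] = root
    return roots


def audit_cgroup_view(mountinfo_text, proc_cgroup_text):
    """Per controller: 'confined' (mount root is our own cgroup, the
    bind-mount trick), 'exposed' (mount root is an ancestor, so parent
    knobs are visible) or 'unmounted' (no mount carries it here)."""
    roots = cgroup_hierarchies(mountinfo_text)
    result = {}
    for line in proc_cgroup_text.splitlines():
        _hid, controllers, path = line.split(":", 2)
        for ctrl in controllers.split(","):
            root = roots.get(ctrl)
            result[ctrl] = ("unmounted" if root is None
                            else "confined" if root == path else "exposed")
    return result
```

"confined" only says the guest cannot see above its own cgroup; it says nothing about whether the knobs inside that subtree are writable, which is the case Serge calls worthless. Kernels with cgroup namespaces (a later feature) virtualize both files, so this check targets the pre-namespace setup the thread describes.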