[systemd-devel] How to use cgroups within containers?
lennart at poettering.net
Mon Oct 20 16:51:29 UTC 2014
On Mon, 20.10.14 18:49, Richard Weinberger (richard at nod.at) wrote:
> On 20.10.2014 at 18:24, Lennart Poettering wrote:
> > On Fri, 17.10.14 23:35, Richard Weinberger (richard.weinberger at gmail.com) wrote:
> >> Dear systemd and container folks,
> >> at Plumbers the question was raised how to provide cgroups to a systemd that lives
> >> in a container (with user namespaces).
> >> Due to the GDL train strikes I had to leave very soon and had no chance to
> >> talk to you in person.
> >> Was a solution proposed?
> >> All I want to know is how to provide cgroups in a sane and secure way
> >> to systemd. :-)
> > The cgroups setup systemd requires to be able to run cleanly without
> > changes in a container is documented here:
> > http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
> > You have to mount the full cgroupfs hierarchies into the containers,
> > so that /proc/$PID/cgroup makes sense inside the containers (that file
> > lists absolute paths...). They can be mounted read-only up to the
> > container's root, but further down they need to be writable to the
> > container, so that systemd inside the container can do its job.
> And what solution do you propose?
Solution? For what problem precisely?
> Will cgroup namespaces make systemd finally happy?
I have no idea about cgroup namespaces and what they entail.
systemd is quite happy already, if you follow the guidelines for
container managers we put together...
Lennart Poettering, Red Hat
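
Added example, not part of the original message or of systemd's code: a sketch of how a container manager could turn the absolute paths in /proc/$PID/cgroup into the layout described above, with each hierarchy read-only down to the container's own cgroup and writable below it. It assumes cgroup v1 hierarchies mounted under /sys/fs/cgroup; the function names and the sample input are constructed for illustration.

```python
import posixpath

CGROUP_MOUNT_BASE = "/sys/fs/cgroup"  # assumption: conventional cgroup v1 mount location

# Constructed sample: /proc/<PID>/cgroup of a container's init process, cgroup v1 format.
SAMPLE_PROC_CGROUP = """\
4:memory:/machine/web1
3:cpu,cpuacct:/machine/web1
1:name=systemd:/machine/web1
"""

def parse_proc_cgroup(text):
    """Return [(controller_list, absolute_cgroup_path)] from /proc/PID/cgroup text."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Each line is hierarchy-ID:controller-list:path; split only twice,
        # because the path itself may contain ':'.
        _hierarchy_id, controllers, path = line.split(":", 2)
        if not path.startswith("/"):
            raise ValueError(f"expected an absolute cgroup path: {line!r}")
        entries.append((controllers, path))
    return entries

def mount_plan(text):
    """Map each hierarchy mount point (read-only) to its one writable subtree."""
    plan = {}
    for controllers, path in parse_proc_cgroup(text):
        # Assumption: a named hierarchy such as name=systemd is mounted under its bare name.
        name = controllers[len("name="):] if controllers.startswith("name=") else controllers
        top = posixpath.join(CGROUP_MOUNT_BASE, name)
        writable = posixpath.normpath(top + path)
        if not writable.startswith(top + "/"):
            # Path is the hierarchy root or escapes it via "..": nothing above the
            # container could stay read-only, so refuse to build a plan.
            raise ValueError(f"{controllers}: container has no cgroup of its own")
        plan[top] = writable
    return plan

def access_for(plan, target):
    """'rw' at or below the container's cgroup, 'ro' elsewhere in a planned hierarchy."""
    target = posixpath.normpath(target)
    for top, writable in plan.items():
        if target == writable or target.startswith(writable + "/"):
            return "rw"
        if target == top or target.startswith(top + "/"):
            return "ro"
    return None
```
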