[systemd-devel] How to use cgroups within containers?

Lennart Poettering lennart at poettering.net
Mon Oct 20 17:04:43 UTC 2014


On Mon, 20.10.14 18:55, Richard Weinberger (richard at nod.at) wrote:

> Am 20.10.2014 um 18:51 schrieb Lennart Poettering:
> > On Mon, 20.10.14 18:49, Richard Weinberger (richard at nod.at) wrote:
> > 
> >> Am 20.10.2014 um 18:24 schrieb Lennart Poettering:
> >>> On Fri, 17.10.14 23:35, Richard Weinberger (richard.weinberger at gmail.com) wrote:
> >>>
> >>>> Dear systemd and container folks,
> >>>>
> >>>> at Plumbers the question was raised how to provide cgroups to a systemd that lives
> >>>> in a container (with user namespaces).
> >>>> Due to the GDL train strikes I had to leave very soon and had no chance to
> >>>> talk to you in person.
> >>>>
> >>>> Was a solution proposed?
> >>>> All I want to know is how to provide cgroups in a sane and secure way
> >>>> to systemd. :-)
> >>>
> >>> The cgroups setup systemd requires to be able to run cleanly without
> >>> changes in a container is documented here:
> >>>
> >>> http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
> >>>
> >>> You have to mount the full cgroupfs hierarchies into the containers,
> >>> so that /proc/$PID/cgroup makes sense inside the containers (that file
> >>> lists absolute paths...). They can be mounted read-only up to the
> >>> container's root, but further down they need to be writable to the
> >>> container, so that systemd inside the container can do its job.
> >>
> >> And what solution do you propose?
> > 
> > Solution? For what problem precisely?
> 
> Running systemd inside a Linux container (including user namespaces). :-)
> 
> >> Will cgroup namespaces make systemd finally happy?
> > 
> > I have no idea about cgroup namespaces and what they entail.
> > 
> > systemd is quite happy already, if you follow the guidelines for
> > container managers we put together...
> 
> Have you ever used systemd inside a container?
> Say, LXC or libvirt-lxc...

Have you read the link I posted?

Yes, I test systemd inside containers. Daily. Actually it's my primary
way of testing systemd, since it is extremely quick and allows me to
attach from the host with debugging tools...

As long as you follow the suggestions in the document I linked, systemd
will work without modifications in container managers. At least
libvirt-lxc and nspawn follow these suggestions; not sure about the
other container managers.

Also read:

http://www.freedesktop.org/wiki/Software/systemd/writing-vm-managers/

We have documented this all so nicely, I can only recommend to
actually take the time to read this. Thanks!

Lennart

-- 
Lennart Poettering, Red Hat
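The requirement quoted above (mount the full cgroup hierarchies so that the absolute paths in /proc/$PID/cgroup resolve, read-only above the container's own group and writable below it) only works if the container manager has actually placed the container in a subtree of its own on every hierarchy. The following is an added Python example, not code from this thread or from the systemd project: it parses a constructed /proc/1/cgroup as systemd might see it inside a container, derives which hierarchy root a manager would mount read-only and which subtree must stay writable, and flags any hierarchy where the container still sits at the host root and would therefore need write access to the whole hierarchy. The sample paths, the container root /machine.slice/machine-demo.scope, and the mount naming convention (/sys/fs/cgroup/<controllers>, with name=systemd at /sys/fs/cgroup/systemd) are assumptions.

```python
"""Check a container's /proc/$PID/cgroup view against the container's cgroup root
and derive the read-only / writable mount split a container manager needs.
Added example; paths and sample data are constructed, not taken from the thread."""
from typing import Dict, List, Tuple

# Constructed sample of /proc/1/cgroup as seen by systemd inside a container.
# The manager placed the container in its own group on three hierarchies but
# left it at the host root "/" on the "devices" hierarchy (the failure case).
SAMPLE_PROC_CGROUP = """\
11:name=systemd:/machine.slice/machine-demo.scope
10:memory:/machine.slice/machine-demo.scope
9:cpu,cpuacct:/machine.slice/machine-demo.scope
8:devices:/
"""

# Assumed container cgroup root on the host (constructed example value).
CONTAINER_ROOT = "/machine.slice/machine-demo.scope"


def parse_proc_cgroup(text: str) -> Dict[str, str]:
    """Parse /proc/$PID/cgroup lines of the form 'hierarchy-id:controllers:path'
    into a mapping {controllers: absolute path in that hierarchy}."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # The path may itself contain ':' in theory, so split at most twice.
        _hier_id, controllers, path = line.split(":", 2)
        entries[controllers] = path
    return entries


def is_under(path: str, root: str) -> bool:
    """True if 'path' equals 'root' or lies below it in the hierarchy."""
    root = root.rstrip("/") or "/"
    if root == "/":
        return True
    return path == root or path.startswith(root + "/")


def hierarchy_mount_dir(controllers: str, mountpoint: str) -> str:
    """Assumed layout: named hierarchies drop the 'name=' prefix, joint
    controller sets keep the comma-joined name (e.g. cpu,cpuacct)."""
    name = controllers[len("name="):] if controllers.startswith("name=") else controllers
    return mountpoint.rstrip("/") + "/" + name


def mount_plan(entries: Dict[str, str], container_root: str,
               mountpoint: str = "/sys/fs/cgroup") -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Return (plan, violations).

    plan: one (controllers, read-only hierarchy root dir, writable subtree dir)
          tuple per hierarchy in which the container has its own subtree.
    violations: hierarchies where the container's path is not under
          container_root, i.e. the read-only/writable split cannot be applied
          without handing the container write access above its own root."""
    plan: List[Tuple[str, str, str]] = []
    violations: List[str] = []
    for controllers, path in entries.items():
        if not is_under(path, container_root):
            violations.append(controllers)
            continue
        ro_dir = hierarchy_mount_dir(controllers, mountpoint)
        rw_dir = ro_dir + container_root.rstrip("/")
        plan.append((controllers, ro_dir, rw_dir))
    return plan, violations


if __name__ == "__main__":
    entries = parse_proc_cgroup(SAMPLE_PROC_CGROUP)
    plan, violations = mount_plan(entries, CONTAINER_ROOT)
    for controllers, ro_dir, rw_dir in plan:
        print(f"{controllers:14} mount read-only: {ro_dir}  writable below: {rw_dir}")
    for controllers in violations:
        print(f"{controllers:14} NOT confined: container path {entries[controllers]!r} "
              f"is not under {CONTAINER_ROOT}")
```

Run inside a container against the real file by replacing SAMPLE_PROC_CGROUP with the contents of /proc/1/cgroup and CONTAINER_ROOT with the group the manager assigned; any hierarchy reported as NOT confined is one where the manager has not done its part, and no amount of mounting will let systemd inside run cleanly without exposing the host's hierarchy.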
