[systemd-devel] How to use cgroups within containers?
Richard Weinberger
richard at nod.at
Mon Oct 20 10:16:05 PDT 2014
Am 20.10.2014 um 19:04 schrieb Lennart Poettering:
> On Mon, 20.10.14 18:55, Richard Weinberger (richard at nod.at) wrote:
>
>> Am 20.10.2014 um 18:51 schrieb Lennart Poettering:
>>> On Mon, 20.10.14 18:49, Richard Weinberger (richard at nod.at) wrote:
>>>
>>>> Am 20.10.2014 um 18:24 schrieb Lennart Poettering:
>>>>> On Fri, 17.10.14 23:35, Richard Weinberger (richard.weinberger at gmail.com) wrote:
>>>>>
>>>>>> Dear systemd and container folks,
>>>>>>
>>>>>> at Plumbers the question raised how to provide cgroups to a systemd that lives
>>>>>> in a container (with user namespaces).
>>>>>> Due to the GDL train strikes I had to leave very soon and had no chance to
>>>>>> talk to you in person.
>>>>>>
>>>>>> Was a solution proposed?
>>>>>> All I want to know is how to provide cgroups in a sane and secure way
>>>>>> to systemd. :-)
>>>>>
>>>>> The cgroups setup systemd requires to be able to run cleanly without
>>>>> changes in a container is documented here:
>>>>>
>>>>> http://www.freedesktop.org/wiki/Software/systemd/ContainerInterface/
>>>>>
>>>>> You have to mount the full cgroupfs hierarchies into the containers,
>>>>> so that /proc/$PID/cgroup makes sense inside the containers (that file
>>>>> lists absolute paths...). They can be mounted read-only up to the
>>>>> container's root, but further down they need to be writable to the
>>>>> container, so that systemd inside the container can do its job.
>>>>
>>>> And what solution do you propose?
>>>
>>> Solution? For what problem precisely?
>>
>> Running systemd inside Linux container (including user namespaces). :-)
>>
>>>> Will cgroup namespaces make systemd finally happy?
>>>
>>> I have no idea about cgroup namespaces and what they entail.
>>>
>>> systemd is quite happy already, if you follow the guidelines for
>>> container managers we put together...
>>
>> Have you ever used systemd inside a container?
>> Say, LXC or libvirt-lxc...
>
> Have you read the link I posted?
Sure, I've also been in the room in Düsseldorf while you've read it in front of us.
> Yes, I test systemd inside containers. Daily. Actually it's my primary
> way of testing systemd, since it is extremely quick and allows me to
> attach from the host with debugging tools...
>
> As long as you follow the suggestions in the document I linked systemd
> will work without modifications in container managers. At least
> libvirt-lxc and nspawn follows these suggestions, not sure about the
> other container managers.
If I read the source of nspwan correctly, it does not use user namespaces.
libvirt-lxc is currently not sure how to support systemd. So far it
bind mounts only the machine specific part of cgroups into the container.
Which is not really nice but better than exposing the whole hierarchy into
the container.
This is why I was asking for cgroup namespaces...
> Also read:
>
> http://www.freedesktop.org/wiki/Software/systemd/writing-vm-managers/
>
> We have documented this all so nicely, I can only recommend to
> actually take the time to read this. Thanks!
Thanks a lot!
//richard
More information about the systemd-devel
mailing list