[systemd-devel] [Q] About supporting nested systemd daemon
Cyrill Gorcunov
gorcunov at gmail.com
Tue Feb 24 13:05:15 PST 2015
Hi all! I would really appreciate it if someone could enlighten me as to whether there is some simple
solution for the problem we met in OpenVZ: modern containers are mostly systemd
based, so that once it is started up the systemd daemon mounts its own instance of
the systemd cgroup (if it has not previously been pre-mounted by the container startup
tools or whatever). To make a strict isolation of the nested systemd cgroup (by
"nested" I mean the systemd cgroup instance mounted inside the container) we've patched
the kernel so that the container's systemd obtains its own instance of the cgroup, not intersecting
in any way with the one present on the host system.
And we would really love to get rid of this kind of kernel hack but still be able
to isolate the nested systemd with its own cgroup instance using solely userspace
tools. Is there some way to achieve this?
If I understand correctly, we can provide a separate slice to the container's
systemd, leaving the rest of the host cgroup in ro mode, right? If so, maybe
there is a way to hide the host cgroup completely from the container so it would see
only its own cgroup in sysfs?
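The following is an added example, not part of the original post or of OpenVZ or systemd: a small audit of the "separate slice, rest read-only" setup the question describes. It scans /proc/self/mountinfo-style lines and reports any cgroup hierarchy that is mounted writable with its root at "/" (i.e. the whole host hierarchy exposed rw inside the container), as opposed to a writable bind mount whose root is the delegated subtree. The mountinfo lines, the slice name machine.slice/machine-ct1.scope and the mount points are all constructed for the example.

```shell
# audit_cgroup_mounts: read mountinfo lines on stdin, print one line per
# cgroup mount, and return 1 if any cgroup hierarchy is writable at root "/".
# mountinfo fields: id parent major:minor root mountpoint options [optional...] - fstype source superopts
audit_cgroup_mounts() {
  awk '
    {
      fstype = ""
      for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
      if (fstype != "cgroup" && fstype != "cgroup2") next   # only cgroup mounts
      root = $4; mnt = $5; opts = $6                         # per-mount (bind) options
      split(opts, o, ",")
      rw = 0
      for (k in o) if (o[k] == "rw") rw = 1
      if (rw && root == "/") {
        print "WRITABLE FULL HIERARCHY: " mnt               # host hierarchy exposed rw
        bad = 1
      } else if (rw) {
        print "writable delegated subtree: " mnt " (root " root ")"
      } else {
        print "read-only: " mnt
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample: systemd hierarchy ro, only the container slice bind-mounted rw.
GOOD_SAMPLE='60 59 0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
61 60 0:31 / /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
62 61 0:31 /machine.slice/machine-ct1.scope /sys/fs/cgroup/systemd/machine.slice/machine-ct1.scope rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
63 60 0:32 / /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct'

# Constructed sample: same layout, but the whole systemd hierarchy is rw at "/".
BAD_SAMPLE='60 59 0:30 / /sys/fs/cgroup ro,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
61 60 0:31 / /sys/fs/cgroup/systemd rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
63 60 0:32 / /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct'

# Helpers returning the audit status for each constructed sample.
check_good() { printf '%s\n' "$GOOD_SAMPLE" | audit_cgroup_mounts; }
check_bad()  { printf '%s\n' "$BAD_SAMPLE"  | audit_cgroup_mounts; }

# On a real container you would run: audit_cgroup_mounts < /proc/self/mountinfo
```

The check only inspects per-mount options, so it confirms that the host hierarchy is not writable from inside the container; it says nothing about whether the host's cgroup paths are hidden from the container, which is the second part of the question.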