[systemd-devel] Use of namespaced cgroups (aka Docker in systemd-nspawn containers)

Lee Hambley lee.hambley at gmail.com
Mon Jun 27 14:58:02 UTC 2016


Hi List,

My company is currently conducting research into the most viable container
technology that fits our stack (CentOS based) and given our already
widespread reliance on systemd, I have a personal stake in preferring not
to introduce other tooling (LXD, the 2nd place leader) into our stack.

I'd like to know what is required to fulfil our use-case (Docker in
LXD/systemd-nspawn).

Here's what I (think I) know:

   - Docker can't run in systemd-nspawn because cgroup fs is mounted ro,
   and the systemd-nspawn container sees the entire system's cgroupfs (no
   namespacing)
   - cgroups filesystem normally mounted ro in containers, to protect the
   host (or, something related to privileged containers)
      - When mounted rw it can break the host (not the worst problem in the
      world, we're not defending against malice here, but apparently it's
      trivial to brick the host by having systemd fight over ttys, etc.)
      - it might be fair to say that privileged containers
   - namespaced cgroups are relatively new in linux
      - available 4.6 [1]
      - backported to 4.4+ on Ubuntu kernels
   - We think LXD does something around setns() [2] to make sure that the
   container has a correct view of the cgroup "subtree".


I suspect something can be done in .nspawn files to grant certain
privileges to work around issues related to ro/rw cgroups trees, etc., but I
think systemd-nspawn has to know about creating the correct cgroup
hierarchy before passing control to the

Please excuse the "idiot knows what he's talking about" tone, I'm very deep
into this stuff today, and not in a good way.

Thanks sincerely,

---

[1]: https://www.phoronix.com/scan.php?page=news_item&px=CGroup-Namespaces-Linux-4.6
[2]: https://github.com/lxc/lxd/blob/c8a2956fae6d5d2092e17a3229e4640b53c8a854/lxd/nsexec.go#L107-L126

Lee Hambley
http://lee.hambley.name/
+49 (0) 170 298 5667
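The two conditions the post lists, a read-only cgroupfs inside the container and a non-namespaced view of the host's whole cgroup tree, can both be checked from inside the container without any privileges. The following is an added example written for this page, not code from the poster, systemd or LXD. It parses `/proc/self/cgroup` (in a cgroup namespace the process's own cgroup becomes the root of its view, so the path field reads `/` instead of a host path like `/machine.slice/...`) and `/proc/self/mountinfo` (taking the ro/rw flag from the per-mount options, since a bind-mounted cgroupfs is typically ro at the mount level while the superblock stays rw). When run as a program it also attempts `unshare(CLONE_NEWCGROUP)`, which needs CAP_SYS_ADMIN and a 4.6+ kernel and fails cleanly otherwise. The sample lines in the test are constructed; the `/proc` formats assumed are the standard Linux ones.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CLONE_NEWCGROUP exists since Linux 4.6; older libc headers may lack it. */
#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif

/* Return the path field of one /proc/self/cgroup line
 * ("<id>:<controllers>:<path>"), copied into out, or NULL if malformed. */
static const char *cgroup_path_of(const char *line, char *out, size_t outlen)
{
    const char *p = strchr(line, ':');
    if (!p) return NULL;
    p = strchr(p + 1, ':');
    if (!p) return NULL;
    p++;
    size_t n = strcspn(p, "\n");
    if (n >= outlen) n = outlen - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* Inside a cgroup namespace the process's own cgroup is the root of its
 * view, so the path is "/" rather than a host path such as
 * "/machine.slice/machine-foo.scope". */
static int cgroup_view_is_root(const char *line)
{
    char buf[512];
    const char *path = cgroup_path_of(line, buf, sizeof buf);
    return path != NULL && strcmp(path, "/") == 0;
}

/* True if opt appears as a whole comma-separated token in opts. */
static int has_mount_opt(const char *opts, const char *opt)
{
    size_t n = strlen(opt);
    for (const char *p = opts; ; ) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == n && strncmp(p, opt, n) == 0) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Parse one /proc/self/mountinfo line. Returns 1 and sets *readonly if the
 * line describes a cgroup or cgroup2 mount, 0 otherwise. The flag comes from
 * the per-mount options (field 6), not the superblock options after " - ":
 * a container's cgroupfs is usually a bind mount that is ro at the mount
 * level while the host's superblock is still rw. */
static int mountinfo_cgroup_readonly(const char *line, int *readonly)
{
    int id, parent, maj, min;
    char root[256], mnt[256], opts[256], fstype[32];
    if (sscanf(line, "%d %d %d:%d %255s %255s %255s",
               &id, &parent, &maj, &min, root, mnt, opts) != 7)
        return 0;
    const char *sep = strstr(line, " - ");
    if (!sep || sscanf(sep + 3, "%31s", fstype) != 1)
        return 0;
    if (strcmp(fstype, "cgroup") != 0 && strcmp(fstype, "cgroup2") != 0)
        return 0;
    *readonly = has_mount_opt(opts, "ro");
    return 1;
}

/* Report the current cgroup view and the ro/rw state of cgroup mounts. */
static void report(const char *label)
{
    char line[2048];
    int ro;
    FILE *f = fopen("/proc/self/cgroup", "r");
    if (f) {
        while (fgets(line, sizeof line, f))
            printf("%s %s %s", label,
                   cgroup_view_is_root(line) ? "[root view]" : "[host path]", line);
        fclose(f);
    }
    f = fopen("/proc/self/mountinfo", "r");
    if (f) {
        while (fgets(line, sizeof line, f))
            if (mountinfo_cgroup_readonly(line, &ro))
                printf("%s cgroup mount is %s: %s", label, ro ? "ro" : "rw", line);
        fclose(f);
    }
}

int main(void)
{
    report("before:");
    /* Needs CAP_SYS_ADMIN and Linux 4.6+; EPERM/EINVAL are reported, not fatal. */
    if (unshare(CLONE_NEWCGROUP) != 0) {
        fprintf(stderr, "unshare(CLONE_NEWCGROUP): %s\n", strerror(errno));
        return 0;
    }
    report("after:");
    return 0;
}
```

Run it once on the host and once inside the container: a container without a cgroup namespace shows its host path in `[host path]` lines, and a read-only bind mount shows up as `ro` even though the superblock options at the end of the same mountinfo line say `rw`.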