[systemd-devel] Questions around cgroups, systemd, containers

Lewis Gaul lewis.gaul at gmail.com
Fri May 20 16:12:05 UTC 2022


Hi all,

I've been trying to get a deeper understanding of Linux cgroups and their
use with containers/systemd over the last few months. I have a few
questions, but given the amount of context around the questions I've
written up my understanding in a blog post at
https://www.lewisgaul.co.uk/blog/coding/2022/05/13/cgroups-intro/ and the
questions in another blog post at
https://www.lewisgaul.co.uk/blog/coding/rough/2022/05/20/cgroups-questions/.

If anyone has any thoughts/input/answers that would be much appreciated!
I'm planning on cross-posting in a few places such as podman/docker/kernel
mailing lists/communities, but in particular any input specific to the
systemd oriented questions would be great.

To summarize the questions (taken from the second post linked above):
- Why are private cgroups mounted read-only in non-privileged containers?
- Is it sound to override Docker’s mounting of the private container cgroups under v1?
  - What are the concerns around the approach of passing '-v /sys/fs/cgroup:/sys/fs/cgroup' in terms of the container’s view of its cgroups?
  - Is modifying/replacing the cgroup mounts set up by the container engine a reasonable workaround, or could this be fragile?
- When is it valid to manually manipulate container cgroups?
  - Do container managers such as Docker and Podman correctly delegate cgroups on hosts running systemd?
  - Are these container managers happy for the container to take ownership of the container’s cgroup?
- Why are the container’s cgroup limits not set on a parent cgroup under Docker/Podman?
  - Why doesn’t Docker use another layer of indirection in the cgroup hierarchy such that the limit is applied in the parent cgroup to the container?
- What happens if you have two of the same cgroup mount?
  - Are there any gotchas/concerns around manipulating cgroups via multiple mount points?
- What’s the correct way to check which controllers are enabled?
  - What is it that determines which controllers are enabled? Is it kernel configuration applied at boot?
  - Is it possible to have some controllers enabled for v1 at the same time as others are enabled for v2?

Thanks in advance,
Lewis
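The script below is an added example, not code from the original post or from systemd, Docker or Podman. It shows one practical way to approach the last group of questions above (which controllers are enabled, on which hierarchy, and whether the host is in legacy, hybrid or unified mode) from the kernel's own bookkeeping rather than from the container engine's view: /proc/cgroups lists every compiled-in controller with the id of the v1 hierarchy it is bound to (0 when unbound, which on a host with a mounted v2 hierarchy means it is available to v2) and an enabled flag (0 after cgroup_disable= on the kernel command line); /proc/self/mountinfo shows where cgroup and cgroup2 filesystems are mounted; and under v2 a cgroup's cgroup.controllers versus cgroup.subtree_control tells which controllers its children may actually use. All sample data in the block is constructed to illustrate a hybrid host where systemd mounts the v2 hierarchy at /sys/fs/cgroup/unified; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post. Classify cgroup controllers and
# detect the cgroup mount mode from /proc/cgroups and /proc/self/mountinfo.
# Samples below are constructed; on a real host pipe the live files in.

# Constructed /proc/cgroups for a hybrid host: cpu and cpuacct bound to v1
# hierarchy 3, cpuset/memory/pids unbound (hierarchy 0, so available to v2),
# hugetlb compiled in but disabled (enabled 0, e.g. cgroup_disable=hugetlb).
SAMPLE_PROC_CGROUPS='#subsys_name	hierarchy	num_cgroups	enabled
cpuset	0	1	1
cpu	3	12	1
cpuacct	3	12	1
memory	0	1	1
pids	0	1	1
hugetlb	0	1	0'

# Constructed /proc/self/mountinfo for the same hybrid host.
SAMPLE_MOUNTINFO_HYBRID='30 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - tmpfs tmpfs ro,mode=755
31 30 0:27 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec shared:10 - cgroup2 cgroup2 rw
32 30 0:28 / /sys/fs/cgroup/cpu,cpuacct rw,nosuid,nodev,noexec shared:11 - cgroup cgroup rw,cpu,cpuacct'

# Constructed mountinfo for a pure unified (v2-only) host.
SAMPLE_MOUNTINFO_UNIFIED='30 24 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec shared:9 - cgroup2 cgroup2 rw,nsdelegate'

# cgroup_mode < mountinfo  ->  legacy | hybrid | unified | none
# mountinfo field 5 is the mount point; the fs type follows the "-" separator.
cgroup_mode() {
    awk '
        { fs = ""; for (i = 7; i <= NF; i++) if ($i == "-") { fs = $(i + 1); break } }
        fs == "cgroup2" && $5 == "/sys/fs/cgroup" { unified = 1 }
        fs == "cgroup2" && $5 != "/sys/fs/cgroup" { v2 = 1 }
        fs == "cgroup" { v1 = 1 }
        END {
            if (unified) print "unified"
            else if (v1 && v2) print "hybrid"
            else if (v1) print "legacy"
            else print "none"
        }'
}

# controllers_where CLASS < /proc/cgroups
#   v1       -> enabled and bound to a v1 hierarchy (hierarchy != 0)
#   v2       -> enabled and unbound (hierarchy == 0): usable by v2 if mounted
#   disabled -> compiled in but disabled (enabled == 0)
controllers_where() {
    awk -v class="$1" '
        /^#/ { next }
        (class == "v1" && $4 == 1 && $2 != 0) ||
        (class == "v2" && $4 == 1 && $2 == 0) ||
        (class == "disabled" && $4 == 0) { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# not_enabled_for_children AVAILABLE ENABLED
# AVAILABLE is a cgroup's cgroup.controllers, ENABLED its cgroup.subtree_control.
# Prints controllers the cgroup has but has not enabled for its children, which
# is the usual reason a child cgroup lacks, say, a memory.max file.
not_enabled_for_children() {
    sep=""
    for c in $1; do
        case " $2 " in
            *" $c "*) ;;
            *) printf '%s%s' "$sep" "$c"; sep=" " ;;
        esac
    done
    echo
}

# Run against the host when its files are readable, else against the samples.
if [ -r /proc/cgroups ] && [ -r /proc/self/mountinfo ]; then
    echo "mode: $(cgroup_mode < /proc/self/mountinfo)"
    echo "v1 controllers: $(controllers_where v1 < /proc/cgroups)"
    echo "v2 controllers: $(controllers_where v2 < /proc/cgroups)"
    echo "disabled: $(controllers_where disabled < /proc/cgroups)"
    if [ -r /sys/fs/cgroup/cgroup.controllers ]; then
        # Inside a container this is the delegated subtree, not the host root.
        echo "not enabled for children: $(not_enabled_for_children \
            "$(cat /sys/fs/cgroup/cgroup.controllers)" \
            "$(cat /sys/fs/cgroup/cgroup.subtree_control)")"
    fi
else
    echo "mode (sample): $(printf '%s\n' "$SAMPLE_MOUNTINFO_HYBRID" | cgroup_mode)"
    echo "v1 controllers (sample): $(printf '%s\n' "$SAMPLE_PROC_CGROUPS" | controllers_where v1)"
fi
```

Two caveats worth keeping in mind when reading the output. A controller can appear in the v2 column of /proc/cgroups without a cgroup2 filesystem being mounted at all, so cgroup_mode is the check that decides whether "unbound" means "available to v2" or merely "unused". And when run inside a container, /sys/fs/cgroup/cgroup.controllers describes the cgroup that was delegated to the container, so a controller missing there may simply not have been enabled in the parent's subtree_control by the container engine or by systemd, which is exactly the delegation question raised above.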