<div dir="ltr"><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Hi List,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">My company is currently conducting research into the most viable container technology that fits our stack (CentOS based) and given our already widespread reliance on systemd, I have a personal stake in preferring not to introduce other tooling (LXD, the 2nd place leader) into our stack.</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I'd like to know what is required to fulfil our use-case (Docker in LXD/systemd-nspawn)</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Here's what I (think I) know:</div><div class="gmail_default"><ul><li><font face="arial, helvetica, sans-serif">Docker can't run in systemd-nspawn because cgroup fs is mounted ro, and the systemd-nspwan container sees the entire system's cgroupfs (no namespacing)</font></li><li><font face="arial, helvetica, sans-serif">cgroups filesystem normally mounted ro in containers, to protect the host (or, something related to privileged containers)</font></li><ul><li><font face="arial, helvetica, sans-serif">When mounted rw it can break the host (not the worst problem in the world, we're not defending against malice here, but apparently it's trivial to brick the host by having systemd fight over ttys, etc)</font></li><li><font face="arial, helvetica, sans-serif">it might be fair to say that privilidged containers </font></li></ul><li><font face="arial, helvetica, sans-serif">namespaces cgroups are relatively new in linux</font></li><ul><li><font face="arial, helvetica, sans-serif">available 4.6 [1]</font></li><li><font face="arial, helvetica, sans-serif">backported to 4.4+ on Ubuntu kernels</font></li></ul><li><font face="arial, helvetica, sans-serif">We think LXD does something around setns() [2] to make sure that the container has a correct view of the cgroup "subtree".</font></li></ul></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">I suspect something can be done in .nspawn files to grant certain privileges to work around issues related to ro/rw cgroups trees, etc but I think systemd-nspawn has to know about creating the correct cgroup hierarchy before passing control to the </div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Please excuse the "idiot knows what he's talking about tone" I'm very deep into this stuff today, and not in a good way.<br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">Thanks sincerely,</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">---</div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">[1]: <a href="https://www.phoronix.com/scan.php?page=news_item&px=CGroup-Namespaces-Linux-4.6">https://www.phoronix.com/scan.php?page=news_item&px=CGroup-Namespaces-Linux-4.6</a></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif">[2]: <a href="https://github.com/lxc/lxd/blob/c8a2956fae6d5d2092e17a3229e4640b53c8a854/lxd/nsexec.go#L107-L126">https://github.com/lxc/lxd/blob/c8a2956fae6d5d2092e17a3229e4640b53c8a854/lxd/nsexec.go#L107-L126</a></div><div class="gmail_default" style="font-family:arial,helvetica,sans-serif"><br></div><div><div data-smartmail="gmail_signature"><div dir="ltr">Lee Hambley<div><a href="http://lee.hambley.name/" target="_blank">http://lee.hambley.name/</a><br></div><div><a href="tel:%2B49%20%280%29%20170%20298%205667" value="+491702985667" target="_blank">+49 (0) 170 298 5667</a><br></div></div></div></div>
</div>