Re: [PATCH 0/5] RFC: CGroup Namespaces

(off-list ancestor, not in this archive)
[PATCH 0/5] RFC: CGroup Namespaces · Aditya Kali <hidden> · 2014-07-17
[PATCH 2/5] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 2/5] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace · Serge Hallyn <hidden> · 2014-07-24
Re: [PATCH 2/5] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace · Aditya Kali <hidden> · 2014-07-31
Re: [PATCH 2/5] sched: new clone flag CLONE_NEWCGROUP for cgroup namespace · Serge Hallyn <hidden> · 2014-08-04
[PATCH 1/5] kernfs: Add API to get generate relative kernfs path · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 1/5] kernfs: Add API to get generate relative kernfs path · Serge Hallyn <hidden> · 2014-07-24
[PATCH 3/5] cgroup: add function to get task's cgroup on default hierarchy · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 3/5] cgroup: add function to get task's cgroup on default hierarchy · Serge Hallyn <hidden> · 2014-07-24
[PATCH 4/5] cgroup: export cgroup_get() and cgroup_put() · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 4/5] cgroup: export cgroup_get() and cgroup_put() · Serge Hallyn <hidden> · 2014-07-24
[PATCH 5/5] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-17
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-07-17
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-18
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-07-18
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-18
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-07-21
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-21
Re: [PATCH 5/5] cgroup: introduce cgroup namespaces · Aditya Kali <hidden> · 2014-07-23
Re: [PATCH 0/5] RFC: CGroup Namespaces · Serge Hallyn <hidden> · 2014-07-18
Re: [PATCH 0/5] RFC: CGroup Namespaces · Serge Hallyn <hidden> · 2014-07-24
Re: [PATCH 0/5] RFC: CGroup Namespaces · Serge Hallyn <hidden> · 2014-07-24
Re: [PATCH 0/5] RFC: CGroup Namespaces · Aditya Kali <hidden> · 2014-07-25
Re: [PATCH 0/5] RFC: CGroup Namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-25
Re: [PATCH 0/5] RFC: CGroup Namespaces · "Serge E. Hallyn" <serge@hallyn.com> · 2014-07-29
Re: [PATCH 0/5] RFC: CGroup Namespaces · Andy Lutomirski <luto@amacapital.net> · 2014-07-29
Re: [PATCH 0/5] RFC: CGroup Namespaces · "Serge E. Hallyn" <serge@hallyn.com> · 2014-07-29

From: Serge Hallyn <hidden>
Date: 2014-07-18 16:00:27
Also in: cgroups, lkml

Quoting Aditya Kali (adityakali-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org):

Background
  Cgroups and Namespaces are used together to create “virtual”
  containers that isolates the host environment from the processes
  running in container. But since cgroups themselves are not
  “virtualized”, the task is always able to see global cgroups view
  through cgroupfs mount and via /proc/self/cgroup file.

  $ cat /proc/self/cgroup 
  0:cpuset,cpu,cpuacct,memory,devices,freezer,hugetlb:/batchjobs/c_job_id1

  This exposure of cgroup names to the processes running inside a
  container results in some problems:
  (1) The container names are typically host-container-management-agent
      (systemd, docker/libcontainer, etc.) data and leaking its name (or
      leaking the hierarchy) reveals too much information about the host
      system.
  (2) It makes the container migration across machines (CRIU) more
      difficult as the container names need to be unique across the
      machines in the migration domain.
  (3) It makes it difficult to run container management tools (like
      docker/libcontainer, lmctfy, etc.) within virtual containers
      without adding dependency on some state/agent present outside the
      container.

  Note that the feature proposed here is completely different than the
  “ns cgroup” feature which existed in the linux kernel until recently.
  The ns cgroup also attempted to connect cgroups and namespaces by
  creating a new cgroup every time a new namespace was created. It did
  not solve any of the above mentioned problems and was later dropped
  from the kernel.

Introducing CGroup Namespaces
  With unified cgroup hierarchy
  (Documentation/cgroups/unified-hierarchy.txt), the containers can now
  have a much more coherent cgroup view and its easy to associate a
  container with a single cgroup. This also allows us to virtualize the
  cgroup view for tasks inside the container.

Hi,

So right now we basically do this in userspace using cgmanager.  Each
container/chroot/whatever that has a cgproxy is 'locked' under that
proxy's cgroup.  So if root in a container asks the cgproxy for the
cgroup of pid 2000, and cgproxy is in /lxc/u1 while pid 2000 in the
container is in /lxc/u1/service1, then the response will be '/service1'.
Same happens with creating cgroups, moving pids into cgroups, etc.

(Hoping to take a close look at this set early next week)

-serge

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help