Hi Serge, >> I could get behind the following: >> >> proc - always read-write (no harm AFAICT) >> sys - default: read-only >> sys:rw - read-write >> sys:ro - explicit read-only >> cgroup:ro - completely ro (including paths) >> cgroup:rw - completely rw (including paths) > > That sounds good. > >> cgroup:mixed - paths ro, other rw > > what is 'paths' vs. 'other' here? There's > > /sys/fs/cgroup > > itself, > > /sys/fs/cgroup/$subsys > > then the paths up to the container's own path, and then > there's the stuff under the container's own path. I'm not > clear on which you're calling what.
What I meant is that mixed is the current staging behaviour, i.e. - /sys/fs/cgroup: tmpfs, ro after setup - /sys/fs/cgroup/$subsys/$container_cgroup: bind-mount, rw So that /sys/fs/cgroup is r/o, /sys/fs/cgroup/$subsys is r/o, /sys/fs/cgroup/$subsys/$parent_of_container_cgroup is r/o but /sys/fs/cgroup/$subsys/$container_cgroup is r/w. >> cgroup-full:ro - mount complete tree read-only (not just partial) >> cgroup-full:rw - mount complete tree read-write (not just partial) >> cgroup-full:mixed - mount complete tree read-only but bind-mount >> partial tree read-write >> cgroup-full - defaults to cgroup-full: mixed > > Hm, but you're doing the full tree by default. What is the difference > between this and cgroup:ro? cgroup-full:mixed would be: - /sys/fs/cgroup: tmpfs, ro - /sys/fs/cgroup/$subsys bind-mount, ro - /sys/fs/cgroup/$subsys/$container_cgroup bind-mount, rw That has the advantage that /sys/fs/cgroup/$subsys is actually a cgroup filesystem (even though it's read-only), which may improve compatibility compared to the current behavior, but the disadvantage that the names of all cgroups of the host (including those in other containers) leak into the container (even though the container can't really do anything with them, if it doesn't have mount permissions). cgroup-full:rw would just mount everything into /sys/fs/cgroup as it should be according to the standard and make everything read-write. cgroup-full:ro would do the same as cgroup-full:rw but read-only. It then depends on the policy of the administrator and the compatibility level of software that is to be run in the container what option should be chosen. Would you agree? -- Christian ------------------------------------------------------------------------------ How ServiceNow helps IT people transform IT departments: 1. Consolidate legacy IT systems to a single system of record for IT 2. Standardize and globalize service processes across IT 3. Implement zero-touch automation to replace manual, redundant tasks http://pubads.g.doubleclick.net/gampad/clk?id=51271111&iu=/4140/ostg.clktrk _______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
