On 06/21/2018 05:20 PM, Peter Zijlstra wrote:
> On Thu, Jun 21, 2018 at 03:58:06PM +0800, Waiman Long wrote:
>
>> As for the inconsistency between the real root and the container root,
>> this is true for almost all the controllers. So it is a generic problem.
>> One possible solution is to create a kind of pseudo root cgroup for the
>> container that looks and feels like a real root. But is there really a
>> need to do that?
>
> I don't really know. I thought the idea was to make containers
> indistinguishable from a real system. Now I know we're really rather far
> away from that in reality, and I really have no clue how important all
> that is.

That will certainly be the ideal.

> It all depends on how exactly this works; is it like I assumed, that
> this file is owned by the parent instead of the current directory? And
> that if you namespace this, you have an effective read-only file?

Yes, that is right.

> Then fixing the inconsistency is trivial; simply provide a read-only
> file for the actual root cgroup too.
>
> And if the solution is trivial, I don't see a good reason not to do it.

Do you mean providing a flag like READONLY_AT_ROOT so that it will be
read-only at the real root? That is a cgroup architectural decision that
needs input from Tejun. Anyway, this issue is not specific to this patchset
and I would like to break it out as a separate discussion independent of
this patchset.

Cheers,
Longman