Hello, On Mon, Jan 14, 2019 at 10:14:32AM +0100, Ondrej Mosnacek wrote: > I'm not sure what are the exact needs of the container people, but > IIUC the goal is to make it possible to have a subtree labeled with a > specific label (that gets inherited by newly created cgroups in that > subtree by default) so that container processes do not need to be > given permissions for the whole cgroupfs tree. > > I'm cc'ing Dan Walsh, who should be able to explain the use cases in > more details. Dan, this is related to the cgroupfs labeling problem > ([1] and [2]). See [3] for the root of this discussion. Let's wait for Dan to respond but I'm pretty skeptical that this is a good direction. Thanks. -- tejun
