> The ns cgroup is really only good for preventing root in a container
> from escaping its cgroup-imposed limits. The same can be done today
> using smack or selinux, and eventually will be possible using user
> namespaces. Would anyone object to removing ns_cgroup?
>

I vote for removing it. :)

> It won't just remove kernel/ns_cgroup.c, but some subtle code in
> fork.c, nsproxy.c, and of course cgroup.c as well.
>

Yeah, regarding cgroup, cgroup_clone() and cgroup_is_descendant()
can be removed. cgroup_clone() is somewhat ugly I think.

> There admittedly is minute convenience gain in not having to
> manually create a new cgroup and attach a cloned child to it, but
> that wasn't the intent of the cgroup.
>

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers