Just one more thing.

On Tue, Nov 06, 2012 at 09:38:23AM -0800, Tejun Heo wrote:
> Hello,
>
> On Tue, Nov 06, 2012 at 11:31:04AM -0600, Serge Hallyn wrote:
> > We can't generally require a capability to move tasks between cgroups,
> > as that will break currently intended uses. I can create two cgroups,
> > chown them to serge, and let serge move between them.
>
> Sure, then just live with the cgroupfs based permission check. What
> next? Should we add CAP_SYS_RESOURCE check to all resource related
> controllers? Moreover, we're headed to unified hierarchy, so in the
> end that means only the user with almost all CAP_* can manipulate
> cgroups at all making the whole thing meaningless.

As for using cgroup as !root user, I would advise not doing that.
Again, we're moving toward a unified cgroup hierarchy. You wouldn't
be creating multiple cgroup hierarchies and assigning different user
accesses to them. Also, I would strongly discourage chowning sub
directories in cgroupfs and letting non-privileged users modify them
directly.

Thanks.

--
tejun