Hi all,
I've been trying to get a deeper understanding of Linux cgroups and their use with containers/systemd over the last few months. I have a few questions, but given the amount of context around the questions I've written up my understanding in a blog post at https://www.lewisgaul.co.uk/blog/coding/2022/05/13/cgroups-intro/ and the questions in another blog post at https://www.lewisgaul.co.uk/blog/coding/rough/2022/05/20/cgroups-questions/.
If anyone has any thoughts/input/answers that would be much appreciated! I'm planning on cross-posting in a few places such as podman/docker/kernel mailing lists/communities, but in particular any input specific to the systemd oriented questions would be great.
To summarize the questions (taken from the second post linked above):
- Do container managers such as Docker and Podman correctly delegate cgroups on hosts running Systemd?
- Why are private cgroups mounted read-only in non-privileged containers?
- Is it sound to override Docker’s mounting of the private container cgroups under v1?
- What are the concerns around the approach of passing '-v /sys/fs/cgroup:/sys/fs/cgroup' in terms of the container’s view of its cgroups?
- Is modifying/replacing the cgroup mounts set up by the container engine a reasonable workaround, or could this be fragile?
- When is it valid to manually manipulate container cgroups?
- Are these container managers happy for the container to take ownership of the container’s cgroup?
- Why are the container’s cgroup limits not set on a parent cgroup under Docker/Podman?
- Why doesn’t Docker use another layer of indirection in the cgroup hierarchy such that the limit is applied in the parent cgroup to the container?
- What happens if you have two of the same cgroup mount?
- Are there any gotchas/concerns around manipulating cgroups via multiple mount points?
- What’s the correct way to check which controllers are enabled?
- What is it that determines which controllers are enabled? Is it kernel configuration applied at boot?
- Is it possible to have some controllers enabled for v1 at the same time as others are enabled for v2?
Thanks in advance,
Lewis
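An added example, not part of Lewis's post, touching the last three questions (how to check which controllers are enabled, what determines it, and whether v1 and v2 can coexist): a small POSIX shell script that reads the two files the kernel exposes for this, /proc/cgroups (one row per compiled-in controller; hierarchy id 0 means the controller is not bound to any v1 hierarchy, enabled 0 means it was switched off at boot with cgroup_disable=) and the root cgroup.controllers of the v2 mount (the controllers the unified tree can delegate). The sample file contents below are constructed to look like a hybrid host; on a live system you would point the same functions at /proc/cgroups and /sys/fs/cgroup/cgroup.controllers.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the kernel's cgroup
# controller state files using constructed sample content so it runs offline.

SAMPLE_DIR=$(mktemp -d)

# Constructed /proc/cgroups for a hybrid host. The real file is tab separated;
# awk's default field splitting handles tabs and spaces alike.
cat > "$SAMPLE_DIR/cgroups" <<'EOF'
#subsys_name hierarchy num_cgroups enabled
cpuset 0 1 1
cpu 0 1 1
memory 2 57 1
devices 3 12 1
hugetlb 0 1 0
EOF

# Constructed root cgroup.controllers from the v2 (unified) mount of that host.
cat > "$SAMPLE_DIR/cgroup.controllers" <<'EOF'
cpuset cpu io pids
EOF

# Controllers bound to a v1 hierarchy: hierarchy id != 0 and enabled == 1.
v1_controllers() {
    awk '!/^#/ && $2 != 0 && $4 == 1 { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Controllers the v2 root can delegate to children (already one line).
v2_controllers() {
    tr -s ' \n' ' ' < "$1" | sed 's/ $//'
}

# Controllers compiled in but disabled at boot (cgroup_disable= on the cmdline).
disabled_controllers() {
    awk '!/^#/ && $4 == 0 { print $1 }' "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Classify the host layout: legacy (v1 only), unified (v2 only), or hybrid
# (some controllers on v1 hierarchies while others are offered by the v2 root).
cgroup_mode() {
    v1=$(v1_controllers "$1")
    v2=$(v2_controllers "$2")
    if [ -n "$v1" ] && [ -n "$v2" ]; then
        echo hybrid
    elif [ -n "$v2" ]; then
        echo unified
    elif [ -n "$v1" ]; then
        echo legacy
    else
        echo none
    fi
}

# Report on the constructed sample; swap in the real paths to inspect a host.
printf 'v1 controllers:      %s\n' "$(v1_controllers "$SAMPLE_DIR/cgroups")"
printf 'v2 controllers:      %s\n' "$(v2_controllers "$SAMPLE_DIR/cgroup.controllers")"
printf 'disabled at boot:    %s\n' "$(disabled_controllers "$SAMPLE_DIR/cgroups")"
printf 'layout:              %s\n' "$(cgroup_mode "$SAMPLE_DIR/cgroups" "$SAMPLE_DIR/cgroup.controllers")"
```

The split the script makes is the one that matters when debugging delegation: a controller with a non-zero hierarchy id in /proc/cgroups is owned by a v1 mount and will never appear in the v2 root's cgroup.controllers, so a host can indeed run some controllers under v1 and the rest under v2 at the same time (the "hybrid" result), and a controller marked enabled 0 is absent from both regardless of how the filesystems are mounted.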