Support cgroup namespaces for cgroup v1 #349
Conversation
Codecov Report
@@ Coverage Diff @@
## main #349 +/- ##
==========================================
- Coverage 70.45% 69.07% -1.39%
==========================================
Files 46 47 +1
Lines 6844 7029 +185
==========================================
+ Hits 4822 4855 +33
- Misses 2022 2174 +152 |
|
Perhaps this is a good feature. Can I ask you to open the issue about this and describe more details? |
|
#332 is the feature 😉 . In order to support cgroup mounts we can use cgroup namespaces . Once a cgroup namespace is entered, the cgroup the process is currently in will become the root of the subsystem hierarchy in the namespace. This means that the container is not able to see the parent cgroups. That is what the cgroup mount is about, an own view of the cgroup hierarchy for the container. To make this more descriptive, without a cgroup mount the container will see: With cgroup mount |
|
@Furisto Thanks! That's a great description. I understand. |
| @@ -37,6 +37,25 @@ impl Display for ControllerType { | |||
| } | |||
| } | |||
|
|
|||
| impl AsRef<str> for ControllerType { | |||
| @@ -187,11 +187,11 @@ pub fn container_init( | |||
| && ns_type != CloneFlags::CLONE_NEWPID | |||
| && ns_type != CloneFlags::CLONE_NEWNS | |||
| }) | |||
| .with_context(|| "Failed to apply namespaces")?; | |||
| .with_context(|| "failed to apply namespaces")?; | |||
| // this needs to be done before we create the init process, so that the init | ||
| // process will already be captured by the cgroup | ||
| if args.rootless.is_none() { | ||
| apply_cgroups( |
There was a problem hiding this comment.
Can I ask you to update docs/.drawio.svg using vscode-drawing.
|
@utam0k Done |
This adds support for namespacing v1 control cgroups.
Tasks still open
I will add this in another PR.