On 16 Jan 2016, 9:51 PM, Cyrill Gorcunov <gorcu...@virtuozzo.com> wrote:
>
> On Sat, Jan 16, 2016 at 09:32:39PM +0100, Stanislav Kinsburskiy wrote:
> > Hi,
> >
> > What is the reason behind this proposal?
>
> 1) Fix the restore problem introduced with your commit

Could you elaborate a bit on the problem?

> 2) Performance or uncontrollable mount of cgroups from
> inside of container is _really_ a huge problem affecting
> the node. Until there is a strong reason to allow mounting
> we should disable it.
>

It sounds like forbidding of cgroups is a way to protect against "cgroups bomb". Is it?

> > The only thing you mentioned and which is not fixed is performance issues.
> > If so, then it's not a sufficient reason from my POV, because we are
> > losing generic functionality.
> > I suspect that there are programs which use cgroups for their internal
> > needs.
> > What will we do with them, if cgroup mounts are forbidden?
>
> I don't know ones which require own mounting. iirc docker was able to
> work if cgroups mounting is disabled and all cgroups are already
> preconfigured (but this should be double checked). Note that we're
> talking about _mounting_, because you still can create new cgroups
> nested.

Yeah, probably not so many programs do so. But forbidding such functionality in a container looks very aggressive to me.