Hi all,
after having a private discussion with Serge E. Hallyn and then being inspired by
the posting of Matto Fransen on the thread "read only rootfs", I was able to
realize an entry from my wish list, which may be useful for others, too:
to have (read-only) access limited to "its" branch of the cgroupfs
inside a container.
This might be useful for writing some tool to be run inside a container in a
"canonical way", i.e. with a fixed path (regardless of the mount point
prefix, which may be taken from /proc/mounts) and without knowing the name of
the container it is currently running in. You may compare it to the mechanism of user
beancounters in openVZ at /proc/user_beancounters .
One may e.g. write something like a replacement for 'free', which will use the
values from the /cgroup/memory.* entries to show the "right" values, because
at the moment the "normal" syscall used by free and others will yield the
"wrong" values from the host.
Also, at the moment one can't mount any subtrees of the cgroupfs. But I found
that this can be "emulated" by use of a bind-mount, and it can be made read-only
by use of the same instrument, too. From that, it turns out that the feature under
discussion can already be set up without adding new features to lxc.
Using lxc-0.7.4.1, I just had to add a "dynamic" config option (lxc-start -s
...) to my lxc maintenance master script, in particular
-s lxc.mount.entry="/cgroup/$CONTAINER cgroup none ro,bind 0 0"
where $CONTAINER is the shell variable holding the name of the container to
start. In my case, on the host I'm using a single cgroupfs holding all
subsystems at /cgroup. Notice that with 0.7.4.1 the destination mount point --
it will also be /cgroup with respect to the container's rootfs -- has to be
relative.
After booting the container, you'll find its cgroup subtree mounted read-only
at /cgroup.
with greetings
Guido
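The two ideas in the mail above (finding the cgroup mount prefix from /proc/mounts instead of hard-coding it, and reading the container's own memory.* values the way a cgroup-aware 'free' would) as an added POSIX shell example; this is not code from Guido's post or from lxc. It assumes cgroup v1 file names (memory.limit_in_bytes, memory.usage_in_bytes) and a single cgroupfs mount as in the post; the /proc/mounts lines and the memory values are constructed sample data so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original mail: helpers for a tool that runs
# inside a container whose cgroup branch is bind-mounted read-only, plus
# constructed sample data standing in for /proc/mounts and the cgroup files.

# cgroup_mountpoint MOUNTS_FILE
# Print the mount point of the first cgroup filesystem listed in MOUNTS_FILE
# (/proc/mounts format: "src dst fstype opts dump pass"). Returns 1 if none.
cgroup_mountpoint() {
    awk '$3 == "cgroup" { print $2; found = 1; exit } END { exit !found }' "$1"
}

# cgroup_is_readonly MOUNTS_FILE MOUNTPOINT
# Succeed only if the cgroup entry for MOUNTPOINT carries the "ro" option,
# i.e. the bind mount really is read-only as intended.
cgroup_is_readonly() {
    awk -v mp="$2" '
        $2 == mp && $3 == "cgroup" {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
        }
        END { exit !found }' "$1"
}

# lxc_mount_entry CONTAINER HOST_CGROUP_ROOT
# Build the lxc.mount.entry value from the post; the destination "cgroup"
# is relative to the container rootfs, as the post notes for 0.7.4.1.
lxc_mount_entry() {
    printf '%s/%s cgroup none ro,bind 0 0\n' "$2" "$1"
}

# cgroup_free MOUNTPOINT
# Print "total used free" in bytes from the container-local memory.* files,
# rather than the host-wide numbers behind the normal 'free'. Fails (status 1)
# if either file is missing, e.g. when the memory subsystem is not mounted.
cgroup_free() {
    limit=$(cat "$1/memory.limit_in_bytes" 2>/dev/null) || return 1
    usage=$(cat "$1/memory.usage_in_bytes" 2>/dev/null) || return 1
    echo "$limit $usage $((limit - usage))"
}

# --- constructed sample data (stands in for /proc/mounts and /cgroup) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
mkdir -p "$tmp/cgroup"
cat > "$tmp/mounts" <<EOF
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/cgroup/c1 $tmp/cgroup cgroup ro,relatime,memory,cpu 0 0
EOF
echo 536870912 > "$tmp/cgroup/memory.limit_in_bytes"   # 512 MiB limit
echo 134217728 > "$tmp/cgroup/memory.usage_in_bytes"   # 128 MiB in use

# Usage: discover the prefix, check it is read-only, report memory figures.
mp=$(cgroup_mountpoint "$tmp/mounts")
if cgroup_is_readonly "$tmp/mounts" "$mp"; then ro=yes; else ro=no; fi
printf 'cgroup mounted at %s (read-only: %s)\n' "$mp" "$ro"
printf 'lxc-start option: -s lxc.mount.entry="%s"\n' "$(lxc_mount_entry c1 /cgroup)"
printf 'total used free (bytes): %s\n' "$(cgroup_free "$mp")"
```

On a real container the mount point comes from /proc/mounts itself, so the same helpers work whatever prefix the host chose; a missing memory.* file makes cgroup_free fail rather than print host values, which is the check a replacement for 'free' should make before trusting the numbers.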
_______________________________________________
Lxc-users mailing list
https://lists.sourceforge.net/lists/listinfo/lxc-users