Hi all,

After a private discussion with Serge E. Hallyn, and inspired by Matto Fransen's posting in the thread "read only rootfs", I was able to realize an entry from my wish list, which may be useful for others, too:
To have (read-only) access limited to "its" branch of the cgroupfs inside a container. This might be useful for writing a tool to be run inside a container in a "canonical way", i.e. with a fixed path (regardless of the mount point prefix, which may be taken from /proc/mounts) and without knowing the name of the container it is currently running in. You may compare it to the mechanism of user beancounters in openVZ at /proc/user_beancounters. One could e.g. write something like a replacement for 'free' which uses the values from the /cgroup/memory.* entries to show the "right" values, because at the moment the "normal" syscall used by free and others yields the "wrong" values from the host.

At the moment, one also can't mount any subtree of the cgroupfs. But I found that this can be "emulated" by use of a bind mount, and it can be made read-only with the same instrument, too. From that, it turns out that the feature in discussion can already be set up without adding new features to lxc.

Using lxc-0.7.4.1, I just had to add a "dynamic" config option (lxc-start -s ...) to my lxc maintenance master script, in particular

  -s lxc.mount.entry="/cgroup/$CONTAINER cgroup none ro,bind 0 0"

where $CONTAINER is the shell variable holding the name of the container to start. In my case, the host is using a single cgroupfs holding all subsystems at /cgroup. Notice that with 0.7.4.1 the destination mount point (it will also be /cgroup with respect to the container's rootfs) has to be relative. After booting the container, you'll find its cgroup subtree mounted read-only at /cgroup.

With greetings,
Guido
_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
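As an added example that is not part of Guido's post or of lxc itself, the following POSIX shell script sketches the 'free' replacement the post suggests: it locates the cgroup mount point from a /proc/mounts-style file (so the prefix is not hard-coded), verifies that the mount really carries the "ro" option, and derives total/used/free from memory.limit_in_bytes and memory.usage_in_bytes. It assumes cgroup v1 memory-controller files in the bind-mounted subtree; the sample values, file names and paths below are constructed for the demonstration and are not captured from a real container.

```shell
#!/bin/sh
# Added example, not from the original post or from lxc: a 'free'-style summary
# that reads the container's memory cgroup files (visible at the read-only bind
# mount described in the post) instead of the host-wide values free(1) gets
# from sysinfo(). Assumed: cgroup v1 memory controller files
# memory.limit_in_bytes and memory.usage_in_bytes in the mounted subtree.
# All paths below are hypothetical.

# cgroup v1 reports "no limit" as 2^63-1, page-rounded on newer kernels, so any
# limit at or above this value is treated as "unlimited".
CG_UNLIMITED=9223372036854771712

# cg_mount_point MOUNTS: print the mount point of the first cgroup filesystem
# listed in a /proc/mounts-style file; prints nothing if no cgroupfs is mounted.
cg_mount_point() {
    awk '$3 == "cgroup" { print $2; exit }' "$1"
}

# cg_mount_is_ro MOUNTS MNT: succeed only if the cgroup mount at MNT carries
# the "ro" option, i.e. the bind mount really is read-only.
cg_mount_is_ro() {
    awk -v mnt="$2" '
        $3 == "cgroup" && $2 == mnt {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "ro") found = 1
        }
        END { exit !found }' "$1"
}

# cg_mem_summary CGDIR [MEMINFO]: print "total used free" in kB for the memory
# cgroup at CGDIR. An unlimited cgroup says nothing about the container's size,
# so in that case total falls back to MemTotal from a /proc/meminfo-style file
# (which, inside a container, is the host figure the post warns about).
cg_mem_summary() {
    dir=$1
    meminfo=${2:-/proc/meminfo}
    limit=$(cat "$dir/memory.limit_in_bytes") || return 1
    usage=$(cat "$dir/memory.usage_in_bytes") || return 1
    if [ "$limit" -ge "$CG_UNLIMITED" ]; then
        total_kb=$(awk '/^MemTotal:/ { print $2; exit }' "$meminfo")
    else
        total_kb=$((limit / 1024))
    fi
    used_kb=$((usage / 1024))
    echo "$total_kb $used_kb $((total_kb - used_kb))"
}

# Constructed sample data standing in for a real container: a 256 MiB limit
# with 100 MiB in use, and a /proc/mounts line for the read-only bind mount.
SAMPLE=$(mktemp -d)
printf '268435456\n' > "$SAMPLE/memory.limit_in_bytes"
printf '104857600\n' > "$SAMPLE/memory.usage_in_bytes"
printf 'MemTotal:        8192000 kB\nMemFree:         4096000 kB\n' > "$SAMPLE/meminfo"
printf 'cgroup /cgroup cgroup ro,relatime,cpuset,memory 0 0\n' > "$SAMPLE/mounts"

MNT=$(cg_mount_point "$SAMPLE/mounts")
if cg_mount_is_ro "$SAMPLE/mounts" "$MNT"; then
    echo "cgroup subtree mounted read-only at $MNT"
else
    echo "warning: cgroup mount at $MNT is writable" >&2
fi
echo "total used free (kB): $(cg_mem_summary "$SAMPLE" "$SAMPLE/meminfo")"
rm -r "$SAMPLE"
```

Inside a real container the script would be pointed at the mount point returned by cg_mount_point (e.g. /cgroup) and at the real /proc/meminfo. The read-only check matters because a writable cgroupfs would let a process inside the container raise its own limits; the fallback for an unlimited cgroup is deliberate, since the sentinel value would otherwise be reported as a multi-exabyte "total".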