> On Nov. 1, 2016, 4:43 a.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp, line 28
> > <https://reviews.apache.org/r/53296/diff/2/?file=1548952#file1548952line28>
> >
> >     Instead of creating a new namespace/cgroup isolator, I would suggest we add the support to cgroups isolator. It looks weird to me to have a namespace/cgroup isolator without using the cgroups isolator.
>
> haosdent huang wrote:
>     I think it is still possible to use the `namespaces/cgroup` isolator without `cgroups` isolation? If the user only wants to isolate the host cgroups environment from the container.
>
> Jie Yu wrote:
>     What's the use case for that? I feel that it will be strange to enable cgroup namespace if containers still share the same cgroup. There will be no isolation if two containers try to manipulate the cgroups. That defeats the purpose of using cgroup namespace.
>
> haosdent huang wrote:
>     For example, we launch docker daemon in the host, which would use `/sys/fs/cgroup/xx/subsystem_name` as the hierarchies.
>     Then we want to hide this in the containers launched by Mesos. In this case, we only need the `namespace/cgroup` isolator without cgroups isolation.
>
> Jie Yu wrote:
>     If you don't enable cgroups isolator, all container's process will be in root cgroup. IIUC, even the new container is put into a new cgroup namespace, it can still see docker's cgroups, no?
>
> haosdent huang wrote:
>     >all container's process will be in root cgroup
>
>     Yes
>
>     >it can still see docker's cgroups, no
>
>     Could not. Refer to https://reviews.apache.org/r/53517/, we could a cgroup in the host namespace, but it is invisible in the containers.

systemd would let the containers use user.slice as the default cgroup root in that case.

- haosdent

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/53296/#review154371
-----------------------------------------------------------

On Nov. 6, 2016, 12:47 p.m., haosdent huang wrote:
>
> (Updated Nov. 6, 2016, 12:47 p.m.)
>
> Review request for mesos, Jie Yu, Qian Zhang, and Jiang Yan Xu.
>
> Bugs: MESOS-5410
>     https://issues.apache.org/jira/browse/MESOS-5410
>
> Repository: mesos
>
> Description
> -------
>
> Added cgroup namespace support for unified container.
>
> Diffs
> -----
>
>   src/CMakeLists.txt aef9ae6d2872dc15725c01ce85b657965485605f
>   src/Makefile.am 5a47c93388234a68c3c486a021ccdbe3213c5bac
>   src/slave/containerizer/mesos/containerizer.cpp 67cc595278f124cdf518d2f4fcfb257439f067e2
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/namespaces/cgroup.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/53296/diff/
>
> Testing
> -------
>
> The test case is on the way.
>
> Thanks,
>
> haosdent huang