Hi all, I've been trying to get a deeper understanding of Linux cgroups and their use with containers/systemd over the last few months. I have a few questions, but given the amount of context around the questions I've written up my understanding in a blog post at https://www.lewisgaul.co.uk/blog/coding/2022/05/13/cgroups-intro/ and the questions in another blog post at https://www.lewisgaul.co.uk/blog/coding/rough/2022/05/20/cgroups-questions/.
If anyone has any thoughts/input/answers that would be much appreciated! I'm planning on cross-posting in a few places such as podman/docker/kernel mailing lists/communities, but in particular any input specific to the systemd oriented questions would be great.

To summarize the questions (taken from the second post linked above):

- Why are private cgroups mounted read-only in non-privileged containers?
- Is it sound to override Docker's mounting of the private container cgroups under v1?
- What are the concerns around the approach of passing '-v /sys/fs/cgroup:/sys/fs/cgroup' in terms of the container's view of its cgroups?
- Is modifying/replacing the cgroup mounts set up by the container engine a reasonable workaround, or could this be fragile?
- When is it valid to manually manipulate container cgroups?
- Do container managers such as Docker and Podman correctly delegate cgroups on hosts running Systemd?
- Are these container managers happy for the container to take ownership of the container's cgroup?
- Why are the container's cgroup limits not set on a parent cgroup under Docker/Podman?
- Why doesn't Docker use another layer of indirection in the cgroup hierarchy such that the limit is applied in the parent cgroup to the container?
- What happens if you have two of the same cgroup mount?
- Are there any gotchas/concerns around manipulating cgroups via multiple mount points?
- What's the correct way to check which controllers are enabled?
- What is it that determines which controllers are enabled? Is it kernel configuration applied at boot?
- Is it possible to have some controllers enabled for v1 at the same time as others are enabled for v2?

Thanks in advance,
Lewis
