Last updated: 2022-08-18
nested containers (cgmanager)
As of Ubuntu 14.04, LXC uses the cgroup manager (cgmanager) to administer cgroups.
The cgroup manager receives D-Bus requests over the Unix socket /sys/fs/cgroup/cgmanager/sock.
To let containers started inside a container reach that socket, add to the outer container's config:
  lxc.aa_profile = lxc-container-default-with-nesting
  lxc.mount.auto = cgroup
causing the /sys/fs/cgroup/cgmanager directory to be bind-mounted into the container.
The container in turn should start the cgroup management proxy, which relays cgroup requests from processes inside it to the host's cgmanager over that socket.
Note that lxc-container-default-with-nesting permits mounts the default profile forbids (it exists so LXC itself can run inside the container), so apply it only to containers that actually need to nest.
lxc.mount.auto
Specifies which standard kernel file systems should be automatically mounted.
This may dramatically simplify the configuration.
Values
proc:mixed
mount /proc as read-write,
but remount /proc/sys and /proc/sysrq-trigger read-only for security / container isolation purposes.
sys:ro
mount /sys as read-only for security / container isolation purposes.
(sys:mixed is the variant that mounts /sys read-only but leaves /sys/devices/virtual/net writable, so the container can manage its own network devices.)
cgroup:mixed
Mount a tmpfs to /sys/fs/cgroup,
+ create directories for all hierarchies to which the container is added,
+ create subdirectories in those hierarchies with the name of the cgroup,
  and bind-mount the container's own cgroup into that directory.
Result: the container will be able to write to its own cgroup directory,
but not the parents, since they will be remounted read-only.
Example
lxc.mount.auto = sys:ro proc:mixed cgroup:mixed
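As an added example (not from the LXC project or from this page), the following POSIX shell script checks, from inside a container, whether lxc.mount.auto produced the remounts described above for proc:mixed, sys:ro and cgroup:mixed, and whether the /sys/fs/cgroup/cgmanager bind mount from the nesting section is present. It does this by parsing /proc/self/mountinfo. The mountinfo table it checks when run without arguments is constructed for the example; the container cgroup path /lxc/c1 and the memory/devices hierarchy names in it are assumptions, as is the script name in the usage comment.

```shell
#!/bin/sh
# Added example, not LXC project code: verify from inside a container that
# lxc.mount.auto produced the remounts described above (proc:mixed, sys:ro,
# cgroup:mixed) plus the cgmanager bind mount used for nesting, by reading
# /proc/self/mountinfo. Field 5 is the mount point and field 6 the per-mount
# VFS options; a read-only bind remount shows "ro" there even though the
# superblock options after the "-" separator still say "rw".

# mount_flag FILE MOUNTPOINT -> prints ro, rw or absent (last mount at MOUNTPOINT wins)
mount_flag() {
    awk -v mp="$2" '
        $5 == mp {
            n = split($6, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro" || o[i] == "rw") flag = o[i]
        }
        END { print (flag ? flag : "absent") }
    ' "$1"
}

# cgroup_hierarchies FILE -> mount points of cgroup-type filesystems directly under /sys/fs/cgroup.
# The fstype follows the "-" separator, so it is found by scanning rather than by a fixed field
# number (the optional fields before "-" vary per mount). The cgmanager tmpfs is not a cgroup fs
# and is therefore skipped.
cgroup_hierarchies() {
    awk '$5 ~ "^/sys/fs/cgroup/[^/]+$" {
        for (i = 7; i <= NF; i++) if ($i == "-") { if ($(i + 1) == "cgroup") print $5; break }
    }' "$1"
}

# check_auto_mounts FILE CGROUP_PATH -> one line per expectation; status 0 only if all hold.
# CGROUP_PATH is the container's own cgroup as named by the host (assumed /lxc/c1 in the sample).
check_auto_mounts() {
    file=$1 cg=$2 status=0
    specs="/proc=rw /proc/sys=ro /proc/sysrq-trigger=ro /sys=ro /sys/fs/cgroup=rw"
    for hier in $(cgroup_hierarchies "$file"); do
        # cgroup:mixed: hierarchy root read-only, the container's own cgroup writable
        specs="$specs $hier=ro $hier$cg=rw"
    done
    for spec in $specs; do
        mp=${spec%=*} want=${spec#*=}
        got=$(mount_flag "$file" "$mp")
        if [ "$got" = "$want" ]; then
            echo "ok   $mp is $got"
        else
            echo "FAIL $mp is $got, want $want"
            status=1
        fi
    done
    return $status
}

# cgmanager_mounted FILE -> status 0 if the nesting bind mount of /sys/fs/cgroup/cgmanager is present
cgmanager_mounted() {
    [ "$(mount_flag "$1" /sys/fs/cgroup/cgmanager)" != absent ]
}

# Constructed mountinfo (not captured from a real system) for a container started with
# lxc.mount.auto = proc:mixed sys:ro cgroup:mixed and the cgmanager socket directory bind-mounted.
sample_mountinfo() {
    cat <<'EOF'
101 100 0:24 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
102 101 0:24 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
103 101 0:24 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
104 100 0:25 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs rw
105 104 0:26 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs none rw,mode=755
106 105 0:27 / /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
107 106 0:27 /lxc/c1 /sys/fs/cgroup/memory/lxc/c1 rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
108 105 0:28 / /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
109 108 0:28 /lxc/c1 /sys/fs/cgroup/devices/lxc/c1 rw,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
110 105 0:29 /cgmanager /sys/fs/cgroup/cgmanager rw,relatime - tmpfs none rw
EOF
}

# Usage inside a container (script name assumed): sh check-auto-mounts.sh /proc/self/mountinfo /lxc/c1
# With no arguments the constructed sample table is checked instead.
if [ $# -eq 2 ]; then
    check_auto_mounts "$1" "$2"
    cgmanager_mounted "$1" && echo "ok   /sys/fs/cgroup/cgmanager is mounted (nesting enabled)"
else
    tmp=$(mktemp)
    sample_mountinfo > "$tmp"
    check_auto_mounts "$tmp" /lxc/c1
    cgmanager_mounted "$tmp" && echo "ok   /sys/fs/cgroup/cgmanager is mounted (nesting enabled)"
    rm -f "$tmp"
fi
```

The checks follow the cgroup v1 layout this page describes (one mount per hierarchy under /sys/fs/cgroup); on a host running the unified cgroup v2 hierarchy the paths differ and the cgroup:mixed expectations would need adjusting. A "FAIL" for /proc/sys or /sys means processes in the container can reach sysctl or sysfs knobs that proc:mixed and sys:ro are meant to keep read-only, which is the isolation property worth verifying after any change to lxc.mount.auto or the AppArmor profile.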