Post by Fajar A. Nugraha
g) and h) read files from /proc, not cgroup. You need lxcfs. You already have that on ubuntu though.
Post by kemi
/proc/cpuinfo also matches the expected result.
However, it seems that sysfs in the container still shares with the host /sys file system.
Post by Fajar A. Nugraha
Correct. See https://linuxcontainers.org/lxcfs/introduction/
Post by kemi
OK, then I have a question on scalability and security issues on running
Background: Our customers hope to run hundreds or even thousands of containers in their production environment.
a) Security issue.
If a malicious program in a container changes a sensitive file in /sys, e.g. reduces the CPU frequency, does it really work? Does it affect other running containers?
Why don't you try it and see :)
Even a privileged container should get something like this:
# echo 1000000 > /sys/devices/system/cpu/cpufreq/policy1/scaling_min_freq
-su: /sys/devices/system/cpu/cpufreq/policy1/scaling_min_freq: Read-only
There were some known security issues with /sys in the past (not cpufreq though), but even back then it should be a non-issue for the default lxd containers, which are unprivileged.
Post by kemi
b) Scalability issue.
E.g. during launching an Ubuntu OS (not kernel) or Android OS in a container, it usually uses udev/ueventd to manage their devices. This device manager daemon will read or write the uevent file in /sys; the kernel then broadcasts a uevent to all the listeners (udev daemons) via netlink. If there are already hundreds of containers in the system, all of the udev daemons need to deal with it, which would lead to a long boot latency, which we have observed in docker.
LXD containers don't use udev.
Post by kemi
Any way to fix that?
Try it, and if you find anything wrong, ask.
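A check for the /sys point discussed above, added here as an example and not code from the thread or from LXD/lxcfs: it parses /proc/self/mountinfo (or a file given as argument; the sample lines below are constructed) and reports every sysfs mount together with whether its per-mount options include ro. It assumes a sysfs mount without ro should be flagged as writable, even though in an unprivileged container the kernel may still refuse writes to root-owned sysfs files.

```shell
#!/bin/sh
# Added example, not from the thread: list the sysfs mounts seen by this process
# and whether each is mounted read-only, by parsing /proc/self/mountinfo (proc(5)):
#   id parent maj:min root mount_point mount_opts [optional...] - fstype source super_opts

# Print "<mount_point> <ro|rw>" for every sysfs mount in the given mountinfo
# file (default: /proc/self/mountinfo).
sysfs_mounts() {
    awk '{
        fstype = ""
        # the filesystem type is the field right after the "-" separator
        for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i + 1); break }
        if (fstype != "sysfs") next
        # field 6 holds the per-mount options; "ro" anywhere in it means read-only
        n = split($6, opts, ",")
        state = "rw"
        for (j = 1; j <= n; j++) if (opts[j] == "ro") state = "ro"
        print $5, state
    }' "${1:-/proc/self/mountinfo}"
}

# Succeed (exit 0) only if no sysfs mount is writable.
sysfs_is_readonly() {
    ! sysfs_mounts "$1" | grep -q ' rw$'
}

# Constructed sample mountinfo: a read-only /sys plus a hypothetical writable
# sysfs mount at /mnt/hostsys; the proc, devtmpfs and tmpfs lines are noise.
sample_mountinfo() {
    cat <<'EOF'
22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw
23 28 0:22 / /sys ro,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
24 28 0:5 / /dev rw,nosuid,relatime - devtmpfs udev rw,size=8192k,mode=755
25 23 0:23 / /sys/fs/cgroup rw,nosuid,nodev,noexec - tmpfs tmpfs ro,mode=755
26 28 0:22 / /mnt/hostsys rw,relatime - sysfs sysfs rw
EOF
}

# Demo on the constructed sample; inside a real container run
#   sysfs_is_readonly /proc/self/mountinfo && echo "sysfs read-only"
tmp=$(mktemp)
sample_mountinfo > "$tmp"
sysfs_mounts "$tmp"            # prints "/sys ro" and "/mnt/hostsys rw"
if sysfs_is_readonly "$tmp"; then echo "no writable sysfs"; else echo "WRITABLE sysfs found"; fi
rm -f "$tmp"
```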