b441dfa729
We make a tmpfs on /sys/fs/cgroups, and here we mount read-only versions of all the host cgroups. Additionally we make symlinks for all merged subsystems. For any "named" cgroup, such as "name=systemd", we also mount the subset of the cgroup where the container lives as read-write. This means that the container can create sub-cgroups inside the container and move tasks into those, but it can never escape from its current position in the cgroup hierarchy. In particular, this allows systemd to mostly work in a non-privileged container. The only problem currently is that PrivateTmp=true fails because systemd is not allowed to mount a new /tmp.

Docker-DCO-1.1-Signed-off-by: Alexander Larsson <alexl@redhat.com> (github: alexlarsson)
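The mount layout described in the commit message, as an added example that is not the commit's own code: it computes the sequence of mounts and symlinks (rather than performing them) for a constructed set of host cgroup v1 hierarchies, and the names `MountStep`, `CgroupMount` and `PlanCgroupMounts` are hypothetical. The container's cgroup path is rooted and cleaned before use, so a path containing ".." still resolves to a location below the hierarchy root.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// MountStep is one step in building a container's /sys/fs/cgroup tree;
// Op is "tmpfs", "bind-ro", "bind-rw" or "symlink".
type MountStep struct{ Op, Source, Target string }

// CgroupMount is a host cgroup v1 hierarchy: its mountpoint and the
// subsystem list from its mount options, e.g. "cpu,cpuacct" or "name=systemd".
type CgroupMount struct{ Mountpoint, Subsystems string }

// PlanCgroupMounts applies the policy from the commit message: a tmpfs at
// root, every host hierarchy bind-mounted read-only, one symlink per
// subsystem of a merged hierarchy, and for "name=" hierarchies only the
// container's own cgroup (containerCgroup, e.g. "/lxc/abc") bind-mounted
// read-write, so the container can add sub-cgroups but not move upward.
func PlanCgroupMounts(root, containerCgroup string, mounts []CgroupMount) ([]MountStep, error) {
	// Rooting and cleaning the path means ".." components cannot climb above a hierarchy.
	cg := filepath.Clean("/" + containerCgroup)
	if cg == "/" {
		return nil, fmt.Errorf("container cgroup %q resolves to the hierarchy root", containerCgroup)
	}
	plan := []MountStep{{"tmpfs", "tmpfs", root}}
	for _, m := range mounts {
		dest := filepath.Join(root, filepath.Base(m.Mountpoint))
		plan = append(plan, MountStep{"bind-ro", m.Mountpoint, dest})
		if parts := strings.Split(m.Subsystems, ","); len(parts) > 1 {
			for _, p := range parts { // e.g. cpu -> cpu,cpuacct and cpuacct -> cpu,cpuacct
				plan = append(plan, MountStep{"symlink", filepath.Base(m.Mountpoint), filepath.Join(root, p)})
			}
		}
		if strings.HasPrefix(m.Subsystems, "name=") {
			// Only the container's own subtree of a named hierarchy is writable.
			plan = append(plan, MountStep{"bind-rw", filepath.Join(m.Mountpoint, cg), filepath.Join(dest, cg)})
		}
	}
	return plan, nil
}
```

Executing the plan needs CAP_SYS_ADMIN in the container's mount namespace; the read-only binds come first so the read-write bind of the container's own cgroup sits on top of them.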