Stéphane Graber [2015-01-25 17:15 -0000]:
> How are we supposed to run a systemd container on such a system then?
>
> systemd in a container will need to create sub-entries in the
> name=systemd controller.
Yes, that works fine, as the cgroup *directories* are owned by the
user. I just don't want to make the cgroup.procs and task files owned
by the user, as that would allow the user to modify that "session
root" cgroup and move PIDs between host sessions. What user containers
do in sub-groups of the host's "session-XX.cgroup" is up to them, and
of course the user on the host can meddle with them from the outside.
Stéphane Graber [2015-01-25 17:15 -0000]:
> How are we supposed to run a systemd container on such a system then?
>
> systemd in a container will need to create sub-entries in the
> name=systemd controller.
Yes, that works fine, as the cgroup *directories* are owned by the
user. I just don't want to make the cgroup.procs and task files owned
by the user, as that would allow the user to modify that "session
root" cgroup and move PIDs between host sessions. What user containers
do in sub-groups of the host's "session-XX.cgroup" is up to them, and
of course the user on the host can meddle with them from the outside.