On Mon, Dec 23, 2019 at 07:15:03AM +0100, Christian Brauner <christian.brauner@ubuntu.com> wrote:
> This adds support for creating a process in a different cgroup than its
> parent.
Binding fork and migration together looks useful.

> --- a/kernel/cgroup/cgroup.c
> +++ b/kernel/cgroup/cgroup.c
> @@ -5882,21 +5882,176 @@ void cgroup_fork(struct task_struct *child)
>  	INIT_LIST_HEAD(&child->cg_list);
Just a nitpick, I noticed the comment for cgroup_fork should be updated
too (generic migration happens in cgroup_post_fork).

> --- a/kernel/fork.c
> +++ b/kernel/fork.c
> [...]
> @@ -2279,8 +2278,7 @@ static __latent_entropy struct task_struct *copy_process(
>  	write_unlock_irq(&tasklist_lock);
>  
>  	proc_fork_connector(p);
> -	cgroup_post_fork(p);
> -	cgroup_threadgroup_change_end(current);
> +	cgroup_post_fork(current, p, args);
I can see that when CLONE_INTO_CGROUP | CLONE_NEWCGROUP is passed, then
the child's cgroup NS will be rooted at parent's css set
(copy_namespaces precedes cgroup_post_fork).

Wouldn't it make better sense if this flags combination resulted in
child's NS rooted in its css set?

Michal