
Serge Hallyn: Nested lxc


One of the core features of cgmanager is to easily, safely, and transparently support the cgroup requirements of container nesting. Processes can administer cgroups exactly the same way whether inside a container or not. This also makes nested lxc very easy.

To create a container in which you can use cgroups, first create a container as usual (do this on an Ubuntu 14.04 system, unless you have enabled all the pieces you need yourself, which I am not covering here):

sudo lxc-create -t download -n t1 -- -d ubuntu -r trusty -a amd64

Now, to have the cgmanager socket bind-mounted inside the container, add to its config:

echo "lxc.mount.auto = cgroup" | sudo tee -a /var/lib/lxc/t1/config

If you also want to be able to start nested containers from inside t1, you need an apparmor profile which allows lxc to perform the mounts that container startup requires:

echo "lxc.aa_profile = lxc-container-default-with-nesting" | \
	sudo tee -a /var/lib/lxc/t1/config

Now simply start the container:

sudo lxc-start -n t1
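The three steps above (create, append the two config keys, start), gathered into one script as an added example that is not part of the original post. The helper functions lxc_set_config, lxc_get_config, setup_nested_container and check_nested_config are my own, not lxc commands: they rewrite an existing key instead of appending a second copy (running the "tee -a" lines twice leaves duplicate lxc.aa_profile entries in the config), and they verify the values before lxc-start runs. The container name t1 and the config path /var/lib/lxc/t1/config are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the original post: set the container config keys
# idempotently, verify them, then start the container. The helper names
# below are assumptions of this example, not lxc or cgmanager commands.

# lxc_set_config FILE KEY VALUE
# Rewrite an existing "KEY = ..." line in place, or append one if absent,
# so repeated runs never leave duplicate keys (unlike "tee -a").
lxc_set_config() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file" 2>/dev/null; then
        tmp=$(mktemp) || return 1
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp" &&
            cat "$tmp" > "$file"     # overwrite in place to keep owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# lxc_get_config FILE KEY
# Print the value of the last "KEY = ..." line in FILE (empty if absent).
lxc_get_config() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# setup_nested_container FILE [yes|no]
# Bind the cgmanager socket into the container; with "yes", also switch to
# the apparmor profile that permits nesting (less safe for privileged containers).
setup_nested_container() {
    lxc_set_config "$1" lxc.mount.auto cgroup || return 1
    if [ "${2:-no}" = yes ]; then
        lxc_set_config "$1" lxc.aa_profile lxc-container-default-with-nesting
    fi
}

# check_nested_config FILE [yes|no]
# Return 0 when FILE holds the expected values for the requested mode, 1 otherwise.
check_nested_config() {
    [ "$(lxc_get_config "$1" lxc.mount.auto)" = cgroup ] || return 1
    if [ "${2:-no}" = yes ]; then
        [ "$(lxc_get_config "$1" lxc.aa_profile)" = lxc-container-default-with-nesting ] || return 1
    fi
    return 0
}

# Stand-alone use, as root on an Ubuntu 14.04 host:  sh nested-lxc.sh t1 yes
if [ $# -ge 1 ]; then
    name=$1; nesting=${2:-no}
    cfg=/var/lib/lxc/$name/config
    [ -f "$cfg" ] || lxc-create -t download -n "$name" -- -d ubuntu -r trusty -a amd64
    setup_nested_container "$cfg" "$nesting"
    check_nested_config "$cfg" "$nesting" || { echo "config check failed for $cfg" >&2; exit 1; }
    lxc-start -n "$name"
fi
```

Run it with no arguments and it only defines the functions, which makes it easy to source from another script; with a container name (and "yes" for nesting) it performs the same three steps as the commands above, skipping lxc-create when the container already exists.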

Inside the container you can now run the cgmanager testsuite,

sudo apt-get -y install cgmanager-tests
cd /usr/share/cgmanager/tests
sudo ./runtests.sh

and use the cgm program to interact with cgmanager (creating the cgroup and chowning it to uid 1000 need root, after which the unprivileged user can move its own shell into it):

cgm ping
sudo cgm create all compile
sudo cgm chown all compile 1000 1000
cgm movepid all compile $$

If you changed the aa_profile to permit nesting, you can then create and use containers inside t1 in exactly the same way as on the host.

What I showed here uses privileged (root-owned) containers. In that case the lxc-container-default-with-nesting profile is far less safe than the default profile, since it lets the container perform the mounts that starting a nested container requires. However, if at least the first layer is an unprivileged container (https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/), nesting works exactly the same way, and the difference in profile safety becomes moot.


