[libvirt] LXC: making the private root filesystem more secure

Balbir Singh balbir at linux.vnet.ibm.com
Wed Sep 10 22:10:53 UTC 2008

Daniel Veillard wrote:
> On Thu, Sep 04, 2008 at 12:50:35PM -0700, Dan Smith wrote:
>> DV> I just checked the libcgroup heaer file available under Fedora 9
>> DV> and I'm a bit afraid of the dependancy. They expose a lot of
>> DV> structure, some clearly incomplete, which means liking to it in its
>> DV> current state may turn into a problematic dependency.

Could you please elaborate on the structure exposed. We are more then willing to
fix any incomplete information you are concerned about

>> I've become increasingly concerned about the likelihood of converging on
>> something stable that will work for libvirt in this area.  I hate to
>> ignore an abstraction layer that may help reduce the amount of knowledge
>> of cgroups that has to be present in libvirt.  However, I'm not sure
>> that libcgroup is really going to provide such a layer, and thus would
>> (as you put it) become nothing but a problematic dependency.
>> Perhaps it makes the most sense to implement a bit of cgroup support
>> directly into libvirt to satisfy our current needs while we wait to see
>> if libcgroup matures?
>   Yes I don't want to presume the ability of the libcgroup to become
> cleaner and more stable, we can probably go with a small internal API
> and when/if things become nicer, then reuse libcgroup,

I am afraid that would be duplication of efforts and the small internal API will
need a lot of work. We already deal with having things like multiple mount
points and controllers mounted at several places and the associated complexity.
We are willing to fix problems you see, please do complain at libcg-devel.


More information about the libvir-list mailing list