[libvirt] PATCH: Allow LXC to use private /dev/pts instance

Serge E. Hallyn serue at us.ibm.com
Fri Apr 17 14:39:19 UTC 2009


Quoting Daniel P. Berrange (berrange at redhat.com):
> > Calling unshare(CLONE_NEWNS) will not prevent the host OS from
> > seeing the new /dev/pts if / was MS_SHARED.  That isn't taken
> > care of anywhere else for this process's namespace, is it?
> 
> Yeah, so this is the place where I think we must still have a difference
> in our host setups. I'm testing this patch on a Fedora 11 host, and with
> my current code, the new /dev/pts is not visible in the host.

Well, I haven't tested your patch as is; I was just looking at the code.
My pivot_root patch did a remount --make-slave, but I think it is only
for the container itself, whereas your patch here affects the driver
so it hasn't yet hit that remount, right?

> So I can only assume this means my host / is *not* MS_SHARED, while

If on your F11 host you look at

	cat /proc/self/mountinfo

do the top lines show / as being shared?  (Mine does)

> yours is. I'm struggling to find out why this is different because
> I'm testing on a Fedora 11 up2date system.

It's possible this is just something that has been changed since.

> Anyway, would it be sufficient to add in a call
> 
>         if (mount("", "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0) {
>             virReportSystemError(NULL, errno, "%s",
>                                  _("failed to make root private"));
>             goto cleanup;
>         }

Maybe the best thing to do would be:

>         if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
>             virReportSystemError(NULL, errno, "%s",
>                                  _("failed to make root slave"));
>             goto cleanup;
>         }
>         if (mount("", "/", NULL, MS_SHARED|MS_REC, NULL) < 0) {
>             virReportSystemError(NULL, errno, "%s",
>                                  _("failed to make root shared"));
>             goto cleanup;
>         }

So we are making it slave (so it will receive mounts from the host
still), then shared (so the rest of the container will start out
shared).  That, or just turn it SLAVE and leave it like that.

> Just after the 'unshare' call, to make sure our / is private before
> we setup the new /dev/pts
> 
> > I assume the reason you want the new devpts not visible in the
> > host OS is so that it will be auto-umounted when the container is
> > released?
> 
> Yes, that's the primary reason, although I also just don't want anything
> accessing the container's PTYs directly from the host. I wanted them to
> remain a hidden impl detail, used only by the libvirt controller process.
> So it's preferable that this new dev/pts instance is not visible in the
> host (at least not easily).

thanks,
-serge
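Added example (not part of Serge's or Daniel's mail, and not libvirt code): a small C program that performs the /proc/self/mountinfo check Serge asks for above, reporting whether a given mount point is shared, slave, private or unbindable, and whose main() carries out the unshare(CLONE_NEWNS) followed by MS_SLAVE|MS_REC on / that the thread discusses before mounting a devpts. Assumptions: the mountinfo sample text is constructed for the example; the devpts "newinstance" mount option, the program name ./pts-demo and the target path are the example's own choices; the privileged part only runs as root and only when a mount point argument is given.

```c
#define _GNU_SOURCE 1                 /* unshare() and CLONE_NEWNS in glibc headers */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sched.h>
#include <sys/mount.h>
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000        /* Linux's value, in case sched.h hid it */
#endif
extern int unshare(int flags);        /* glibc wrapper for unshare(2) */

/* Propagation of a mount as encoded in mountinfo's optional fields: "shared:N",
 * "master:N" (a slave), "unbindable", or none of them (private). */
enum propagation { PROP_UNKNOWN = -1, PROP_PRIVATE, PROP_SHARED, PROP_SLAVE,
                   PROP_SLAVE_SHARED, PROP_UNBINDABLE };

const char *propagation_name(enum propagation p)
{
    static const char *names[] = { "private", "shared", "slave", "slave+shared", "unbindable" };
    return (p >= PROP_PRIVATE && p <= PROP_UNBINDABLE) ? names[p] : "unknown";
}

/* Parse one line, up to '\n' or the end of the string:
 *   id parent maj:min root mountpoint opts [optional...] - fstype source superopts
 * Returns the propagation if field 5 equals `target`, else PROP_UNKNOWN. Blanks
 * inside paths are escaped as \040 in mountinfo, so splitting on blanks is safe. */
enum propagation mountinfo_line_propagation(const char *line, const char *target)
{
    size_t tlen = strlen(target), n;
    int field = 0, matched = 0, shared = 0, slave = 0, unbindable = 0;
    const char *p;

    for (p = line + strspn(line, " \t"); *p && *p != '\n'; p += n, p += strspn(p, " \t")) {
        n = strcspn(p, " \t\n");
        if (++field == 5) {
            if (n != tlen || memcmp(p, target, n) != 0)
                return PROP_UNKNOWN;                  /* a different mount point */
            matched = 1;
        } else if (field > 6) {
            if (n == 1 && *p == '-')
                break;                                /* optional fields are over */
            shared     |= n > 7  && memcmp(p, "shared:", 7) == 0;
            slave      |= n > 7  && memcmp(p, "master:", 7) == 0;
            unbindable |= n == 10 && memcmp(p, "unbindable", 10) == 0;
        }
    }
    if (!matched)        return PROP_UNKNOWN;
    if (unbindable)      return PROP_UNBINDABLE;
    if (shared && slave) return PROP_SLAVE_SHARED;
    return shared ? PROP_SHARED : slave ? PROP_SLAVE : PROP_PRIVATE;
}

/* Propagation of `target` in a whole mountinfo text. The last matching line wins,
 * since a later mount on the same path shadows an earlier one. */
enum propagation mountinfo_propagation(const char *text, const char *target)
{
    enum propagation r, last = PROP_UNKNOWN;
    for (; *text; text += strcspn(text, "\n"), text += (*text == '\n'))
        if ((r = mountinfo_line_propagation(text, target)) != PROP_UNKNOWN)
            last = r;
    return last;
}

/* Serge's "cat /proc/self/mountinfo" check, run against the live system. */
enum propagation live_propagation(const char *target)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mountinfo", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    return mountinfo_propagation(buf, target);
}

/* Constructed sample, not a real host: / is shared, /home is its slave, and a
 * container devpts at /tmp/ctr/dev/pts carries no propagation flag at all. */
const char SAMPLE_MOUNTINFO[] =
    "1 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 1 0:20 / /dev/pts rw,nosuid,noexec,relatime shared:18 - devpts devpts rw,gid=5,mode=620\n"
    "40 1 0:35 / /tmp/ctr/dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620\n"
    "41 1 8:2 / /home rw,relatime master:1 propagate_from:1 - ext4 /dev/sda2 rw\n";

int main(int argc, char **argv)
{
    printf("sample: / is %s; this host: / is %s\n",
           propagation_name(mountinfo_propagation(SAMPLE_MOUNTINFO, "/")),
           propagation_name(live_propagation("/")));
    /* The sequence from the thread; needs CAP_SYS_ADMIN and a mount point argument
     * (hypothetical invocation: ./pts-demo /tmp/ctr-pts). */
    if (argc < 2 || geteuid() != 0)
        return 0;
    if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); return 1; }
    /* Slave: this namespace still receives the host's mounts, but the devpts
     * mounted below does not propagate back to the host. */
    if (mount("", "/", NULL, MS_SLAVE | MS_REC, NULL) < 0) { perror("make / slave"); return 1; }
    printf("after MS_SLAVE|MS_REC: / is %s\n", propagation_name(live_propagation("/")));
    /* "newinstance" is devpts's option for a separate pty namespace (assumed here). */
    if (mount("devpts", argv[1], "devpts", MS_NOSUID | MS_NOEXEC, "newinstance,ptmxmode=0666") < 0) {
        perror("mount devpts"); return 1;
    }
    printf("private devpts at %s, not visible from the host namespace\n", argv[1]);
    return 0;
}
```

Reading the result: if the line for / in /proc/self/mountinfo carries shared:N, the copy of the tree that unshare(CLONE_NEWNS) creates is a peer of the host's, so a devpts mounted there without first changing propagation shows up on the host as well, which is the difference between the two hosts in the thread. After the MS_SLAVE|MS_REC call the same line reads master:N instead, and mounts made in the container's namespace stay there.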
