[libvirt] This patch mounts /run and /var/run before running a sandbox container

Mon Jun 25 09:48:06 UTC 2012

On Fri, Jun 22, 2012 at 09:56:39AM -0400, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> We do not want to share /run between containers and the host.  This patch
> mounts a tmpfs on /run and then bind mounts /run on /var/run.
> 
> Reason this is pach 0003 is that this is a part of a previous patch set that
> was never applied.
> 
> Sorry to those who are receiving this patch for the second time, as I sent it
> first to the wrong list.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk/keZcACgkQrlYvE4MpobNnagCgyHc9igEYxPT/Bblf1XVPkwMX
> EM0Anj9xzzf9k88He1gkoXKBEAija52U
> =4Uny
> -----END PGP SIGNATURE-----

> >From c04fc4f506644d6621654f16198f5cefaa3ef7a1 Mon Sep 17 00:00:00 2001
> From: Dan Walsh <dwalsh at redhat.com>
> Date: Tue, 12 Jun 2012 12:08:16 -0400
> Subject: [PATCH 03/10] Must mount /run before the lxc container starts
> 
> ---
>  configure.ac                    |    2 +-
>  src/lxc/lxc_container.c         |   17 +++++++++++++++++
>  src/security/security_selinux.c |    1 +
>  3 files changed, 19 insertions(+), 1 deletion(-)
> 
> diff --git a/src/lxc/lxc_container.c b/src/lxc/lxc_container.c
> index a1714c0..7a598e2 100644
> --- a/src/lxc/lxc_container.c
> +++ b/src/lxc/lxc_container.c
> @@ -508,6 +508,23 @@ static int lxcContainerMountBasicFS(virDomainDefPtr def,
>                                   "devfs", "/dev", "tmpfs");
>              goto cleanup;
>          }
> +
> +        VIR_DEBUG("Mount tmpfs on /run type=tmpfs flags=%x, opts=%s",
> +                  MS_NOSUID, opts);
> +        if (mount("tmpfs", "/run", "tmpfs", MS_NOSUID | MS_NODEV , opts) < 0) {
> +            virReportSystemError(errno,
> +                                 _("Failed to mount %s on %s type %s"),
> +                                 "tmpfs", "/run", "tmpfs");
> +            goto cleanup;
> +        }
> +
> +        VIR_DEBUG("Mount /run on /var/run type=bind");
> +        if (mount("/run", "/var/run", "run", MS_BIND , NULL) < 0) {
> +            virReportSystemError(errno,
> +                                 _("Failed to mount %s on %s"),
> +                                 "/run", "/var/run");
> +            goto cleanup;
> +        }

Unfortunately, I realized now that we can't include such a patch. While
we clearly need a custom /run if we're to invoke systemd inside the
container, this is not the only use case for LXC. For other use cases,
it will be desirable to have the host's /run still visible.

I have pushed two paches to add support in libvirt XML for tmpfs and
bind mounts, and have code to replicate this behaviour using the
virt-sandbox-service code instead.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|