[libvirt] [RFC] [PATCH v3 2/6] add fuse support for libvirt lxc

Daniel P. Berrange berrange at redhat.com
Tue Oct 16 12:23:58 UTC 2012


On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
> On 2012-09-26 02:37, Daniel P. Berrange wrote:
> > On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
> >> this patch adds fuse support for libvirt lxc.
> >> we can use a fuse filesystem to generate sysinfo dynamically,
> >> so we can isolate /proc/meminfo, cpuinfo and so on through
> >> the fuse filesystem.
> >>
> >> we mount a fuse filesystem for every container. the mount name
> >> is Lxc-containername-fuse, the mount point is
> >> localstatedir/run/libvirt/lxc/containername.
> >>
> >> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
> > 
> >> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
> >> index e5aea11..c5f4951 100644
> >> --- a/src/lxc/lxc_controller.c
> >> +++ b/src/lxc/lxc_controller.c
> >> @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[])
> >>          }
> >>      }
> >>  
> >> +    rc = virThreadCreate(&thread, true, lxcRegisterFuse,
> >> +                         (void *)ctrl->def);
> >> +    if (rc < 0) {
> >> +        virReportSystemError(-rc, "%s",
> >> +                             _("Create Fuse filesystem failed"));
> >> +        goto cleanup;
> >> +    }
> >> +
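Review bot: this virThreadCreate() call sits in main() of the controller before libvirt_lxc has unshared its mount namespace, so the per-container FUSE mount is created in the host's mount namespace and shows up in the host's /proc/mounts; move the call to after the unshare() performed during /dev/pts setup, which also makes the mount disappear automatically when libvirt_lxc exits, with no explicit unmount or unregister path needed. Separately, in the error path `virReportSystemError(-rc, ...)` only reports the right error if virThreadCreate() returns a negative errno value; if it returns -1 and sets errno, this will always report error 1 (EPERM), so report errno instead. The thread is also created joinable (`true`) but nothing in the hunk joins it.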
> > 
> > This is the wrong place to start FUSE. At this point the LXC
> > controller is still sharing its mount namespace with the host
> > OS. This causes the FUSE mount for each container to become
> > visible in the host, which is not what we want.
> Sorry for the delay.
> 
> I think it's correct, because the host can see the container's meminfo
> through cgroup too. Now the container's cgroup can be seen and
> modified in the container too; I don't know why this is necessary?

The key point is that if you do 'cat /proc/mounts' with your
current patch, you see all the LXC container FUSE mounts. These
mounts should *not* be visible on the host. Only the libvirt_lxc
process and the container itself should see the mounts. This is
why you must not start FUSE until after the unshare() call in
libvirt_lxc. This also ensures that the FUSE mount is automatically
destroyed when libvirt_lxc dies, without you needing to unregister
or unmount it.

> 
> > 
> > We must only start FUSE, after, we have done the unshare()
> > call while setting up /dev/pts.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
