[libvirt] [RFC] [PATCH v3 2/6] add fuse support for libvirt lxc

Gao feng gaofeng at cn.fujitsu.com
Thu Oct 18 05:25:30 UTC 2012


On 2012-10-16 20:23, Daniel P. Berrange wrote:
> On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
>> On 2012-09-26 02:37, Daniel P. Berrange wrote:
>>> On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
>>>> This patch adds FUSE support for libvirt LXC.
>>>> We can use a FUSE filesystem to generate sysinfo dynamically,
>>>> so we can isolate /proc/meminfo, cpuinfo and so on through the
>>>> FUSE filesystem.
>>>>
>>>> We mount a FUSE filesystem for every container. The mount name
>>>> is Lxc-containename-fuse, and the mount point is
>>>> localstatedir/run/libvirt/lxc/containername.
>>>>
>>>> Signed-off-by: Gao feng <gaofeng at cn.fujitsu.com>
>>>
>>>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
>>>> index e5aea11..c5f4951 100644
>>>> --- a/src/lxc/lxc_controller.c
>>>> +++ b/src/lxc/lxc_controller.c
>>>> @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[])
>>>>          }
>>>>      }
>>>>  
>>>> +    rc = virThreadCreate(&thread, true, lxcRegisterFuse,
>>>> +                         (void *)ctrl->def);
>>>> +    if (rc < 0) {
>>>> +        virReportSystemError(-rc, "%s",
>>>> +                             _("Create Fuse filesystem failed"));
>>>> +        goto cleanup;
>>>> +    }
>>>> +
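Review bot: `virReportSystemError(-rc, ...)` treats the return value of virThreadCreate as a negative errno, but if virThreadCreate follows libvirt's usual convention of returning -1 with errno set, the code reported here is always 1 (EPERM) and the real pthread_create error is lost; pass `errno` instead of `-rc`. The thread is also created joinable (second argument `true`) yet nothing in this hunk joins it, so the handle is leaked unless a later virThreadJoin exists. And, as this thread points out, at this spot in main() the controller still shares the host mount namespace, so the mount created by lxcRegisterFuse becomes visible in the host's /proc/mounts; the thread start belongs after the unshare() call.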
>>>
>>> This is the wrong place to start FUSE. At this point the LXC
>>> controller is still sharing its mount namespace with the host
>>> OS. This causes the FUSE mount for each container to become
>>> visible in the host, which is not what we want.
>> Sorry for the delay.
>>
>> I think it's correct, because the host can see the container's meminfo
>> through cgroup too. Now the container's cgroup can be seen and
>> modified in the container too; I don't know why this is necessary.
> 
> The key point is that if you do 'cat /proc/mounts' with your
> current patch, you see all the LXC container FUSE mounts. These
> mounts should *not* be visible on the host. Only the libvirt_lxc
> process and the container itself should see the mounts. This is
> why you must not start FUSE until after the unshare() call in
> libvirt_lxc. This also ensures that the FUSE mount is automatically
> destroyed when libvirt_lxc dies, without you needing to unregister
> or unmount it.
> 

If we start FUSE after the unshare() call in libvirt_lxc, the FUSE will
work in the container's environment, and the cgroup is set in the host.
Can we get the host's information in the container? I think this is incorrect.

I regard the FUSE as a service on the host; it provides the host's cgroup info
for the container.

Am I wrong?

Thanks
Gao

>>
>>>
>>> We must only start FUSE after we have done the unshare()
>>> call while setting up /dev/pts.
> 
> Daniel
> 
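The check Daniel describes above (look at /proc/mounts on the host and see whether per-container FUSE mounts show up there) written out as an added example; this is not code from the libvirt project or from either poster. It parses lines in /proc/mounts format, decodes the octal escapes that format uses for spaces in paths, and reports FUSE mounts whose mount point sits under the libvirt LXC run directory. The run directory /var/run/libvirt/lxc is an assumption built from localstatedir=/var, the Lxc-<name>-fuse mount names follow the commit message, and the sample mount table is constructed.

```python
"""Find container FUSE mounts that leaked into the host mount namespace.

Added example, not libvirt code. Reads /proc/mounts (or text in the same
format) and lists FUSE mounts under the libvirt LXC run directory, which,
per the thread above, should never be visible on the host.
"""
import sys
from typing import List, NamedTuple

# Assumed location: localstatedir/run/libvirt/lxc with localstatedir=/var.
LXC_RUN_DIR = "/var/run/libvirt/lxc"


class Mount(NamedTuple):
    source: str    # filesystem name, e.g. "Lxc-web1-fuse"
    target: str    # mount point
    fstype: str    # e.g. "fuse", "fuse.gvfsd-fuse", "proc", "ext4"
    options: str   # comma-separated mount options


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    out = []
    i = 0
    while i < len(field):
        if (field[i] == "\\" and i + 3 < len(field)
                and all(c in "01234567" for c in field[i + 1:i + 4])):
            out.append(chr(int(field[i + 1:i + 4], 8)))
            i += 4
        else:
            out.append(field[i])
            i += 1
    return "".join(out)


def parse_mounts(text: str) -> List[Mount]:
    """Parse /proc/mounts text: 'source target fstype options freq passno'."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        src, tgt, fstype, opts = (_unescape(p) for p in parts[:4])
        mounts.append(Mount(src, tgt, fstype, opts))
    return mounts


def leaked_fuse_mounts(text: str, run_dir: str = LXC_RUN_DIR) -> List[Mount]:
    """FUSE mounts (fstype 'fuse' or 'fuse.*') located under run_dir."""
    prefix = run_dir.rstrip("/") + "/"
    return [m for m in parse_mounts(text)
            if m.fstype.startswith("fuse") and m.target.startswith(prefix)]


# Constructed sample of a host /proc/mounts; the "db 1" container shows the
# \040 escaping of a space in a mount source and target.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
Lxc-web1-fuse /var/run/libvirt/lxc/web1 fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
Lxc-db\\0401-fuse /var/run/libvirt/lxc/db\\0401 fuse rw,nosuid,nodev,relatime 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw,nosuid,nodev,relatime 0 0
"""


def report(text: str, run_dir: str = LXC_RUN_DIR) -> int:
    """Print each leaked mount and return how many were found."""
    leaks = leaked_fuse_mounts(text, run_dir)
    for m in leaks:
        print(f"leaked FUSE mount on host: {m.source} at {m.target} ({m.fstype})")
    return len(leaks)


def main(argv: List[str]) -> int:
    # With no argument, use the constructed sample; otherwise read the given
    # file, e.g. /proc/mounts on a host running libvirt_lxc.
    text = SAMPLE_MOUNTS if len(argv) < 2 else open(argv[1]).read()
    return 1 if report(text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with `/proc/mounts` as the argument on the host: any line printed is a container FUSE mount that escaped into the host namespace, which is exactly the symptom of starting FUSE before unshare().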
