[libvirt] [PATCH] LXC: Improved check before mounting securityfs

Gao feng gaofeng at cn.fujitsu.com
Tue Oct 8 01:57:43 UTC 2013


On 10/07/2013 09:04 PM, Daniel P. Berrange wrote:
> On Mon, Oct 07, 2013 at 12:52:30PM +0300, Bogdan Purcareata wrote:
>> Securityfs kernel support may not be available on all platforms
>> running libvirt containers. Since securityfs receives special
>> handling in the context of user namespaces, make an additional
>> check to see if it is supported, by inspecting /proc/filesystems.
>>
>> Making this check for all lxcBasicMounts is a bit tedious, since
>> the /proc filesystem is first unmounted from host, so the
>> /proc/filesystems list should be saved before unmounting, to be
>> available at all times. However, checks for the support for /proc
>> or /sys are superfluous.
> 
> I actually don't think it is correct to base it on /proc/filesystems.
> 
> The intent of this code is that the container setup match the host
> OS setup for these "special" filesystems. So the container should
> have it mounted, if and only if, the host has it mounted.
> 
> We had attempted todo this by using access(/the/path), but this is
> flawed because a) we were looking at the wrong path (the container
> path, not the host path) and b) the directory can exist even if the
> FS isn't mounted.

We already mount sysfs to /sys before we mount securityfs in container,
so the path /sys/kernel/securityfs is right, the securityfs directory
is created when we mount sysfs.

I read the codes of systemd, systemd doesn't mount securityfs in container
environment, so I don't know what's problem commit 6807238d87fd93dee30038bea1e8582a5f0a9fe7
trying to resolve.

> 
> What we should have done here is to check whether the path in
> question is a mount point on the host. This should automatically
> do the right thing if the kernel does not have the filesystem
> in question compiled, as well as if it isn't mounted in the
> host. I'll copy you on a patch which tries todo that, so can you
> test it with your kenrels.
> 
>>
>> In the long run, to support the addition of new filesystems in
>> lxcBasicMounts, an additional "optional" flag should be introduced,
>> to mark that for a specific filesystem, the code should first check
>> for support in the kernel, before mounting it. For mandatory
>> filesystems, if mounting them fails, creating the container fails.
>>
>> Right now, check for support only for securityfs, since right now
>> it is the only special case.
> 
> I'm including flags in the mount table so we can avoid this
> special casing as you suggest.
> 
> Daniel
> 




More information about the libvir-list mailing list