> From: libvir-list-bounces@xxxxxxxxxx [mailto:libvir-list-bounces@xxxxxxxxxx]
> On Behalf Of Daniel P. Berrange
...
> > Could containers make isolation exceptions for
> > - shared storage devices?
> > - shared /var/run/sync_manager/watchdog/ so that the system watchdog
> >   could monitor all sync_manager instances?
>
> Yes, resources (files) from the primary OS can be exposed in the
> container on a case by case basis & potentially be visible inside
> many containers. If we did a full virtual chroot setup, then the
> container would only be able to see designated paths. It is also
> possible to hide the container's chroot hierarchy from the host
> completely. In any case, we can share paths between containers and
> the host as needed.
>
> A process inside the container would not be able to see any processes
> outside the container. Processes outside can, however, see processes
> inside the container, but their view of the PIDs will be different,
> e.g. PID 1 inside the container may be PID 2345 outside.
>
> The point I was trying to make is that if the supervisor process
> wants to connect back to a central lock daemon directly, this might
> run into trouble. If the supervisor process only needs to access
> file resources on disk, it should be fine.

[IH] How would libvirt know to give security context to the leases area of the VM? It would be a different implementation per lock manager (say, I'd like to lock a row in a central remote db for this)?

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
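As an added illustration of the "share paths on a case by case basis" point above (example configuration, not from the thread or the libvirt project), a libvirt LXC domain definition that gives the container its own root filesystem and exposes only the sync_manager watchdog directory from the host; the container name, init path and root directory are assumed values:

```xml
<!-- Added example: an LXC container that sees its own rootfs plus ONE host path.
     /var/lib/lxc/sync_manager/rootfs and the domain name are assumptions. -->
<domain type='lxc'>
  <name>sync_manager_guest</name>
  <memory>65536</memory>
  <os>
    <type>exe</type>
    <init>/sbin/init</init>
  </os>
  <devices>
    <!-- Private root: nothing from the host is visible unless listed below. -->
    <filesystem type='mount'>
      <source dir='/var/lib/lxc/sync_manager/rootfs'/>
      <target dir='/'/>
    </filesystem>
    <!-- The single deliberate isolation exception from the thread: the host's
         watchdog directory, so the system watchdog can monitor instances
         inside the container. The same block can be repeated in other
         container definitions to share it among them. -->
    <filesystem type='mount'>
      <source dir='/var/run/sync_manager/watchdog'/>
      <target dir='/var/run/sync_manager/watchdog'/>
    </filesystem>
    <console type='pty'/>
  </devices>
</domain>
```

Any host directory not listed as a filesystem element stays invisible to the container, which is the property to verify (for example with `virsh -c lxc:/// dumpxml`) after the definition is loaded.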