On 2012-10-16 20:23, Daniel P. Berrange wrote:
> On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
>> On 2012-09-26 02:37, Daniel P. Berrange wrote:
>>> On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
>>>> this patch adds fuse support for libvirt lxc.
>>>> we can use fuse filesystem to generate sysinfo dynamically,
>>>> So we can isolate /proc/meminfo, cpuinfo and so on through
>>>> fuse filesystem.
>>>>
>>>> we mount fuse filesystem for every container. The mount name
>>>> is Lxc-containername-fuse, mount point is
>>>> localstatedir/run/libvirt/lxc/containername.
>>>>
>>>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>>>
>>>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
>>>> index e5aea11..c5f4951 100644
>>>> --- a/src/lxc/lxc_controller.c
>>>> +++ b/src/lxc/lxc_controller.c
>>>> @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[])
>>>> }
>>>> }
>>>>
>>>> + rc = virThreadCreate(&thread, true, lxcRegisterFuse,
>>>> + (void *)ctrl->def);
>>>> + if (rc < 0) {
>>>> + virReportSystemError(-rc, "%s",
>>>> + _("Create Fuse filesystem failed"));
>>>> + goto cleanup;
>>>> + }
>>>> +
>>>
>>> This is the wrong place to start FUSE. At this point the LXC
>>> controller is still sharing its mount namespace with the host
>>> OS. This causes the FUSE mount for each container to become
>>> visible in the host, which is not what we want.
>> sorry for the delay.
>>
>> I think it's correct, because the host can see the container's meminfo
>> through cgroup too. NOW the container's cgroup can be seen and
>> modified in the container too, I don't know why this is necessary?
>
> The key point is that if you do 'cat /proc/mounts' with your
> current patch, you see all the LXC container FUSE mounts. These
> mounts should *not* be visible on the host. Only the libvirt_lxc
> process and the container itself should see the mounts. This is
> why you must not start FUSE until after the unshare() call in
> libvirt_lxc. This also ensures that the FUSE mount is automatically
> destroyed when libvirt_lxc dies, without you needing to unregister
> or unmount it.
>

If we start FUSE after the unshare() call in libvirt_lxc, the fuse will
work in the container's environment, and the cgroup is set in the host.
Can we get the host's information in the container? I think this is
incorrect.

I regard the FUSE as a service on the host; it provides the host's cgroup
info for the container. Am I wrong?

Thanks
Gao

>>
>>>
>>> We must only start FUSE after we have done the unshare()
>>> call while setting up /dev/pts.
>
> Daniel
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
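Review bot: the error path in the added block of the lxc_controller.c hunk reports the wrong error code: virThreadCreate() returns -1 on failure and leaves the real cause in errno, so `virReportSystemError(-rc, ...)` always reports error 1 (EPERM) regardless of what actually went wrong; it should read `virReportSystemError(errno, "%s", _("Create Fuse filesystem failed"));`. The thread is also created joinable (second argument `true`) but nothing in the hunk joins it, so either keep the `thread` handle and virThreadJoin() it on the cleanup path, or pass `false` so the FUSE thread runs detached and its resources are released when it exits. The `(void *)` cast on `ctrl->def` is redundant, since the opaque parameter is already `void *`.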