On 2012-10-23 23:37, Daniel P. Berrange wrote:
> On Thu, Oct 18, 2012 at 01:25:30PM +0800, Gao feng wrote:
>> On 2012-10-16 20:23, Daniel P. Berrange wrote:
>>> On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
>>>> On 2012-09-26 02:37, Daniel P. Berrange wrote:
>>>>> On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
>>>>>> this patch adds fuse support for libvirt lxc.
>>>>>> we can use fuse filesystem to generate sysinfo dynamically,
>>>>>> so we can isolate /proc/meminfo, cpuinfo and so on through
>>>>>> fuse filesystem.
>>>>>>
>>>>>> we mount fuse filesystem for every container. The mount name
>>>>>> is Lxc-containername-fuse, mount point is
>>>>>> localstatedir/run/libvirt/lxc/containername.
>>>>>>
>>>>>> Signed-off-by: Gao feng <gaofeng@xxxxxxxxxxxxxx>
>>>>>
>>>>>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
>>>>>> index e5aea11..c5f4951 100644
>>>>>> --- a/src/lxc/lxc_controller.c
>>>>>> +++ b/src/lxc/lxc_controller.c
>>>>>> @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[])
>>>>>>          }
>>>>>>      }
>>>>>>
>>>>>> +    rc = virThreadCreate(&thread, true, lxcRegisterFuse,
>>>>>> +                         (void *)ctrl->def);
>>>>>> +    if (rc < 0) {
>>>>>> +        virReportSystemError(-rc, "%s",
>>>>>> +                             _("Create Fuse filesystem failed"));
>>>>>> +        goto cleanup;
>>>>>> +    }
>>>>>> +
>>>>>
>>>>> This is the wrong place to start FUSE. At this point the LXC
>>>>> controller is still sharing its mount namespace with the host
>>>>> OS. This causes the FUSE mount for each container to become
>>>>> visible in the host, which is not what we want.
>>>> sorry for the delay.
>>>>
>>>> I think it's correct, because host can see container's meminfo
>>>> through cgroup too. Now the container's cgroup can be seen and
>>>> modified in container too, I don't know why this is necessary?
>>>
>>> The key point is that if you do 'cat /proc/mounts' with your
>>> current patch, you see all the LXC container FUSE mounts. These
>>> mounts should *not* be visible on the host. Only the libvirt_lxc
>>> process and the container itself should see the mounts. This is
>>> why you must not start FUSE until after the unshare() call in
>>> libvirt_lxc. This also ensures that the FUSE mount is automatically
>>> destroyed when libvirt_lxc dies, without you needing to unregister
>>> or unmount it.
>>>
>>
>> If we start FUSE after the unshare() call in libvirt_lxc, the fuse will
>> work in container's environment, and the cgroup is set in the host.
>> Can we get host's information in container? I think this is incorrect.
>
> The 'libvirt_lxc' process is not actually running inside the container.
> It is running in the host context, but with a slightly customized
> filesystem mount namespace, so that it can view /dev from both the
> host and container at once.

Yes, you are right, I will change this patchset.
There are some strange errors when I start FUSE after unshare(),
so I need some time to resolve these things.
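Review bot: the error path in the added block passes `-rc` to virReportSystemError as the errno value, but the guard `if (rc < 0)` only establishes that virThreadCreate failed, not that its return value encodes an errno; if the function reports failure as a plain -1 this always logs errno 1 whatever the real cause, so either pass `errno` or state in a comment that the return is a negative errno. The thread is also created joinable (second argument `true`) and nothing in the hunk joins it, and, as the discussion above points out, the call sits before the controller unshares its mount namespace, so each container's FUSE mount lands in the host mount table.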
>
>> I regard the FUSE as a service on host, it provides host's cgroup info
>> for the container.
>
> Yes it is a host service, but that is exactly what libvirt_lxc is. All I
> am saying is that we must not pollute the host OS' mount table - keep the
> mounts hidden in the libvirt_lxc process & container processes only.
>

Got it, thanks for teaching me this. :)

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
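The host-side check Daniel describes above (`cat /proc/mounts` on the host must not list the per-container FUSE mounts), as an added example that is not part of the patch or of libvirt: it scans a mount-table buffer for the `Lxc-<name>-fuse` mounts the patch description names. It assumes the mount name appears as the source field of the mount entry, that localstatedir is `/var`, and uses a constructed sample; the function names are mine.

```c
#include <stdio.h>
#include <string.h>

#define LXC_MOUNT_DIR "/var/run/libvirt/lxc/"

/* Constructed sample (not real output) of what the host's /proc/mounts
 * shows when FUSE is started before unshare(): two container mounts leak. */
const char *SAMPLE_HOST_MOUNTS =
    "proc /proc proc rw,nosuid,nodev 0 0\n"
    "Lxc-web1-fuse /var/run/libvirt/lxc/web1 fuse.Lxc-web1-fuse rw,nosuid 0 0\n"
    "Lxc-db1-fuse /var/run/libvirt/lxc/db1 fuse rw,nosuid 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev 0 0\n";

/* One /proc/mounts line is "source mountpoint fstype options dump pass".
 * Return 1 if it is an "Lxc-<name>-fuse" FUSE mount under LXC_MOUNT_DIR. */
int is_lxc_fuse_mount(const char *line)
{
    char src[256], mnt[256], fstype[64];
    size_t n;

    if (sscanf(line, "%255s %255s %63s", src, mnt, fstype) != 3)
        return 0;
    n = strlen(src);                       /* "Lxc-" + name + "-fuse" */
    if (n < 10 || strncmp(src, "Lxc-", 4) != 0 ||
        strcmp(src + n - 5, "-fuse") != 0)
        return 0;
    if (strncmp(fstype, "fuse", 4) != 0)   /* "fuse" or "fuse.<subtype>" */
        return 0;
    return strncmp(mnt, LXC_MOUNT_DIR, strlen(LXC_MOUNT_DIR)) == 0;
}

/* Count container FUSE mounts visible in a whole mount-table buffer;
 * a non-zero result on the host means the mount namespace leaked. */
int count_lxc_fuse_mounts(const char *mounts)
{
    int found = 0;
    while (*mounts) {
        const char *nl = strchr(mounts, '\n');
        size_t len = nl ? (size_t)(nl - mounts) : strlen(mounts);
        char line[512];
        if (len < sizeof(line)) {
            memcpy(line, mounts, len);
            line[len] = '\0';
            found += is_lxc_fuse_mount(line);
        }
        mounts += nl ? len + 1 : len;
    }
    return found;
}
```

On a real host, read `/proc/mounts` into a buffer and pass it to `count_lxc_fuse_mounts`; after the fix (FUSE started after `unshare()`) it should return 0 on the host while the same check inside the libvirt_lxc process still finds the container's mount.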