On 10/07/2013 09:04 PM, Daniel P. Berrange wrote: > On Mon, Oct 07, 2013 at 12:52:30PM +0300, Bogdan Purcareata wrote: >> Securityfs kernel support may not be available on all platforms >> running libvirt containers. Since securityfs receives special >> handling in the context of user namespaces, make an additional >> check to see if it is supported, by inspecting /proc/filesystems. >> >> Making this check for all lxcBasicMounts is a bit tedious, since >> the /proc filesystem is first unmounted from host, so the >> /proc/filesystems list should be saved before unmounting, to be >> available at all times. However, checks for the support for /proc >> or /sys are superfluous. > > I actually don't think it is correct to base it on /proc/filesystems. > > The intent of this code is that the container setup match the host > OS setup for these "special" filesystems. So the container should > have it mounted, if and only if, the host has it mounted. > > We had attempted todo this by using access(/the/path), but this is > flawed because a) we were looking at the wrong path (the container > path, not the host path) and b) the directory can exist even if the > FS isn't mounted. We already mount sysfs to /sys before we mount securityfs in container, so the path /sys/kernel/securityfs is right, the securityfs directory is created when we mount sysfs. I read the codes of systemd, systemd doesn't mount securityfs in container environment, so I don't know what's problem commit 6807238d87fd93dee30038bea1e8582a5f0a9fe7 trying to resolve. > > What we should have done here is to check whether the path in > question is a mount point on the host. This should automatically > do the right thing if the kernel does not have the filesystem > in question compiled, as well as if it isn't mounted in the > host. I'll copy you on a patch which tries todo that, so can you > test it with your kenrels. > >> >> In the long run, to support the addition of new filesystems in >> lxcBasicMounts, an additional "optional" flag should be introduced, >> to mark that for a specific filesystem, the code should first check >> for support in the kernel, before mounting it. For mandatory >> filesystems, if mounting them fails, creating the container fails. >> >> Right now, check for support only for securityfs, since right now >> it is the only special case. > > I'm including flags in the mount table so we can avoid this > special casing as you suggest. > > Daniel > -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list