On Mon, Jun 10, 2013 at 01:58:29PM +0800, Gao feng wrote: > On 06/10/2013 01:41 PM, pr.G wrote: > > On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote: > >> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: > >>> On 06/09/2013 08:14 PM, pr.G wrote: > >>>> Hello. > >>>> > >>>> Is it possible to start container via libvirt_lxc without mounting /sys > >>>> inside container? > >>>> > >>>> When I start container via lxc-start and do not add mount point to config, > >>>> then /sys inside container is empty. > >>>> > >>>> When I do it via virsh -c lxc:// container.xml, then > >>>> /sys contains sysfs of the host and /sys on host becomes remounting read-only. > >>> > >>> how can it be true? Can you post your /proc/mounts on host and container? > >>> > >>>> > >>>> Am I doing something wrong or is this feature of libvirt_lxc? > >>>> > >>> > >>> Absolutely it's not a feature. > >>> > >>> Thanks! > >>> > > Thanks for the quick reply. > > I was surprised too. I didn't post /proc/mounts to container. > > I mean show the /proc/mounts of container and host > > in container: > cat /proc/mounts > > [root@Donkey /]# cat /proc/mounts > rootfs / rootfs rw 0 0 > devpts /dev/pts devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 > devfs /dev tmpfs rw,nosuid,relatime,size=64k,mode=755 0 0 > /dev/sdb2 / ext4 rw,relatime,data=ordered 0 0 > proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 > proc /proc/sys proc ro,relatime 0 0 > sysfs /sys sysfs ro,relatime 0 0 > libvirt /proc/meminfo fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0 > tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=1000,gid=1000 0 0 > cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0 > cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 > cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 > cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 > cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 > cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 > cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0 > cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0 > devpts /dev/ptmx devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 > in container: root@container:~# cat /proc/mounts rootfs / rootfs rw 0 0 devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666 0 0 /dev/mapper/vg0-var / ext4 rw,seclabel,relatime,user_xattr,barrier=1,data=ordered 0 0 devpts /dev/pts devpts rw,seclabel,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 proc /proc/sys proc ro,relatime 0 0 sysfs /sys sysfs ro,seclabel,relatime 0 0 devfs /dev tmpfs rw,seclabel,nosuid,relatime,size=64k,mode=755 0 0 devpts /dev/ptmx devpts rw,seclabel,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0 tmpfs /run tmpfs rw,rootcontext=system_u:object_r:var_t:s0,seclabel,nosuid,noexec,relatime,size=6609200k,mode=755 0 0 tmpfs /run/lock tmpfs rw,rootcontext=system_u:object_r:var_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=5120k 0 0 tmpfs /run/shm tmpfs rw,rootcontext=system_u:object_r:var_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=32748940k 0 0 > > and in host > [root@Donkey libvirt]# cat /proc/mounts > rootfs / rootfs rw 0 0 > proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 > sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 > devtmpfs /dev devtmpfs rw,nosuid,size=5081344k,nr_inodes=1270336,mode=755 0 0 > securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0 > tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0 > devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 > tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0 > tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0 > cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0 > pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0 > cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 > cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0 > cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 > cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 > cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 > cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0 > cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 > cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0 > cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0 > .... in host root@host:~# cat /proc/mounts rootfs / rootfs rw 0 0 sysfs /sys sysfs rw,seclabel,nosuid,nodev,noexec,relatime 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 udev /dev devtmpfs rw,seclabel,relatime,size=10240k,nr_inodes=8251651,mode=755 0 0 devpts /dev/pts devpts rw,seclabel,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 tmpfs /run tmpfs rw,seclabel,nosuid,noexec,relatime,size=6609200k,mode=755 0 0 /dev/disk/by-uuid/14601dd5-89c4-46c9-aa88-dbfbfb1f092a / ext4 rw,seclabel,noatime,errors=remount-ro,user_xattr,barrier=1,data=ordered 0 0 selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0 tmpfs /run/lock tmpfs rw,rootcontext=system_u:object_r:var_lock_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=5120k 0 0 tmpfs /run/shm tmpfs rw,rootcontext=system_u:object_r:tmpfs_t:s0,seclabel,nosuid,nodev,noexec,relatime,size=13218380k 0 0 ... /dev/mapper/vg0-var /var ext4 rw,seclabel,noatime,user_xattr,barrier=1,data=ordered 0 0 cgroup /sys/fs/cgroup cgroup rw,relatime,perf_event,blkio,net_cls,freezer,devices,memory,cpuacct,cpu,cpuset,clone_children 0 0 rpc_pipefs /var/lib/nfs/rpc_pipefs rpc_pipefs rw,relatime 0 0 > > > > libvirt_lxc did it for me. > > I read http://libvirt.org/drvlxc.html about Filesystem mounts: > > " > > In the absence of any explicit configuration, the container will > > inherit the host OS filesystem mounts. A number of mount points will be > > made read only, or re-mounted with new instances to provide container > > specific data. The following special mounts are setup by libvirt > > > > * /dev a new "tmpfs" pre-populated with authorized device nodes > > * /dev/pts a new private "devpts" instance for console devices > > * /sys the host "sysfs" instance remounted read-only > > * /proc a new instance of the "proc" filesystem > > * /proc/sys the host "/proc/sys" bind-mounted read-only > > * /sys/fs/selinux the host "selinux" instance remounted read-only > > * /sys/fs/cgroup/NNNN the host cgroups controllers bind-mounted to > > * only expose the sub-tree associated with the container > > * /proc/meminfo a FUSE backed file reflecting memory limits of the > > * container > > " > > Can I disable this behavior? > > How do I specify an explicit configuration? > > This can't be disabled and it's no need to disable this. > > > > > my container.xml: (The entire xml file is shown in the my original post) > >> ... > >> <devices> > >> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > >> <filesystem type='mount'> > >> <source dir='/var/lxc/ns1/rootfs'/> > >> <target dir='/'/> > >> </filesystem> > >> ... > >> </device> > >> ... > >> > > Your configuration looks good, In container,the sysfs is mounted as read-only default. > Since we don't want user in container to change some sysfs-configuration of host. My problem was after first start lxc containet by virsh (after reboot host), the host /sys fs becomes ro. After I remount it rw manually and start container again, all OK: /sys in host - rw, in container - ro. Thanks, Gao. This problem was solved for me. > > Thanks > Gao. > >> > >>>> Thanks. > >>>> > >>>> root@host:~# uname -a > >>>> Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux > >>>> > >>>> root@host:~# cat /etc/os-release > >>>> PRETTY_NAME="Debian GNU/Linux 7.0 (wheezy)" > >>>> ... > >>>> > >>>> root@host:~# dpkg -l | grep libvirt > >>>> ii libvirt-bin 0.9.12-11 amd64 programs for the libvirt library > >>>> ii libvirt0 0.9.12-11 amd64 library for interfacing with different virtualization systems > >>>> > >>>> > >>>> container.xml: > >>>> <domain type='lxc'> > >>>> <name>ns1</name> > >>>> <memory>524288</memory> > >>>> <os> > >>>> <type>exe</type> > >>>> <init>/sbin/init</init> > >>>> </os> > >>>> <vcpu>1</vcpu> > >>>> <clock offset='utc'/> > >>>> <on_poweroff>destroy</on_poweroff> > >>>> <on_reboot>restart</on_reboot> > >>>> <on_crash>destroy</on_crash> > >>>> <devices> > >>>> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > >>>> <filesystem type='mount'> > >>>> <source dir='/var/lxc/ns1/rootfs'/> > >>>> <target dir='/'/> > >>>> </filesystem> > >>>> <interface type='bridge'> > >>>> <source bridge='br0'/> > >>>> <mac address='52:54:00:de:74:06'/> > >>>> </interface> > >>>> <console type='pty' /> > >>>> </devices> > >>>> </domain> > >>>> > >>>> > >>>> _______________________________________________ > >>>> libvirt-users mailing list > >>>> libvirt-users@xxxxxxxxxx > >>>> https://www.redhat.com/mailman/listinfo/libvirt-users > >>>> > >>> > > > _______________________________________________ libvirt-users mailing list libvirt-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvirt-users
