On Mon, Oct 07, 2013 at 12:52:30PM +0300, Bogdan Purcareata wrote:
> Securityfs kernel support may not be available on all platforms
> running libvirt containers. Since securityfs receives special
> handling in the context of user namespaces, make an additional
> check to see if it is supported, by inspecting /proc/filesystems.
> Making this check for all lxcBasicMounts is a bit tedious, since
> the /proc filesystem is first unmounted from host, so the
> /proc/filesystems list should be saved before unmounting, to be
> available at all times. However, checks for the support for /proc
> or /sys are superfluous.
I actually don't think it is correct to base it on /proc/filesystems.
The intent of this code is that the container setup match the host
OS setup for these "special" filesystems. So the container should
have it mounted, if and only if, the host has it mounted.
We had attempted to do this by using access(/the/path), but this is
flawed because a) we were looking at the wrong path (the container
path, not the host path) and b) the directory can exist even if the
FS isn't mounted.
What we should have done here is to check whether the path in
question is a mount point on the host. This should automatically
do the right thing if the kernel does not have the filesystem
in question compiled, as well as if it isn't mounted in the
host. I'll copy you on a patch which tries to do that, so can you
test it with your kernels.
> In the long run, to support the addition of new filesystems in
> lxcBasicMounts, an additional "optional" flag should be introduced,
> to mark that for a specific filesystem, the code should first check
> for support in the kernel, before mounting it. For mandatory
> filesystems, if mounting them fails, creating the container fails.
> Right now, check for support only for securityfs, since right now
> it is the only special case.
I'm including flags in the mount table so we can avoid this
special casing as you suggest.
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
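The distinction drawn in the reply above, that /proc/filesystems only says whether the kernel knows a filesystem while the container should mirror what the host actually has mounted, is illustrated by the following added example. It is not libvirt code and not the patch Daniel refers to; the function names is_mountpoint() and path_in_mount_table() and the sample mount table are this example's own. It shows two ways to answer "is this path a mount point on the host?": the stat()-based test that mountpoint(1) uses, which needs no /proc at all, and a scan of a /proc/mounts-style table that can be snapshotted before anything is unmounted.

```c
/*
 * Added example, not libvirt's code.  Two answers to "is this path a
 * mount point on the host?" (names and sample data are this example's own):
 *
 * 1. is_mountpoint(): stat() the path and its parent.  A directory is a
 *    mount point when its st_dev differs from its parent's, or when it is
 *    the root of the tree (same st_dev and st_ino as "..").  This is the
 *    test mountpoint(1) uses and needs no /proc, so it still works after a
 *    container's /proc has been unmounted.  Caveat: a bind mount of a
 *    directory from the same filesystem shares st_dev and is not detected.
 *
 * 2. path_in_mount_table(): scan text in /proc/mounts format for an entry
 *    mounted exactly at the path, optionally of a given fstype.  The table
 *    is passed as a string so a caller can snapshot /proc/mounts early.
 *    Caveat: /proc/mounts octal-escapes spaces in paths ("\040"); this
 *    scanner does not decode them, which is fine for the paths used here.
 */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path is a mount point, 0 if not, -1 on error (errno set). */
int is_mountpoint(const char *path)
{
    struct stat st, parent;
    char buf[4096];

    if (stat(path, &st) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;                     /* only directories can be mount points */
    if (snprintf(buf, sizeof(buf), "%s/..", path) >= (int)sizeof(buf))
        return -1;
    if (stat(buf, &parent) < 0)
        return -1;

    if (st.st_dev != parent.st_dev)
        return 1;                     /* crossed a filesystem boundary */
    if (st.st_ino == parent.st_ino)
        return 1;                     /* "/" is its own parent */
    return 0;
}

/*
 * Returns 1 if `table` (lines of "dev mountpoint fstype opts freq passno")
 * has an entry mounted exactly at `path`; if fstype is non-NULL the entry
 * must also be of that type.  Returns 0 otherwise.
 */
int path_in_mount_table(const char *table, const char *path, const char *fstype)
{
    const char *line = table;

    while (*line) {
        char dev[256], mnt[256], type[64], linebuf[1024];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);

        if (len < sizeof(linebuf)) {
            memcpy(linebuf, line, len);
            linebuf[len] = '\0';
            if (sscanf(linebuf, "%255s %255s %63s", dev, mnt, type) == 3 &&
                strcmp(mnt, path) == 0 &&
                (fstype == NULL || strcmp(type, fstype) == 0))
                return 1;
        }
        if (!nl)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Constructed sample of a host's /proc/mounts; not captured from a real system. */
static const char sample_mounts[] =
    "rootfs / rootfs rw 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0\n"
    "selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0\n";

int main(void)
{
    /* Paths lxcBasicMounts-style code would ask about on the host. */
    const char *paths[] = { "/", "/proc", "/sys", "/sys/kernel/security",
                            "/sys/fs/selinux", "/sys/fs/cgroup" };
    size_t i;

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++)
        printf("%-22s live stat() check: %2d   sample table: %d\n", paths[i],
               is_mountpoint(paths[i]),
               path_in_mount_table(sample_mounts, paths[i], NULL));
    return 0;
}
```

The live stat() column reflects whatever host the program runs on (a missing securityfs gives -1, since the directory does not exist, and an existing but unmounted directory gives 0), which is exactly the "mounted if and only if the host has it mounted" behaviour the reply asks for; the table column shows how the same question can be answered from a saved copy of the host's mount table.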