Quoting Daniel P. Berrange (berrange(a)redhat.com):
> > Calling unshare(CLONE_NEWNS) will not prevent the host OS from
> > seeing the new /dev/pts if / was MS_SHARED. That isn't taken
> > care of anywhere else for this process's namespace, is it?
>
> Yeah, so this is the place where I think we must still have a difference
> in our host setups. I'm testing this patch on a Fedora 11 host, and with
> my current code, the new /dev/pts is not visible in the host.

Well, I haven't tested your patch as is, was just looking at the code.
My pivot_root patch did a remount --make-slave, but I think it is only
for the container itself, whereas your patch here affects the driver
so it hasn't yet hit that remount, right?

> So I can only assume this means my host / is *not* MS_SHARED, while

If on your F11 host you look at

    cat /proc/self/mountinfo

do the top lines show / as being shared? (Mine does)

> yours is. I'm struggling to find out why this is different because
> I'm testing on a Fedora 11 up2date system.
> It's possible this is just something that has been changed since.
> Anyway, would it be sufficient to add in a call
>
>     if (mount("", "/", NULL, MS_PRIVATE|MS_REC, NULL) < 0) {
>         virReportSystemError(NULL, errno, "%s",
>                              _("failed to make root private"));
>         goto cleanup;
>     }

Maybe the best thing to do would be:

    if (mount("", "/", NULL, MS_SLAVE|MS_REC, NULL) < 0) {
        virReportSystemError(NULL, errno, "%s",
                             _("failed to make root slave"));
        goto cleanup;
    }
    if (mount("", "/", NULL, MS_SHARED|MS_REC, NULL) < 0) {
        virReportSystemError(NULL, errno, "%s",
                             _("failed to make root shared"));
        goto cleanup;
    }

So we are making it slave (so it will receive mounts from the host
still), then shared (so the rest of the container will start out
shared). That, or just turn it SLAVE and leave it like that.

> Just after the 'unshare' call, to make sure our / is private before
> we set up the new /dev/pts
>
> > I assume the reason you want the new devpts not visible in the
> > host OS is so that it will be auto-umounted when the container is
> > released?
>
> Yes, that's the primary reason, although I also just don't want anything
> accessing the container's PTYs directly from the host. I wanted them to
> remain a hidden impl detail, used only by the libvirt controller process.
> So it's preferable that this new dev/pts instance is not visible in the
> host (at least not easily).
thanks,
-serge
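As an added example, not code from this thread or from libvirt, the check Serge asks for (is "/" shared in /proc/self/mountinfo?) done programmatically, next to the MS_SLAVE|MS_REC remount the thread proposes for the spot right after unshare(CLONE_NEWNS). The function names parse_mountinfo_line, root_is_shared and make_root_slave are chosen here, and SAMPLE_MOUNTINFO is a constructed line, not captured from a real host.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#define PROP_SHARED 1   /* optional field "shared:N" */
#define PROP_SLAVE  2   /* optional field "master:N"; neither bit set means private */

/* Parse one mountinfo line ("id parent maj:min root mountpoint opts [optional] -
 * fstype source superopts"); copy the mount point to mp, return PROP_* bits or -1. */
static int parse_mountinfo_line(const char *line, char *mp, size_t mplen)
{
    char buf[4096], *tok;
    int field = 0, prop = 0;
    snprintf(buf, sizeof buf, "%s", line);          /* strtok() must not touch the caller's copy */
    for (tok = strtok(buf, " \t\n"); tok; tok = strtok(NULL, " \t\n")) {
        field++;
        if (field == 5) snprintf(mp, mplen, "%s", tok);
        if (field < 7) continue;
        if (strcmp(tok, "-") == 0) break;               /* end of the optional fields */
        if (strncmp(tok, "shared:", 7) == 0) prop |= PROP_SHARED;
        else if (strncmp(tok, "master:", 7) == 0) prop |= PROP_SLAVE;
    }
    return (field < 7 || !tok) ? -1 : prop;             /* too few fields or no "-" */
}

/* The thread's "look at /proc/self/mountinfo" check: 1 if "/" is shared (a devpts
 * mounted after unshare(CLONE_NEWNS) would propagate to the host), 0 if not, -1 if absent. */
int root_is_shared(const char *mountinfo)
{
    for (const char *line = mountinfo; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char tmp[4096], mp[4096];
        if (len >= sizeof tmp) len = sizeof tmp - 1;
        memcpy(tmp, line, len); tmp[len] = '\0';
        int prop = parse_mountinfo_line(tmp, mp, sizeof mp);
        if (prop >= 0 && strcmp(mp, "/") == 0)
            return (prop & PROP_SHARED) ? 1 : 0;
        line = nl ? nl + 1 : NULL;
    }
    return -1;
}

/* The remount the thread proposes, run right after unshare(CLONE_NEWNS): "/" becomes a
 * recursive slave, so host mounts still arrive but the new /dev/pts never propagates back. */
int make_root_slave(void)
{
    return mount("", "/", NULL, MS_SLAVE | MS_REC, NULL);   /* needs CAP_SYS_ADMIN */
}

/* Constructed sample line (not captured from a real host) whose "/" is shared. */
const char *SAMPLE_MOUNTINFO = "22 1 8:3 / / rw,relatime shared:1 - ext4 /dev/sda3 rw,seclabel\n";
```

Feeding the real file's contents to root_is_shared() before the unshare tells a driver whether the remount is actually needed on that host, which is exactly the F11-vs-other difference the thread is chasing.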