On 10/07/2013 09:04 PM, Daniel P. Berrange wrote:
On Mon, Oct 07, 2013 at 12:52:30PM +0300, Bogdan Purcareata wrote:
> Securityfs kernel support may not be available on all platforms
> running libvirt containers. Since securityfs receives special
> handling in the context of user namespaces, make an additional
> check to see if it is supported, by inspecting /proc/filesystems.
>
> Making this check for all lxcBasicMounts is a bit tedious, since
> the /proc filesystem is first unmounted from host, so the
> /proc/filesystems list should be saved before unmounting, to be
> available at all times. However, checks for the support for /proc
> or /sys are superfluous.
I actually don't think it is correct to base it on /proc/filesystems.
The intent of this code is that the container setup match the host
OS setup for these "special" filesystems. So the container should
have it mounted, if and only if, the host has it mounted.
We had attempted todo this by using access(/the/path), but this is
flawed because a) we were looking at the wrong path (the container
path, not the host path) and b) the directory can exist even if the
FS isn't mounted.
We already mount sysfs to /sys before we mount securityfs in container,
so the path /sys/kernel/securityfs is right, the securityfs directory
is created when we mount sysfs.
I read the codes of systemd, systemd doesn't mount securityfs in container
environment, so I don't know what's problem commit
6807238d87fd93dee30038bea1e8582a5f0a9fe7
trying to resolve.
What we should have done here is to check whether the path in
question is a mount point on the host. This should automatically
do the right thing if the kernel does not have the filesystem
in question compiled, as well as if it isn't mounted in the
host. I'll copy you on a patch which tries todo that, so can you
test it with your kenrels.
>
> In the long run, to support the addition of new filesystems in
> lxcBasicMounts, an additional "optional" flag should be introduced,
> to mark that for a specific filesystem, the code should first check
> for support in the kernel, before mounting it. For mandatory
> filesystems, if mounting them fails, creating the container fails.
>
> Right now, check for support only for securityfs, since right now
> it is the only special case.
I'm including flags in the mount table so we can avoid this
special casing as you suggest.
Daniel