
From: libvir-list-bounces@redhat.com [mailto:libvir-list-bounces@redhat.com] On Behalf Of Daniel P. Berrange ...
Could containers make isolation exceptions for
- shared storage devices?
- shared /var/run/sync_manager/watchdog/ so that the system watchdog could monitor all sync_manager instances?
Yes, resources (files) from the primary OS can be exposed in the container on a case by case basis & potentially be visible inside many containers. If we did a full virtual chroot setup, then the container would only be able to see designated paths. It is also possible to hide the container's chroot hierarchy from the host completely. In any case, we can share paths between containers and the host as needed.
A process inside the container would not be able to see any processes outside the container. Processes outside can, however, see processes inside the container, but their view of the PIDs will be different, e.g. PID 1 inside the container may be PID 2345 outside.
The point I was trying to make is that if the supervisor process wants to connect back to a central lock daemon directly this might run into trouble. If the supervisor process only needs to access file resources on disk, it should be fine.
[IH] How would Libvirt know to give a security context to the leases area of the VM? It would be a different implementation per lock manager (say, I'd like to lock a row in a central remote db for this)?
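To make the two views of one process concrete (PID 1 inside the container, some other PID outside) together with the private mount tree in which designated host paths would be shared, here is an added C example; it is not code from this thread and not libvirt's LXC driver. It creates a child in fresh PID and mount namespaces with clone(2), lets the child mount its own /proc so it can count how many processes it can see, and reports both PIDs back to the parent. It assumes a Linux host; run as root the namespaces are created directly, otherwise it retries inside a user namespace, and if the kernel or a seccomp policy refuses that too it reports "unsupported" instead of failing. The names ns_demo, run_ns_demo, child_fn and count_proc_pids are this example's own.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the demonstration observed. All fields are filled in by run_ns_demo(). */
struct ns_demo {
    int supported;      /* 1 if the kernel let us create the namespaces, else 0 */
    int clone_errno;    /* errno from clone() when supported == 0 */
    int used_userns;    /* 1 if we had to fall back to an unprivileged user namespace */
    pid_t inner_pid;    /* getpid() as seen by the child: 1 inside a fresh PID namespace */
    pid_t outer_pid;    /* the same process as seen by the parent on the host side */
    int proc_pids;      /* numeric entries in the child's private /proc, -1 if the mount failed */
};

/* Count the PID directories visible in a procfs mount (hypothetical helper). */
static int count_proc_pids(const char *path) {
    DIR *d = opendir(path);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL)
        if (isdigit((unsigned char)e->d_name[0])) n++;
    closedir(d);
    return n;
}

/* Runs inside the new namespaces and reports back through a pipe. */
static int child_fn(void *arg) {
    int *pipefd = arg;
    close(pipefd[0]);
    pid_t self = getpid();              /* 1: this process is "init" of the new PID namespace */
    int pids = -1;
    /* Make the mount tree private first, so the /proc mount below never leaks to the host.
     * A shared host path (e.g. a watchdog directory) would be bind-mounted into this tree. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0 &&
        mount("proc", "/proc", "proc", 0, NULL) == 0)
        pids = count_proc_pids("/proc");   /* only ourselves: host PIDs are invisible here */
    if (write(pipefd[1], &self, sizeof self) != (ssize_t)sizeof self) return 1;
    if (write(pipefd[1], &pids, sizeof pids) != (ssize_t)sizeof pids) return 1;
    close(pipefd[1]);
    return 0;
}

/* Create a child in new PID and mount namespaces and record both views of it.
 * Returns 0 when the demo ran (check out->supported), -1 on an unexpected failure. */
int run_ns_demo(struct ns_demo *out) {
    int pipefd[2];
    memset(out, 0, sizeof *out);
    out->proc_pids = -1;
    if (pipe(pipefd) != 0) return -1;
    const size_t stack_size = 64 * 1024;
    char *stack = malloc(stack_size);
    if (!stack) { close(pipefd[0]); close(pipefd[1]); return -1; }

    int flags = CLONE_NEWPID | CLONE_NEWNS | SIGCHLD;
    pid_t child = clone(child_fn, stack + stack_size, flags, pipefd);
    if (child < 0 && errno == EPERM) {
        /* Not root: a user namespace grants the capabilities needed inside it. */
        out->used_userns = 1;
        child = clone(child_fn, stack + stack_size, flags | CLONE_NEWUSER, pipefd);
    }
    if (child < 0) {
        out->clone_errno = errno;       /* namespaces unavailable here; not a bug in the demo */
        free(stack); close(pipefd[0]); close(pipefd[1]);
        return 0;
    }
    close(pipefd[1]);
    out->supported = 1;
    out->outer_pid = child;             /* the host-side PID, e.g. 2345, while the child sees 1 */
    pid_t inner; int pids;
    if (read(pipefd[0], &inner, sizeof inner) == (ssize_t)sizeof inner) out->inner_pid = inner;
    if (read(pipefd[0], &pids, sizeof pids) == (ssize_t)sizeof pids) out->proc_pids = pids;
    close(pipefd[0]);
    waitpid(child, NULL, 0);
    free(stack);
    return 0;
}

int main(void) {
    struct ns_demo d;
    if (run_ns_demo(&d) != 0) { perror("run_ns_demo"); return 1; }
    if (!d.supported) {
        printf("namespaces unavailable: clone: %s\n", strerror(d.clone_errno));
        return 0;
    }
    printf("child sees itself as PID %d; host sees it as PID %d%s\n",
           (int)d.inner_pid, (int)d.outer_pid,
           d.used_userns ? " (user namespace fallback)" : "");
    if (d.proc_pids >= 0)
        printf("processes visible in the child's /proc: %d\n", d.proc_pids);
    return 0;
}
```

The asymmetry in the reply shows up directly: the parent holds a host PID for the child and can wait on it, while the child's own /proc lists exactly one process. This is also why a supervisor that only touches files can be given a shared path by bind-mounting it into the private tree, whereas one that wants to reach a daemon by PID or socket outside the container sees nothing to connect to.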