
On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
On 2012-09-26 02:37, Daniel P. Berrange wrote:
On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
This patch adds FUSE support for libvirt LXC. We can use a FUSE filesystem to generate sysinfo dynamically, so we can isolate /proc/meminfo, /proc/cpuinfo and so on through the FUSE filesystem.
We mount a FUSE filesystem for every container. The mount name is Lxc-containename-fuse, and the mount point is localstatedir/run/libvirt/lxc/containername.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c index e5aea11..c5f4951 100644 --- a/src/lxc/lxc_controller.c +++ b/src/lxc/lxc_controller.c @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[]) } }
+ rc = virThreadCreate(&thread, true, lxcRegisterFuse, + (void *)ctrl->def); + if (rc < 0) { + virReportSystemError(-rc, "%s", + _("Create Fuse filesystem failed")); + goto cleanup; + } +
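Review bot: the virThreadCreate() call for lxcRegisterFuse sits in the controller's main() before the controller has unshared its mount namespace, so the per-container FUSE mount is created in the host's mount namespace and shows up in the host's /proc/mounts; move the call to after the unshare() that is done while setting up /dev/pts, which also makes the mount go away with libvirt_lxc without an explicit unmount. Separately, the error path passes virReportSystemError(-rc, ...): if virThreadCreate() signals failure with -1 and leaves the cause in errno rather than returning a negative errno, -rc is 1 and the message names EPERM whatever actually failed; report errno instead.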
This is the wrong place to start FUSE. At this point the LXC controller is still sharing its mount namespace with the host OS. This causes the FUSE mount for each container to become visible in the host, which is not what we want.

Sorry for the delay.
I think it's correct, because the host can see the container's meminfo through cgroup too. Now the container's cgroup can be seen and modified in the container too; I don't know why this is necessary?
The key point is that if you do 'cat /proc/mounts' with your current patch, you see all the LXC container FUSE mounts. These mounts should *not* be visible on the host. Only the libvirt_lxc process and the container itself should see the mounts. This is why you must not start FUSE until after the unshare() call in libvirt_lxc. This also ensures that the FUSE mount is automatically destroyed when libvirt_lxc dies, without you needing to unregister or unmount it.
We must only start FUSE after we have done the unshare() call while setting up /dev/pts.
Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
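The mount-namespace behaviour Daniel describes above, as an added C example that is not libvirt code and not part of this thread: a child process leaves the host's mount namespace with unshare(CLONE_NEWNS), makes its mount tree private, and only then creates its container-specific mount. The mount is listed in the child's own /proc/self/mounts but not in the parent's, and it is gone once the child exits. A tmpfs stands in for the FUSE filesystem, the mount point /tmp/lxc-fuse-demo is an assumed demo path, and unshare()/mount() need CAP_SYS_ADMIN, so run it as root.

```c
/* Added example (not libvirt code): a mount created after unshare(CLONE_NEWNS)
 * is private to the unsharing process and vanishes with it; one created
 * before would land in the host's mount namespace and show in /proc/mounts. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* unshare() and CLONE_NEWNS in <sched.h> */
#endif
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>

#ifndef CLONE_NEWNS
/* Fallback if <sched.h> was already pulled in without _GNU_SOURCE. */
#define CLONE_NEWNS 0x00020000
extern int unshare(int flags);
#endif

/* Return 1 if `mntpoint` appears as the mount target in `mounts_text`,
 * which is in /proc/<pid>/mounts format: one mount per line,
 * "<source> <target> <fstype> <options> 0 0". */
int mount_listed(const char *mounts_text, const char *mntpoint)
{
    const char *line = mounts_text;
    size_t want = strlen(mntpoint);
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);          /* end of field 1 */
        if (sp) {
            const char *target = sp + 1;
            size_t rest = len - (size_t)(target - line);
            const char *end = memchr(target, ' ', rest);  /* end of field 2 */
            size_t tlen = end ? (size_t)(end - target) : rest;
            if (tlen == want && memcmp(target, mntpoint, tlen) == 0)
                return 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return 0;
}

/* Read a whole (small) file such as /proc/<pid>/mounts into a malloc'd string. */
static char *read_file(const char *path)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return NULL;
    size_t cap = 4096, n = 0, got;
    char *buf = malloc(cap);
    while (buf && (got = fread(buf + n, 1, cap - n - 1, f)) > 0) {
        n += got;
        if (n + 1 >= cap) {
            cap *= 2;
            buf = realloc(buf, cap);
        }
    }
    if (buf)
        buf[n] = '\0';
    fclose(f);
    return buf;
}

int main(void)
{
    const char *mnt = "/tmp/lxc-fuse-demo";   /* assumed demo mount point */
    char parent_mounts[64];
    mkdir(mnt, 0755);

    pid_t child = fork();
    if (child == 0) {
        /* 1. Leave the host's mount namespace (needs CAP_SYS_ADMIN). */
        if (unshare(CLONE_NEWNS) < 0) { perror("unshare"); _exit(2); }
        /* 2. Make our tree private so mounts don't propagate back to the host. */
        if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) {
            perror("mount MS_PRIVATE"); _exit(2);
        }
        /* 3. Only now create the per-container mount (tmpfs stands in for FUSE). */
        if (mount("lxc-demo", mnt, "tmpfs", 0, "size=64k") < 0) {
            perror("mount tmpfs"); _exit(2);
        }
        snprintf(parent_mounts, sizeof parent_mounts, "/proc/%d/mounts", (int)getppid());
        char *mine = read_file("/proc/self/mounts");
        char *host = read_file(parent_mounts);
        printf("listed in child namespace : %d\n", mine ? mount_listed(mine, mnt) : -1);
        printf("listed in parent namespace: %d\n", host ? mount_listed(host, mnt) : -1);
        free(mine);
        free(host);
        _exit(0);   /* the tmpfs mount disappears with this process */
    }
    int status = 0;
    waitpid(child, &status, 0);
    char *after = read_file("/proc/self/mounts");
    printf("listed in parent after child exit: %d\n", after ? mount_listed(after, mnt) : -1);
    free(after);
    rmdir(mnt);
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as root: the child reports 1 for its own namespace and 0 for the parent's, and the parent still reports 0 after the child has exited, with no unmount anywhere in the program. Doing the tmpfs mount before the unshare() instead would print 1 on all three lines and leave the mount behind, which is the situation the review objects to.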