On 06/10/2013 01:41 PM, pr.G wrote:
On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote:
> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote:
>> On 06/09/2013 08:14 PM, pr.G wrote:
>>> Hello.
>>>
>>> Is it possible to start container via libvirt_lxc without mounting /sys
>>> inside container?
>>>
>>> When I start container via lxc-start and do not add mount point to config,
>>> then /sys inside container is empty.
>>>
>>> When I do it via virsh -c lxc:// container.xml, then
>>> /sys contains sysfs of the host and /sys on host becomes remounted
>>> read-only.
>>
>> how can it be true? Can you post your /proc/mounts on host and container?
>>
>>>
>>> Am I doing something wrong or is this feature of libvirt_lxc?
>>>
>>
>> Absolutely it's not a feature.
>>
>> Thanks!
>>
Thanks for the quick reply.
I was surprised too. I didn't post /proc/mounts to container.
I mean, show the /proc/mounts of the container and the host.
in container:
cat /proc/mounts
[root@Donkey /]# cat /proc/mounts
rootfs / rootfs rw 0 0
devpts /dev/pts devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0
devfs /dev tmpfs rw,nosuid,relatime,size=64k,mode=755 0 0
/dev/sdb2 / ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,relatime 0 0
sysfs /sys sysfs ro,relatime 0 0
libvirt /proc/meminfo fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=1000,gid=1000 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
devpts /dev/ptmx devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0
and in host
[root@Donkey libvirt]# cat /proc/mounts
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=5081344k,nr_inodes=1270336,mode=755 0 0
securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0
cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
....
libvirt_lxc did it for me.
I read
http://libvirt.org/drvlxc.html about Filesystem mounts:
"
In the absence of any explicit configuration, the container will
inherit the host OS filesystem mounts. A number of mount points will be
made read only, or re-mounted with new instances to provide container
specific data. The following special mounts are setup by libvirt
* /dev a new "tmpfs" pre-populated with authorized device nodes
* /dev/pts a new private "devpts" instance for console devices
* /sys the host "sysfs" instance remounted read-only
* /proc a new instance of the "proc" filesystem
* /proc/sys the host "/proc/sys" bind-mounted read-only
* /sys/fs/selinux the host "selinux" instance remounted read-only
* /sys/fs/cgroup/NNNN the host cgroups controllers bind-mounted to
  only expose the sub-tree associated with the container
* /proc/meminfo a FUSE backed file reflecting memory limits of the
  container
"
Can I disable this behavior?
How do I specify an explicit configuration?
This can't be disabled, and there's no need to disable it.
my container.xml: (The entire xml file is shown in the my original post)
> ...
> <devices>
> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
> <filesystem type='mount'>
> <source dir='/var/lxc/ns1/rootfs'/>
> <target dir='/'/>
> </filesystem>
> ...
> </devices>
> ...
>
Your configuration looks good. In the container, sysfs is mounted read-only by default,
since we don't want users in the container to change the host's sysfs configuration.
Thanks
Gao.
>
>>> Thanks.
>>>
>>> root@host:~# uname -a
>>> Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux
>>>
>>> root@host:~# cat /etc/os-release
>>> PRETTY_NAME="Debian GNU/Linux 7.0 (wheezy)"
>>> ...
>>>
>>> root@host:~# dpkg -l | grep libvirt
>>> ii libvirt-bin 0.9.12-11 amd64 programs for the libvirt library
>>> ii libvirt0 0.9.12-11 amd64 library for interfacing with different virtualization systems
>>>
>>>
>>> container.xml:
>>> <domain type='lxc'>
>>> <name>ns1</name>
>>> <memory>524288</memory>
>>> <os>
>>> <type>exe</type>
>>> <init>/sbin/init</init>
>>> </os>
>>> <vcpu>1</vcpu>
>>> <clock offset='utc'/>
>>> <on_poweroff>destroy</on_poweroff>
>>> <on_reboot>restart</on_reboot>
>>> <on_crash>destroy</on_crash>
>>> <devices>
>>> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator>
>>> <filesystem type='mount'>
>>> <source dir='/var/lxc/ns1/rootfs'/>
>>> <target dir='/'/>
>>> </filesystem>
>>> <interface type='bridge'>
>>> <source bridge='br0'/>
>>> <mac address='52:54:00:de:74:06'/>
>>> </interface>
>>> <console type='pty' />
>>> </devices>
>>> </domain>
>>>
>>>
>>> _______________________________________________
>>> libvirt-users mailing list
>>> libvirt-users(a)redhat.com
>>>
>>> https://www.redhat.com/mailman/listinfo/libvirt-users
>>>
>>
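An added check, not code from the thread or from libvirt, that parses a /proc/mounts listing and reports whether the mounts the libvirt LXC docs describe as read-only host views (/sys and /proc/sys) really are read-only; the two sample listings are abridged from the container and host outputs posted above, and the "last entry wins" handling is what makes the duplicate "/" entries resolve the way a process in the container sees them.

```python
import re

# Constructed sample: the container's /proc/mounts posted in the thread, abridged.
CONTAINER_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sdb2 / ext4 rw,relatime,data=ordered 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
proc /proc/sys proc ro,relatime 0 0
sysfs /sys sysfs ro,relatime 0 0
"""

# Constructed sample: the host's /proc/mounts from the same thread, abridged.
HOST_MOUNTS = """\
rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
"""

# Mount points the libvirt LXC docs describe as read-only views of the host.
EXPECTED_RO = ("/sys", "/proc/sys")


def parse_mounts(text):
    """Parse /proc/mounts text into {mountpoint: (fstype, set_of_options)}.
    A later entry for the same mountpoint shadows an earlier one, as the
    kernel does ('/dev/sdb2 /' hides 'rootfs /'); octal path escapes decode."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        _source, mountpoint, fstype, options = fields[:4]
        mountpoint = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), mountpoint)
        mounts[mountpoint] = (fstype, set(options.split(",")))
    return mounts


def audit_mounts(text):
    """Return {mountpoint: 'ok' | 'writable' | 'missing'} for EXPECTED_RO.
    'writable' means a rw view of host sysfs/procfs; 'missing' means not mounted."""
    mounts = parse_mounts(text)
    verdicts = {}
    for mountpoint in EXPECTED_RO:
        if mountpoint not in mounts:
            verdicts[mountpoint] = "missing"
        elif "ro" in mounts[mountpoint][1]:
            verdicts[mountpoint] = "ok"
        else:
            verdicts[mountpoint] = "writable"
    return verdicts
```

On the container listing `audit_mounts` reports both mounts as `ok`; on the host listing it reports /sys as `writable` and /proc/sys as `missing`, which is the difference the thread is about.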