<div dir="ltr">Hi Serge,<div><br></div><div style>I was just following your lead as you said you don't wan't any long running monitor daemon :) Also I'm not sure how does that daemon is going to help starting multiple containers concurrently using only API. I'm guessing the first request will cause that daemon to start and it will never end unless specifically told it to shutdown?</div>
<div style><br></div><div style>Cheers,</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Apr 15, 2013 at 1:18 PM, Serge Hallyn <span dir="ltr"><<a href="mailto:serge.hallyn@ubuntu.com" target="_blank">serge.hallyn@ubuntu.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">Quoting Daniel Lezcano (<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a>):<br>
> On 04/15/2013 07:53 AM, S.Çağlar Onur wrote:<br>
> > Hi Daniel,<br>
> ><br>
> ><br>
> > On Sun, Apr 14, 2013 at 4:42 PM, Daniel Lezcano<br>
> > <<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a> <mailto:<a href="mailto:daniel.lezcano@free.fr">daniel.lezcano@free.fr</a>>> wrote:<br>
> ><br>
> > On 04/14/2013 09:56 PM, S.Çağlar Onur wrote:<br>
> > > Hi all,<br>
> > ><br>
> > > I had some free time today so I tried to implement something using<br>
> > > AF_INET messages over loopback broadcast address. I'm not including<br>
> > > the patch here because gmail web interface damages it and that's<br>
> > what<br>
> > > I use right now so please use [1] to see it.<br>
> > ><br>
> > > I'm sending it to get your feedback and will submit it to list<br>
> > if you<br>
> > > are OK with that approach.<br>
> > ><br>
> > > P.S: I used 51423 as the port but of course it can be changed<br>
> > > accordingly.<br>
> > ><br>
> > > [1]<br>
> > ><br>
> > <a href="https://github.com/caglar10ur/lxc-upstream/commit/123b20e2945ed2b4bc9e6e27b9ef398ec8fcae40.patch" target="_blank">https://github.com/caglar10ur/lxc-upstream/commit/123b20e2945ed2b4bc9e6e27b9ef398ec8fcae40.patch</a><br>
> ><br>
> > Thanks for this code !<br>
> ><br>
> > It sounds like the approach seems ok. My concern is the same than<br>
> > Serge,<br>
> > what can we do to ensure an event was sent by a container ?<br>
> ><br>
> > We don't want someone to send fake events via UDP. We can't tolerate a<br>
> > simple program messing a container supervisor and all the containers<br>
> > (running an OS instance).<br>
> ><br>
> > Assuming an user, which is not root, can't build an IP packet, we can<br>
> > rely on the IP identification number to detect fake packets, no ?<br>
> ><br>
> ><br>
> > I'm not sure about the right answer of that question. I was under the<br>
> > impression that we are safe since kernel only allows root user to send<br>
> > broadcast packages over loopback interface but I might<br>
> > be completely wrong.<br>
><br>
> I don't find a confirmation about this anywhere. Do you have a pointer ?<br>
> If it is the case, then that's cool because we are safe on this side.<br>
<br>
</div></div>Though since we want unprivileged container use, I don't particularly<br>
like that.<br>
<br>
That's another reason I was hoping to stick with AF_UNIX. Then we can<br>
have a monitor socket per lxcpath (/var/lib/lxc, /home/serge/lxcbase,<br>
etc).<br>
<br>
One of the funky solutiosn I was considering was that the first person<br>
to run lxc-monitor - who has wwrite access to the lxcpath - would simply<br>
cause a long-running monitor daemon to start, creating the unix socket<br>
and listening+accepting and forking of handlers. (lxc-monitor --end<br>
would kill the listening handler if we wanted, though that should be<br>
so lightweight as to not matter)<br>
<div class="HOEnZb"><div class="h5"><br>
> Is your code tested ? I mean, did you validate monitoring the events<br>
> works with this approach ?<br>
><br>
> Thanks<br>
> -- Daniel<br>
><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>S.Çağlar Onur <<a href="mailto:caglar@10ur.org">caglar@10ur.org</a>>
</div>