[Lxc-users] trouble with remote mounts, ssh and ftp clients from inside container behind private bridge & NAT

Rob Landley rob at landley.net
Sun Nov 11 12:09:28 UTC 2012


On 11/09/2012 05:13:14 PM, Dan Kegel wrote:
> On Fri, Nov 9, 2012 at 3:03 PM, Whit Blauvelt <whit at transpect.com> wrote:
> >> > mount -o bind /var/lib/lxc/guest/rootfs/mnt/xyz /var/lib/lxc/guest/rootfs/mnt/xyz
> >> > brings the mount into visibility on the guest.
> >>
> >> IIRC, that failed with NFS for me.  You may be lucky you're using CIFS.
> >
> > You mounted NFS on the host, and then tried to bind it to the guest? Didn't
> > work?
> 
> Right.  As I recall, the system exploded.  Or at least did not work
> properly after that.  Hung on file access, maybe.  It was painful
> enough that I've purged the incident from memory, and just
> avoid nfs inside lxc.

I fixed cifs to be container aware back in 2010. I spent months  
examining NFS trying to do similar fixes, but NFS is a crawling horror  
full of bad ideas like superblock merging, and the NFS v2, v3, v4, and  
v4.1 (pnfs) protocols have an awful lot of divergent spaghetti  
codepaths.

Making CIFS container-aware was a couple lines. Doing the same for NFS  
is a thesis project. (It's not that NFS and containers don't  
mix, it's that NFS and _anything_ doesn't mix. Only Sun could design a  
"stateless filesystem server" when the point of a filesystem is to  
maintain state. The whole design is a giant contradiction in terms with  
decades of crap built on top to try to bury the bad ideas under so much  
complexity the problems are less obvious. I'll stop now.)

Really: go look at the Plan 9 filesystem (the "9p" driver, the  
userspace TCP/IP server is called "diod", and kvm has a built-in 9p  
server called "virtfs" using a virtio transport). It's been in the  
kernel for years and uses the same "one pipe per mount" connection type  
of CIFS (so you can use it over a serial port if you really need to),  
but unlike that Windows-derived monstrosity the protocol going over  
said pipe is not crazy.

I posted a patch to containerize 9p over a year ago, never checked if  
it got merged:

   http://marc.info/?l=v9fs-developer&m=130597202601764

Rob


