[lxc-devel] mount ro in guest change host filesystem to ro

Nico parpandet at gmail.com
Fri Sep 2 15:06:59 UTC 2011


Dear Jäkel,

2011/9/2 Jäkel, Guido <G.Jaekel at dnb.de>:
> Dear Nico,
>
>>I mean lxc was integrated into 2.6.27 kernel, this is October 2008
>>!!!, nearly three years from now, into the
>>stable branch, but is not usable in production in 2011 !!
>
> I'm not involved in lxc-dev yet, but to my knowledge you're using wrong terms: Nothing of LXC is integrated into the kernel, but LXC uses "common" features of the kernel like cgroup and other namespaces to ground its functionality on it. All of LXC itself is completely in userland.

My guess is security issues are inside the kernel itself (like rmmod,
mount ro, tty problems), but you're right,
lxc is just an interface to cgroups.

> If I may point you to another open issue: Just call 'free' or 'top' in a container, it will show the view of the host. If you look at the sources of the "pstools package", you'll find that there's absolutely no proper kernel interface to ask the memory usage. Instead, these tools will directly read out some kernel structures. I don't know how openvz handles such things. Does it fake such kernel memory accesses to the userland processes in different namespaces?

Even with lxc, "ps xua..." shows only processes in the cgroup, so yes
/proc is already "virtualized". You're right about "free" reporting
host values with lxc, but it's done in openvz, and I don't know about
vservers.

What is the aim of lxc? To be just a toy? Or to compare to
bsdjails, solaris zones, openvz, vservers, aix lpar?
Is cgroup just a toy to get Linus watching videos while compiling his
kernel? Or to be able to run containers?

I'm not able to code at this time, but I can report bugs, report
missing user options,
give some money, write doc, and ask how much time it will take to make
this project usable?

Have a nice weekend!

Nicolas

> Other projects like process grouping use process namespaces, too. Will such a patch be compatible with such another use case?
>
>
> Greetings
>
> Guido
>



