[lxc-devel] Closing all fds by default

Daniel Godás dgodas at gmail.com
Fri Jun 8 09:17:17 UTC 2012


Hi all,

I am writing an application that uses lxc as a plugin container so that I
can give users something that resembles a full Linux environment but still
keep control over it. In order to have controlled bi-directional
communication between the plugin and the outside world I intended to pass a
file descriptor to the container. I would create the socket before
launching the container, attach the application to it and then let the
plugin use the file descriptor. This became impossible when the following
patch was applied:

http://sourceforge.net/mailarchive/message.php?msg_id=29310646

The reasoning behind the patch seems to be that nobody would want to pass a
file descriptor to the container, but I think there are uses for such a thing.
The alternative I have at the moment is to either mount a filesystem with a
unix fifo/socket in it and use it from both sides or use a network
interface. The first option looks like a hack to me and kind of defeats the
purpose of having an isolated container. The second one implies messing
with addressing, which I'd like to avoid. Passing an fd looks like an
elegant solution to me.

I guess my point is --close-all-fds was actually useful and I think
removing it should be reconsidered.

Regards,
Dan
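
An added example, not part of the original message and not lxc code: the fd-inheritance pattern described above, with the sweep of inherited descriptors restricted to an allowlist of one. The fork() child stands in for the container's init process, and the function names are hypothetical.

```c
#include <dirent.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Close every open descriptor except stdio and `keep`, the one allowlisted fd.
 * Returns the number closed, or -1 if /proc/self/fd cannot be read.
 * Hypothetical helper for this example; it handles up to 1024 descriptors. */
static int close_inherited_except(int keep)
{
    int fds[1024], n = 0, closed = 0;
    struct dirent *ent;
    DIR *dir = opendir("/proc/self/fd");
    if (!dir) return -1;
    while (n < 1024 && (ent = readdir(dir)) != NULL)
        if (ent->d_name[0] != '.')
            fds[n++] = atoi(ent->d_name);
    closedir(dir); /* releases the directory's own fd before the sweep */
    for (int i = 0; i < n; i++)
        if (fds[i] > 2 && fds[i] != keep && close(fds[i]) == 0)
            closed++;
    return closed;
}

/* Returns 0 when the child replied over the kept socket with the host's end closed in it. */
int demo_inherited_socket(void)
{
    int sv[2], sent, status = -1;
    char buf[4] = {0};
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) { /* child: keep sv[1], sweep everything else, then answer */
        int ok = close_inherited_except(sv[1]) >= 1 &&
                 fcntl(sv[0], F_GETFD) == -1 && /* host's end must be gone here */
                 read(sv[1], buf, 4) == 4 && memcmp(buf, "ping", 4) == 0;
        _exit((write(sv[1], ok ? "pong" : "fail", 4) == 4 && ok) ? 0 : 1);
    }
    close(sv[1]); /* host keeps only its own end */
    sent = write(sv[0], "ping", 4) == 4 && read(sv[0], buf, 4) == 4;
    waitpid(pid, &status, 0);
    close(sv[0]);
    return (sent && memcmp(buf, "pong", 4) == 0 && status == 0) ? 0 : -1;
}

int main(void) { return demo_inherited_socket() == 0 ? 0 : 1; }
```

The sweep keeps the isolation benefit of closing inherited descriptors while leaving exactly one deliberate channel open between the two sides.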