[lxc-devel] [PATCH] Add mechanism for container to notify host about end of boot
Christian Seiler
christian at iwakd.de
Fri Sep 14 12:54:33 UTC 2012
> I must admit the details aren't worked out, but the rough idea was
> something like the following. On the host have a directory per
> container, in which the socket is setup
>
> /var/lib/systemd/containerXXXX/
>
> And bind '/var/lib/systemd/containerXXX' into the container in some
> location, lets say '/var/lib/systemd/self/'. The idea is that if
> systemd in the container now listens on
> /var/lib/systemd/self/systemd.sock
> that a process in the host can connect via
>
> /var/lib/systemd/containerXXXX/systemd.sock
This you can already do in current lxc - just add an entry in the form
lxc.mount.entry = /var/lib/systemd/containerXXX var/lib/systemd/self none bind 0 0
to the lxc config file of your container. There's no need to change any
code for that. (You have to make sure both directories exist, however.)
OTOH, for the status updates I'm proposing, it's more about LXC itself
having some form of indication as to whether the container is currently
really running, just booting or in the process of shutting down - that
makes lxc-info much more useful.
> I'm a little fuzzy on exactly how UNIX domain socket paths interact
> wrt mount namespaces
As long as you can see the socket, you can connect to it. If you
bind-mount a directory, any socket you create inside the container will
also appear on the host. What you can't do is just bind-mount a socket
itself, since it already has to exist, which means that you can't bind
to it and listen after that.
The only tricky things are UNIX domain sockets in the abstract namespace,
i.e. the ones starting with a 0-byte in their name: they are tied to the
network namespace, so you can *never* see an abstract UNIX socket from
another namespace (unless you manage to pass around the fd in some way).
But for sockets which are tied to a real object in the filesystem, this
restriction doesn't apply.
By the way, as a side-note for your idea for systemctl working from the
outside: If you really want to isolate your container from the host,
then you have to make sure that it can't DoS the host by filling up
/var. This is not possible if you just bind-mount a socket/FIFO, but
that doesn't work for your use-case, so you probably would want to
mount a tmpfs with a *very* small quota to /var/lib/systemd/containerXXX
(in the pre-start lxc hook for example) and then bind-mount that instead
of part of a real file system that may be filled up.
Regards,
Christian
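The three UNIX-domain-socket rules Christian states above (a path-bound socket is reachable through any path that resolves to it; bind() refuses a path that already exists, so you cannot pre-create or bind-mount the socket inode and then listen on it; an abstract-namespace socket creates no filesystem object at all) can be checked from an unprivileged process. The script below is an added example, not code from the mailing-list post or from LXC. It assumes Python 3 on Linux; a symlink stands in for the bind mount (no root needed), and the directory and socket names are hypothetical stand-ins for the /var/lib/systemd/containerXXX layout discussed in the thread.

```python
"""Added example: UNIX socket visibility rules, demonstrated without root.

Assumptions: Python 3, Linux for the abstract-namespace part. The symlink
below plays the role of the bind mount from the thread; "containerXXX" and
"self" are hypothetical names mirroring the discussion.
"""
import errno
import os
import socket
import sys
import tempfile
import threading


def _tmpdir():
    # Keep socket paths short: sun_path is limited to ~108 bytes.
    return tempfile.TemporaryDirectory(dir="/tmp" if os.path.isdir("/tmp") else None)


def _serve_once(srv):
    """Accept one connection and echo its first message back (runs in a thread)."""
    conn, _ = srv.accept()
    with conn:
        conn.sendall(conn.recv(64))


def connect_via_alias():
    """Bind a socket through the 'container' path, connect through the 'host' path.

    Returns the echoed payload, proving both paths name the same socket inode.
    """
    with _tmpdir() as base:
        host_dir = os.path.join(base, "containerXXX")   # host-side directory
        self_dir = os.path.join(base, "self")           # what the container sees
        os.mkdir(host_dir)
        os.symlink(host_dir, self_dir)                  # stand-in for the bind mount

        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(os.path.join(self_dir, "systemd.sock"))  # bound "inside the container"
        srv.listen(1)
        worker = threading.Thread(target=_serve_once, args=(srv,))
        worker.start()

        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(os.path.join(host_dir, "systemd.sock"))  # reached "from the host"
        cli.sendall(b"READY=1")
        reply = cli.recv(64)
        cli.close()
        worker.join()
        srv.close()
        return reply


def bind_to_existing_path():
    """bind() to a path whose inode already exists; returns the errno name.

    This is why a socket inode cannot be pre-created (or bind-mounted) and
    then listened on: the kernel refuses to bind over an existing path.
    """
    with _tmpdir() as base:
        path = os.path.join(base, "systemd.sock")
        first = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        first.bind(path)      # creates the socket inode on disk
        first.close()         # closing does not unlink it: the inode stays
        second = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            second.bind(path)
            return "OK"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
        finally:
            second.close()


def abstract_socket_leaves_no_file():
    """Bind an abstract-namespace socket (leading NUL byte) and look for a file.

    Returns True when no filesystem object appeared and a peer in the same
    network namespace could still connect; None where the abstract namespace
    is unavailable (non-Linux). Reaching it from another network namespace is
    impossible by design, which this unprivileged script cannot show.
    """
    if not sys.platform.startswith("linux"):
        return None
    name = b"\0lxc-demo-" + os.urandom(4).hex().encode()
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(name)
    srv.listen(1)
    try:
        no_file = not os.path.exists(name[1:].decode())  # nothing created in cwd
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(name)                                # same netns: reachable
        cli.close()
        return no_file
    finally:
        srv.close()


if __name__ == "__main__":
    print("echo through alias path:", connect_via_alias())
    print("bind() over existing path:", bind_to_existing_path())
    print("abstract socket left no file:", abstract_socket_leaves_no_file())
```

Run it as an ordinary user; no namespaces are created, so the only thing it cannot show is the cross-netns invisibility of the abstract socket. For the tmpfs-quota idea in the post, the equivalent would be a pre-start hook that does the `mount -t tmpfs -o size=...` before the bind mount; that part needs root and is not demonstrated here.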