[lxc-devel] [PATCH] Use container specific domain socket name

S.Çağlar Onur caglar at 10ur.org
Fri Apr 12 16:55:27 UTC 2013 

I'm not experienced with it so please forgive me if I'm talking non-sense
but what about switching back to using (or abusing depending on your point
of view) netlink via libnl?


On Fri, Apr 12, 2013 at 10:02 AM, Serge Hallyn <serge.hallyn at ubuntu.com>wrote:

> Quoting Daniel Lezcano (daniel.lezcano at free.fr):
> > Sorry for jumping so late in the thread but I disagree to use DBUS with
> > LXC because of the dependency with more packages, LXC has been designed
> > to be stand alone, nothing prevent to add more complexity and
> > dependencies but on top of LXC not inside.
> >
> > To answer the previous email Serge sent me, I thought a bit about the
> > mechanism in order to prevent a publish/subscribe approach. The first
> > version used the af_netlink socket to use some kind of message multicast
> > on processes. But it hacked a family of the netlink which was
> > conflicting with the ip_route tool. In order to prevent this conflict I
> > switched "temporarly" to the AF_UNIX socket while looking for a socket
> > type matching our needs. The AF_IPN (Inter Process Network) could have
> > been perfect but the patchset has been rejected.
> >
> > I think the solution to solve this issue is to use the AF_INET protocol
> > on the loopback using the loopback's broadcast address and filter the
> > messages with the container name. The code should be 'trivial'.
> >
> > One question remains with this approach : which communication port
> number ?
>
> A consideration:  right now the the monitors are per-lxcpath.  So
> if user joe is using lxcpath /home/joe/lxcbase, then his lxc-monitor
> will only hear events for containers under /home/joe/lxcbase.  If
> we use loopback, then events for alllxcpaths on the host will be
> combined.
>
> That may be preferred, or may not be.  But in the coming world of
> per-unprivileged-user containers, where user joe has container c2
> in /home/joe/lxcbase/c2, do we want user joe to hear all events
> relating to system containers (under /var/lib/lxc) or jane's
> /home/jane/lxcbase containers?
>
> It's not so much a noise issue, as we can just make sure to add
> the lxcpath to each message.  It's more a security/privacy concern.
>
> -serge
>
>
> ------------------------------------------------------------------------------
> Precog is a next-generation analytics platform capable of advanced
> analytics on semi-structured data. The platform includes APIs for building
> apps and a phenomenal toolset for data science. Developers can use
> our toolset for easy data analysis & visualization. Get a free account!
> http://www2.precog.com/precogplatform/slashdotnewsletter
> _______________________________________________
> Lxc-devel mailing list
> Lxc-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/lxc-devel
>



-- 
S.Çağlar Onur <caglar at 10ur.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20130412/d2cf6a9b/attachment.html>

More information about the lxc-devel mailing list