[lxc-devel] Probably more of a user list than a devel list question but ...

Michael J Coss michael.coss at alcatel-lucent.com
Wed May 7 21:06:35 UTC 2014


On 5/7/2014 3:38 PM, Serge Hallyn wrote:
> 1) mount a new instance of sysfs within the network/process namespace
> of the container on some host mount point
> Why on a host mount point, out of curiosity?
I really don't want the "real" container /sys to be directly accessible 
within the container's context, other than thru the FUSE.  At some point 
I will want to not allow a new sysfs instance to be mounted within the 
container.
> So how does it go wrong if you use lxc.hook.mount?  That happens
> in the container's namespace, but before the pivot_root.  So
> you can access both the host's and container's mounts, though
> your mounts won't be propagated to the host mount namespace.
> At this point the container rootfs is mounted at
> $LXC_ROOTFS_MOUNT, so ${LXC_ROOTFS_MOUNT}/sys will be the
> container's sys, for instance.
Three observations.

First, systemd hangs.  Haven't tried it with my container that's using 
openRC.  It is not the fact that I have the container's /sys mounted 
because I've had this work before when I was shadowing the host's /sys.  
The different behavior seems to stem from the use of ROOTFS_MOUNT vs 
ROOTFS_PATH.  Using the path variable, the FUSE properly shadows the 
host's /sys.  Use of the ROOTFS_MOUNT variable triggers a hang in systemd.

Second, looking at the mount point of what should be the container's 
/sys shows an empty directory.  There are two entries in the host mount 
table, one for each of the mounts done in the hook.  The sysfs entry 
points to the correct directory /etc/lxc/<container name>/sys, the fuse 
daemon responsible for the mount point is active, and the mount point 
for the fuse is shown as what I believe is the pivot_root, 
/usr/lib64/lxc/rootfs/sys.  If I switch to using ROOTFS_PATH, systemd 
runs but apparently ignores the mount (or doesn't see it) and mounts a 
new instance of sysfs.  The odd thing is that

Third, what should be the container's /sys (mount on /etc/lxc/<container 
name>/sys) is empty.  This may be due to the fact that systemd is hung, 
but I would think the kernel would present the sysfs instance even if 
the init process is hung.

-- 
---Michael J Coss
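As an added illustration of the hook layout discussed in this thread (this is example code, not Michael's hook and not part of the LXC project): a POSIX sh script usable as lxc.hook.mount that mounts a fresh sysfs instance on a host-side directory under /etc/lxc/<name>/sys and then places a FUSE view over ${LXC_ROOTFS_MOUNT}/sys, so that after pivot_root the container only ever sees the FUSE-mediated tree. LXC_NAME and LXC_ROOTFS_MOUNT are the variables LXC exports to mount hooks; the FUSE binary name sysfs-shadow and its --source flag are placeholders for whatever daemon does the filtering, and the nosuid,nodev,noexec options are this example's choice. HOOK_DRY_RUN=1 makes the script print the commands instead of running them, so it can be exercised without root or a container.

```shell
#!/bin/sh
# Example lxc.hook.mount script (added illustration, not from the thread).
# At hook time we are inside the container's mount namespace but before
# pivot_root, so LXC_ROOTFS_MOUNT is where the container rootfs currently sits.
set -eu

# Run a command, or only print it when HOOK_DRY_RUN=1.
run() {
    if [ "${HOOK_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# shadow_sys <container name> <rootfs mount>
# Mounts the real sysfs on a host-side directory and puts the FUSE view
# where the container will find /sys after pivot_root.
shadow_sys() {
    name="${1:?container name}"
    rootfs_mount="${2:?rootfs mount}"
    host_sys="/etc/lxc/${name}/sys"   # host-side home for the real sysfs
    target="${rootfs_mount}/sys"      # becomes the container's /sys

    run mkdir -p "$host_sys" "$target"
    # Fresh sysfs instance; options are this example's hardening choice.
    run mount -t sysfs -o nosuid,nodev,noexec sysfs "$host_sys"
    # Hypothetical FUSE daemon that exposes a filtered copy of host_sys.
    run sysfs-shadow --source "$host_sys" "$target"
}

# Entry point used when LXC invokes the hook as: <name> <section> <hook type>
hook_main() {
    : "${LXC_NAME:?set by lxc}"
    : "${LXC_ROOTFS_MOUNT:?set by lxc}"
    shadow_sys "$LXC_NAME" "$LXC_ROOTFS_MOUNT"
}

if [ "$#" -ge 3 ] && [ "$3" = "mount" ]; then
    hook_main
fi
```

Because the mounts happen inside the container's namespace they never reach the host's mount table, which matches what Serge describes above; the host-side path only exists as a name inside that namespace.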


