[lxc-devel] [RFC PATCH 00/11] Add support for devtmpfs in user namespaces

[Michael J Coss]

I've been working on this issue for a while as my use case is having 
containers as virtual desktops for users, that run X, and allow sharing 
of the desktop via injection of displays to the container, as well as 
mice/keyboard using a remote usb ip solution.  To make this work, we 
needed udev messages.  But instead of being broadcasted to every 
container which is what happens now, it needs to be delivered to the 
appropriate container.  So have the uevents are localized to the host. 
and a new daemon (udevns) listens via libudev for events, and forwards 
the events to the appropriate container(s) via inject of the events to 
the appropriate network namespace.  It also is responsible for creation 
of device nodes in the container.  We create a local dev directory in 
/etc/lxc/<containername>/ that is bound during the startup of the 
container.  The container's udev gets the events, and handles them 
locally based on the admin's rules.  Device creation is controlled via 
the lxc.conf file.

When I orginally looked at this problem, I too though of a FUSE, but 
after implementing a /dev FUSE I found the performance penalty was just 
too much, as each access required traversing the kernel a few times.  If 
there was a way to handoff the file descriptor, it might be viable.  And 
there have been attempts at implementing the handoff but they weren't 
very stable.

My current attempt at a FUSE is to provide a filtered view of sysfs, as 
this is another kernel filesystem that poses problems for a more 
generalized view of containers as a virtual machine replacement.  In 
this case, the performance issues are less as it just isn't as critical.