[lxc-devel] [PATCH 2/3] execute: bind init.lxc.static into container

Serge Hallyn serge.hallyn at ubuntu.com
Fri May 30 21:39:46 UTC 2014


Quoting Stéphane Graber (stgraber at ubuntu.com):
> On Mon, May 19, 2014 at 03:51:28PM +0000, Serge Hallyn wrote:
> > Quoting Stéphane Graber (stgraber at ubuntu.com):
> > > On Mon, May 12, 2014 at 06:04:00PM +0000, Serge Hallyn wrote:
> > > > Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
> > > 
> > > So one concern here is that SBINDIR may be pretty much anything and may
> > > look pretty awkward in the container, can we have the bind-mount be done
> > > with say /lxc.init.static instead and only be done in the last resort
> > > case where an existing init couldn't be found?
> > 
> > Sure, that sounds good.
> 
> Your new patch does put it in /lxc.init.static but still appears to do
> it in all cases (even if it ends up unused). I'd really prefer we only
> do the bind-mount if we can't detect a suitable init in the rootfs and
> also remove the bind-mounted file from the rootfs on exit (at least in
> the non-error path).

We actually can't *easily* do this right now.  The rootfs is mounted only
from the task which becomes the container init.  So once the container
exits, the rootfs is not available to us.

We also don't know from the parent (without sending the information back)
whether we bind-mounted the init.  So if this is worth it to us, then we
would have to always re-mount the rootfs (in a new namespace for safety)
just to remove the file.

I think having this file sitting around is a price worth paying for not
having to install liblxc in the container.

So if there are no other objections to the set, I'll push this set on Monday.

> I'd really like us to make sure that when you use lxc, either for a full
> fledged container or just for an application container that the rootfs
> is restored to the way it was when the container exits. That means
> removing the bind-mount target in this case, restoring the original
> tty/console nodes, ...
> 
> > 
> > > > ---
> > > >  src/lxc/conf.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  1 file changed, 58 insertions(+)
> > > > 
> > > > diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> > > > index 7427a94..0580f46 100644
> > > > --- a/src/lxc/conf.c
> > > > +++ b/src/lxc/conf.c
> > > > @@ -3811,6 +3811,61 @@ static void remount_all_slave(void)
> > > >  		free(line);
> > > >  }
> > > >  
> > > > +void lxc_execute_bind_init(struct lxc_conf *conf)
> > > > +{
> > > > +	int ret;
> > > > +	char path[PATH_MAX], destpath[PATH_MAX];
> > > > +
> > > > +	ret = snprintf(path, PATH_MAX, SBINDIR "/init.lxc.static");
> > > > +	if (ret < 0 || ret >= PATH_MAX) {
> > > > +		WARN("Path name too long searching for lxc.init.static");
> > > > +		return;
> > > > +	}
> > > > +
> > > > +	if (!file_exists(path)) {
> > > > +		INFO("%s does not exist on host", path);
> > > > +		return;
> > > > +	}
> > > > +
> > > > +	ret = snprintf(destpath, PATH_MAX, "%s%s", conf->rootfs.mount, path);
> > > > +	if (ret < 0 || ret >= PATH_MAX) {
> > > > +		WARN("Path name too long for container's lxc.init.static");
> > > > +		return;
> > > > +	}
> > > > +
> > > > +	if (!file_exists(destpath)) {
> > > > +		FILE *pathfile;
> > > > +		char *pathdirname = strdup(path);
> > > > +
> > > > +		if (!pathdirname) {
> > > > +			SYSERROR("Out of memory binding lxc.init.static into container");
> > > > +			return;
> > > > +		}
> > > > +		pathdirname = dirname(pathdirname);
> > > > +		ret = mkdir_p(pathdirname, 0755);
> > > > +		free(pathdirname);
> > > > +		if (ret < 0) {
> > > > +			/*
> > > > +			 * this can fail just due to read-only bind mounts.  Trust
> > > > +			 * that the user knows what they want, log and proceed
> > > > +			 */
> > > > +			WARN("Failed to create %s in container", SBINDIR);
> > > > +			return;
> > > > +		}
> > > > +		pathfile = fopen(destpath, "wb");
> > > > +		if (!pathfile) {
> > > > +			SYSERROR("Failed to create mount target '%s'", destpath);
> > > > +			return;
> > > > +		}
> > > > +		fclose(pathfile);
> > > > +	}
> > > > +
> > > > +	ret = mount(path, destpath, "none", MS_BIND, NULL);
> > > > +	if (ret < 0)
> > > > +		SYSERROR("Failed to bind lxc.init.static into container");
> > > > +	INFO("lxc.init.static bound into container at %s", path);
> > > > +}
> > > > +
> > > >  int lxc_setup(struct lxc_handler *handler)
> > > >  {
> > > >  	const char *name = handler->name;
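Review bot: mkdir_p is run on the wrong directory: pathdirname is copied from path (the host-side SBINDIR "/init.lxc.static"), so dirname() yields the host SBINDIR and mkdir_p creates nothing inside the rootfs; the following fopen(destpath, "wb") then fails whenever SBINDIR does not already exist in the container. Derive the directory from destpath instead (`char *pathdirname = strdup(destpath);`), and free the pointer returned by strdup rather than the one returned by dirname(), which is not guaranteed to be the same allocation. Two smaller points in the same hunk: when mount() fails, execution falls through from the SYSERROR to the INFO line, which then reports success (add a return after the SYSERROR), and that INFO prints path where destpath is the location inside the container. The log strings also say lxc.init.static while the file being bound is init.lxc.static; pick one name.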
> > > > @@ -3878,6 +3933,9 @@ int lxc_setup(struct lxc_handler *handler)
> > > >  		return -1;
> > > >  	}
> > > >  
> > > > +	if (lxc_conf->is_execute)
> > > > +		lxc_execute_bind_init(lxc_conf);
> > > > +
> > > >  	/* now mount only cgroup, if wanted;
> > > >  	 * before, /sys could not have been mounted
> > > >  	 * (is either mounted automatically or via fstab entries)
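Review bot: the bind is done for every execute-style container regardless of whether the rootfs already contains a usable init, which is the point raised earlier in this thread (bind only as a last resort when no suitable init is found). Also, lxc_execute_bind_init returns void and the caller discards any outcome, so lxc_setup has no way to record whether a mount target was created in the rootfs and needs removing later; consider returning an int and storing the result in the handler so the cleanup discussed above becomes possible.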
> > > > -- 
> > > > 1.9.1
> > > > 
> > > > _______________________________________________
> > > > lxc-devel mailing list
> > > > lxc-devel at lists.linuxcontainers.org
> > > > http://lists.linuxcontainers.org/listinfo/lxc-devel
> > > 
> > > -- 
> > > Stéphane Graber
> > > Ubuntu developer
> > > http://www.ubuntu.com
> 