[lxc-devel] devices and containers

Michael J Coss michael.coss at alcatel-lucent.com
Thu Nov 13 18:40:14 UTC 2014


Sorry for the long delay in responding but we had a demo of our systems 
with outside analysts and it's been a long couple of weeks in preparing 
for the demo.  I'm looking forward to finding a set of common ground 
changes that could be pushed upstream to better support device use in 
containers.

So to clarify our approach, we are running unmodified Linux distros 
with a full desktop environment in a container.  There are modifications 
to the host to be sure, but the containers themselves are straight out 
of the box distros.  Similar to Michael Warfield, we have created a 
private dev directory for each container in:

/etc/lxc/<container name>/dev

and use a local fstab to mount it on the container's /dev during lxc-start.

The key trick here was to force uevents to be processed only by the host 
first, and then forwarded to the appropriate container(s) based on 
system policy.  Our user space daemon, udevns, in addition to forwarding 
uevent messages, like udevd in older versions of Unix/Linux, actually 
manages the creation/deletion of device nodes in the container's /dev as 
it receives the uevents. The nodes are created, and the messages are 
forwarded to the specific container(s).  In addition, we specify what 
access is allowed to what devices in a given container via lxc.conf. 
Obviously udevns can create any device but we allow (and expect) for a 
container to run udevd and process uevents as it sees fit within the 
confines of the restrictions imposed in lxc.conf. Ideally, we should be 
adjusting the device restrictions on the fly to remove/add access in the 
container as these hotplug events occur but we don't do that at the 
moment.  So in our scenario, we start a container with a headless X 
session, adding the display and input devices (keyboard and mouse) 
after startup.

Obviously sysfs is yet another can of worms.  Our solution is to run a 
FUSE and filter sysfs.  Right now the filter is a bit simplistic, in 
that it is only filtering 'uevent' files from view in the container.  
More filtering/modifying needs to be added to make it more of a container's 
view of the system, and not the host's.

I have finally gotten approval to open source the code that implements 
our udevns, and the kernel changes to support that.  I will be preparing 
that over the next few weeks.  I'm still working on getting the sysfs 
FUSE opened.

BR,
Michael J Coss
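The host-side flow described in the post (uevents handled by the host first, then forwarded per policy to the container whose private /etc/lxc/&lt;name&gt;/dev gets the node) can be modelled in a few lines. The following is an added illustration, not the author's udevns or any LXC code: the `ContainerPolicy` shape, the `NodePlan` record, the sample uevent datagrams and the container names are all assumptions. It parses the kernel's `ACTION@DEVPATH\0KEY=VALUE\0...` uevent format, checks the device's subsystem against each container's policy, resolves the node path under the container's dev directory (refusing names that would escape it), and emits the `lxc.cgroup.devices.allow` line that would grant the container access to that major:minor, which is the "adjust restrictions on the fly" step the post says is not yet done.

```python
import posixpath
from dataclasses import dataclass


@dataclass
class ContainerPolicy:
    """Which hotplug subsystems a container may see (assumed policy shape)."""
    name: str
    allowed_subsystems: set


@dataclass(frozen=True)
class NodePlan:
    """A device node the broker would create/remove in the container's private /dev."""
    container: str
    action: str      # "add" or "remove"
    path: str        # host-side path under /etc/lxc/<name>/dev
    kind: str        # "c" (char) or "b" (block)
    major: int
    minor: int

    def cgroup_rule(self) -> str:
        # lxc.conf line that would grant the container access to this node.
        return f"lxc.cgroup.devices.allow = {self.kind} {self.major}:{self.minor} rwm"


def parse_uevent(raw: bytes) -> dict:
    """Parse a kernel uevent datagram: b'add@/devices/...\\0KEY=VALUE\\0...'."""
    fields = raw.split(b"\0")
    action, _, devpath = fields[0].decode("ascii", "replace").partition("@")
    env = {"ACTION": action, "DEVPATH": devpath}
    for field in fields[1:]:
        key, sep, value = field.decode("ascii", "replace").partition("=")
        if sep and key:
            env[key] = value
    return env


def safe_node_path(devroot: str, devname: str):
    """Resolve DEVNAME under devroot; reject absolute names and '..' escapes."""
    if not devname or devname.startswith("/"):
        return None
    joined = posixpath.normpath(posixpath.join(devroot, devname))
    if not joined.startswith(devroot + "/"):
        return None
    return joined


def route_uevent(env: dict, policies) -> list:
    """Return the NodePlans for every container whose policy admits this event."""
    plans = []
    if env.get("ACTION") not in ("add", "remove"):
        return plans
    try:
        major, minor = int(env["MAJOR"]), int(env["MINOR"])
    except (KeyError, ValueError):
        return plans  # event carries no device node (e.g. a bare subsystem event)
    subsystem = env.get("SUBSYSTEM", "")
    kind = "b" if subsystem == "block" else "c"
    for pol in policies:
        if subsystem not in pol.allowed_subsystems:
            continue
        devroot = f"/etc/lxc/{pol.name}/dev"  # layout from the post
        path = safe_node_path(devroot, env.get("DEVNAME", ""))
        if path is None:
            continue  # malformed DEVNAME would leave the container's dev directory
        plans.append(NodePlan(pol.name, env["ACTION"], path, kind, major, minor))
    return plans


# Constructed sample datagrams: a keyboard event node, a disk partition,
# and a malformed DEVNAME that must not be honoured.
SAMPLE_UEVENTS = [
    b"add@/devices/virtual/input/input5/event5\0ACTION=add\0"
    b"DEVPATH=/devices/virtual/input/input5/event5\0SUBSYSTEM=input\0"
    b"MAJOR=13\0MINOR=69\0DEVNAME=input/event5\0SEQNUM=1200\0",
    b"add@/devices/pci0000:00/0000:00:1f.2/ata2/host1/block/sdb/sdb1\0ACTION=add\0"
    b"DEVPATH=/devices/pci0000:00/0000:00:1f.2/ata2/host1/block/sdb/sdb1\0"
    b"SUBSYSTEM=block\0MAJOR=8\0MINOR=17\0DEVNAME=sdb1\0SEQNUM=1201\0",
    b"add@/devices/virtual/input/input6/event6\0ACTION=add\0"
    b"DEVPATH=/devices/virtual/input/input6/event6\0SUBSYSTEM=input\0"
    b"MAJOR=13\0MINOR=70\0DEVNAME=../../../etc/shadow\0SEQNUM=1202\0",
]

# Assumed policies: a desktop container gets input and display devices,
# a build container gets no hotplug devices at all.
DESKTOP = ContainerPolicy("desktop1", {"input", "drm"})
BUILD = ContainerPolicy("build2", set())


def demo() -> list:
    plans = []
    for raw in SAMPLE_UEVENTS:
        plans.extend(route_uevent(parse_uevent(raw), [DESKTOP, BUILD]))
    return plans


if __name__ == "__main__":
    for plan in demo():
        print(plan.action, plan.path, "->", plan.cgroup_rule())
```

Only the keyboard event reaches `desktop1`: the block device matches no policy, and the malformed name is dropped before any node would be created. A real broker would call `os.mknod` with `stat.S_IFCHR`/`S_IFBLK` on the returned path and write the rule into the container's devices cgroup; here the plan is returned so the decision can be inspected and logged.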
