[lxc-devel] device namespaces

[Michael J Coss]

My use case is for handling hotplug events.  I needed a way to say that 
when a hotplug event occurs which container should see the event.   
Underlying this is that devtmpfs represents the host, and not the 
containers view.  Ideally I would like to have a containerized devtmpfs 
instance.  Absent that, I ended up with manually creating/deleting nodes 
in the appropriate container's /dev.  To get the sequencing, and policy 
correct
1) we run a modified kernel to disable the broadcast of uevent into all 
network namespaces,
2) we run a user space daemon that listens to uevents, and applys policy 
for where messages need to go
3) forward the uevent message to the container for processing by the 
udevd running in the container
4) add controls for who can access what devices in a container in lxc.conf

A new kernel function needed to be added to effect passing the uevent 
message from userspace to a specific network namespace instance on a 
specific container.

These changes allow applications to connect to a running containers 
binding the local keyboard and mouse to the virtual screen of the 
application.  We run full desktops in our containers, with a standard X 
server.  A few scripts to handle binding of additional displays for 
tiling, and the container's udevd handles adding keyboard and mice, 
subsequently seen by the X server.

-- 
---Michael J Coss