[lxc-devel] LXCFS update problems

Serge Hallyn serge.hallyn at ubuntu.com
Thu Nov 19 17:48:58 UTC 2015


Quoting Serge Hallyn (serge.hallyn at ubuntu.com):
> Quoting Dietmar Maurer (dietmar at proxmox.com):
> > 
> > 
> > > On November 19, 2015 at 4:46 PM Serge Hallyn <serge.hallyn at ubuntu.com> wrote:
> > > 
> > > 
> > > Quoting Dietmar Maurer (dietmar at proxmox.com):
> > > > > Updating the lxcfs package stops/restarts the fuse filesystem. So this
> > > > > breaks all active containers.
> > > > > 
> > > > > AFAIK restarting fuse without umount is not possible, so are there
> > > > > any other ideas how to solve that problem?
> > > > 
> > > > The following lxcfs.service seems to behave much better:
> > > > 
> > > > -------------------------------
> > > > [Unit]
> > > > Description=FUSE filesystem for LXC
> > > > ConditionVirtualization=!container
> > > > Before=lxc.service
> > > > 
> > > > [Service]
> > > > ExecStart=/usr/bin/lxcfs -f -s -o allow_other /var/lib/lxcfs/
> > > > KillMode=none
> > > > Restart=on-failure
> > > > ExecStop=/bin/fusermount -u /var/lib/lxcfs
> > > > 
> > > > [Install]
> > > > WantedBy=multi-user.target
> > > > ---------------------------------
> > > > 
> > > > Because this does not kill a running lxcfs as long as there are references.
> > > > Would this have any drawbacks?
> > > 
> > > I don't think so.  At the least we'd need killmode to also umount -l
> > > /var/lib/lxcfs after killing the process, 
> > 
> > The idea is that fuse is stopped by the last umount (instead of killing the
> > process).
> > Note: we unmount with ExecStop
> > 
> > > but that's not good enough,
> > > because even if lxcfs is cleanly restarted any running containers will
> > > not get the new lxcfs mount.
> > 
> > But much better than the current behavior (and simple to implement)?
> 
> Sorry, I should have proofread my reply.  I combined several thoughts.
> 
> In summary, I think yours is the best we can do - thanks!  I intend to
> add that to the lxcfs package, and then hopefully put the init scripts
> into the git tree as well.

Hm, but in the case of security updates this is not what we want.
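
An added check, not part of the original message or the lxcfs package: with `KillMode=none` a package upgrade can leave the old lxcfs process serving containers, and this reports processes still executing a replaced `/usr/bin/lxcfs` (the path from the unit file quoted above). The function names, the `PROC_ROOT` parameter and any test tree are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find lxcfs processes that still run a binary which a package
# update has since replaced on disk. Until such a process is restarted, a
# security fix shipped in the new binary is not in effect.

# stale_lxcfs_pids [PROC_ROOT] [BINARY_PATH]
# Prints one PID per line for every process whose exe link names BINARY_PATH
# with the kernel's " (deleted)" suffix, meaning the file it was started from
# has been unlinked or replaced while the process kept running.
# PROC_ROOT exists only so the function can be pointed at a constructed tree;
# on a real host leave it at the default /proc.
stale_lxcfs_pids() {
    proc_root=${1:-/proc}
    binary=${2:-/usr/bin/lxcfs}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for kernel threads and for processes we may not inspect
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            "$binary (deleted)") printf '%s\n' "${dir##*/}" ;;
        esac
    done
}

# lxcfs_update_pending [PROC_ROOT] [BINARY_PATH]
# Exit status 0 when at least one stale lxcfs process exists, 1 otherwise.
lxcfs_update_pending() {
    [ -n "$(stale_lxcfs_pids "$@")" ]
}

# Usage on a host, run as root after upgrading the package:
#   lxcfs_update_pending && echo "old lxcfs still running: $(stale_lxcfs_pids)"
```

The check covers only the main executable; it says nothing about shared libraries the running process has mapped.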

