[lxc-devel] [RFC 0/5] stop hook with namespace access
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Sep 23 14:12:05 UTC 2015

As I mentioned in an earlier email (sorry it took a little longer as
we were still going through some options), we'd like to have the
possibility to deal with mountpoints after the container has stopped.

This series adds an `lxc.hook.stop` option, and passes handles to the
container namespaces to it. The hook is executed between the STOPPING
and STOPPED states, which means the container processes are already
gone, and to be able to access the mount namespace the preserve_ns
function is used, which opens the ns files. (They're closed in
lxc_fini.)

As for how they're passed to the hook: you might have a different
idea about how to do that better. Currently they're passed as paths to
the '/proc/*/fd' entry prefixed with their 'proc_name' (from ns_info).
(I did think about just passing the numbers and disabling CLOEXEC, but
that would mean stop-hooks are always forced to deal with them, even
if someone doesn't care, otherwise they might be leaked to other
processes.)
Environment variables would also be a possibility.
But this way the hook has the option to enter the namespaces by
opening the file descriptors of the lxc process itself.

If you want the patches squashed/changed/... just say so. If you
decide they're worth adding I'll happily supplement them with patches
for the documentation (lxc.hook.stop man page entry).

Here's again our use-case summarized: When migrating a container from
one node to another, there's a chance that they might be accessing a
network filesystem (e.g. we can have the root disk as an image file on
an NFS share), and we need to know that the filesystems were unmounted
successfully before starting the container on another node (as NFS may
still be syncing, or worse: hanging due to a lost connection, which we
want to catch and prevent the container from starting with a broken
filesystem without user intervention).

Wolfgang Bumiller (5):
  start.c:preserve_ns: added pid parameter
  preserve container namespace
  added stop-hook entries
  run stop hook between STOPPING and STOPPED states
  pass namespace handles to the stop hook

 src/lxc/conf.c    |  4 +++-
 src/lxc/conf.h    |  2 +-
 src/lxc/confile.c |  3 +++
 src/lxc/start.c   | 44 ++++++++++++++++++++++++++++++++++++++++----
 src/lxc/start.h   |  1 +
 5 files changed, 48 insertions(+), 6 deletions(-)

--
2.1.4
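
The handle-passing scheme described in this message, seen from the hook's side, as an added example that is not part of the original post or of the patch series: a stop hook in C that finds its mount-namespace handle, accepts it only if it has the `/proc/<pid>/fd/<n>` shape, and enters the namespace with setns(2) before unmounting. The `:` separator between the namespace name and the path, the position of the handles among the hook's arguments, and the mountpoint `/mnt/nfs` are assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* setns(), CLONE_NEWNS */
#endif
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <unistd.h>
#ifndef CLONE_NEWNS              /* <sched.h> was included before _GNU_SOURCE */
#define CLONE_NEWNS 0x00020000
int setns(int fd, int nstype);
#endif

/* Skip a run of decimal digits; NULL if there is not at least one. */
static const char *digits(const char *s) {
    const char *p = s;
    while (*p >= '0' && *p <= '9') p++;
    return p > s ? p : NULL;
}
/* Accept exactly "/proc/<pid>/fd/<n>": no "..", no trailing components. */
int valid_proc_fd_path(const char *p) {
    if (strncmp(p, "/proc/", 6) != 0) return 0;
    if (!(p = digits(p + 6)) || strncmp(p, "/fd/", 4) != 0) return 0;
    return (p = digits(p + 4)) != NULL && *p == '\0';
}
/* Return the path part of the first well-formed "<name>:<path>" argument
 * (assumed format), or NULL when the hook was not handed such a handle. */
const char *find_ns_handle(int argc, char **argv, const char *name) {
    size_t n = strlen(name);
    for (int i = 1; i < argc; i++)
        if (!strncmp(argv[i], name, n) && argv[i][n] == ':' &&
            valid_proc_fd_path(argv[i] + n + 1))
            return argv[i] + n + 1;
    return NULL;
}
/* Open the handle close-on-exec and join the namespace. A non-zero nstype
 * makes the kernel reject a descriptor that is not that kind of namespace. */
int enter_ns(const char *path, int nstype) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = setns(fd, nstype);
    close(fd);
    return rc;
}
/* Hook body: enter the stopped container's mount namespace, then unmount. */
int main(int argc, char **argv) {
    const char *path = find_ns_handle(argc, argv, "mnt");
    if (!path || enter_ns(path, CLONE_NEWNS) != 0)
        return fprintf(stderr, "stop hook: no usable mnt handle\n"), 1;
    if (umount2("/mnt/nfs", 0) != 0)     /* hypothetical mountpoint */
        return perror("stop hook: umount /mnt/nfs"), 1;
    return 0;
}
```

Because the hook opens the handle itself with O_CLOEXEC, any program it later executes does not inherit the namespace descriptor, which is the leak the message wants to avoid.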