[lxc-devel] [RFC 0/5] stop hook with namespace access
Stéphane Graber
stgraber at ubuntu.com
Mon Sep 28 19:48:10 UTC 2015
Hi,
Please note that even though Serge acked most of this patchset, I won't
be pushing it until it's re-sent with all commits including the required
Signed-off-by line.
Thanks!
On Wed, Sep 23, 2015 at 04:12:05PM +0200, Wolfgang Bumiller wrote:
> As I mentioned in an earlier email (sorry it took a little longer as
> we were still going through some options), we'd like to have the
> possibility to deal with mountpoints after the container has stopped.
>
> This series adds an `lxc.hook.stop` option, and passes handles to the
> container namespaces to it. The hook is executed between the STOPPING
> and STOPPED states, which means the container processes are already
> gone, and to be able to access the mount namespace the preserve_ns
> function is used which opens the ns files. (They're closed in
> lxc_fini.)
>
> As for how they're passed to the hook: you might have a different
> idea about how to do that better. Currently they're passed as paths to
> the '/proc/*/fd' entry prefixed with their 'proc_name' (from ns_info).
> (I did think about just passing the numbers and disabling CLOEXEC, but
> that would mean stop-hooks are always forced to deal with them, even
> if someone doesn't care, otherwise they might be leaked to other
> processes.)
> Environment variables would also be a possibility.
> But this way the hook has the option to enter the namespaces by
> opening the filedescriptors of the lxc process itself.
>
> If you want the patches squashed/changed/... just say so. If you
> decide they're worth adding I'll happily supplement them with patches
> for the documentation (lxc.hook.stop man page entry).
>
> Here's again our use-case summarized: When migrating a container from
> one node to another, there's a chance that they might be accessing a
> network filesystem (eg we can have the root disk as an image file on
> an NFS share), and we need to know that the filesystems were unmounted
> successfully before starting the container on another node (as NFS may
> still be syncing, or worse: hanging due to a lost connection, which we
> want to catch and prevent the container from starting with a broken
> filesystem without user-intervention).
>
> Wolfgang Bumiller (5):
> start.c:preserve_ns: added pid parameter
> preserve container namespace
> added stop-hook entries
> run stop hook between STOPPING and STOPPED states
> pass namespace handles to the stop hook
>
> src/lxc/conf.c | 4 +++-
> src/lxc/conf.h | 2 +-
> src/lxc/confile.c | 3 +++
> src/lxc/start.c | 44 ++++++++++++++++++++++++++++++++++++++++----
> src/lxc/start.h | 1 +
> 5 files changed, 48 insertions(+), 6 deletions(-)
>
> --
> 2.1.4
>
>
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
--
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20150928/d983e632/attachment.sig>
More information about the lxc-devel
mailing list