[lxc-devel] [RFC 0/5] stop hook with namespace access
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Sep 28 20:05:18 UTC 2015
So long as there are no other changes, please add my Acked-by
when you add your Signed-off-by (to the ones I acked)
Quoting Stéphane Graber (stgraber at ubuntu.com):
> Hi,
>
> Please note that even though Serge acked most of this patchset, I won't
> be pushing it until it's re-sent with all commits including the required
> Signed-off-by line.
>
> Thanks!
>
> On Wed, Sep 23, 2015 at 04:12:05PM +0200, Wolfgang Bumiller wrote:
> > As I mentioned in an earlier email (sorry it took a little longer as
> > we were still going through some options), we'd like to have the
> > possibility to deal with mountpoints after the container has stopped.
> >
> > This series adds an `lxc.hook.stop` option, and passes handles to the
> > container namespaces to it. The hook is executed between the STOPPING
> > and STOPPED states, which means the container processes are already
> > gone, and to be able to access the mount namespace the preserve_ns
> > function is used which opens the ns files. (They're closed in
> > lxc_fini.)
> >
> > As for how they're passed to the hook: you might have a different
> > idea about how to do that better. Currently they're passed as paths to
> > the '/proc/*/fd' entry prefixed with their 'proc_name' (from ns_info).
> > (I did think about just passing the numbers and disabling CLOEXEC, but
> > that would mean stop-hooks are always forced to deal with them, even
> > if someone doesn't care, otherwise they might be leaked to other
> > processes.)
> > Environment variables would also be a possibility.
> > But this way the hook has the option to enter the namespaces by
> > opening the filedescriptors of the lxc process itself.
> >
> > If you want the patches squashed/changed/... just say so. If you
> > decide they're worth adding I'll happily supplement them with patches
> > for the documentation (lxc.hook.stop man page entry).
> >
> > Here's again our use-case summarized: When migrating a container from
> > one node to another, there's a chance that they might be accessing a
> > network filesystem (eg we can have the root disk as an image file on
> > an NFS share), and we need to know that the filesystems were unmounted
> > successfully before starting the container on another node (as NFS may
> > still be syncing, or worse: hanging due to a lost connection, which we
> > want to catch and prevent the container from starting with a broken
> > filesystem without user-intervention).
> >
> > Wolfgang Bumiller (5):
> > start.c:preserve_ns: added pid parameter
> > preserve container namespace
> > added stop-hook entries
> > run stop hook between STOPPING and STOPPED states
> > pass namespace handles to the stop hook
> >
> > src/lxc/conf.c | 4 +++-
> > src/lxc/conf.h | 2 +-
> > src/lxc/confile.c | 3 +++
> > src/lxc/start.c | 44 ++++++++++++++++++++++++++++++++++++++++----
> > src/lxc/start.h | 1 +
> > 5 files changed, 48 insertions(+), 6 deletions(-)
> >
> > --
> > 2.1.4
> >
> >
> > _______________________________________________
> > lxc-devel mailing list
> > lxc-devel at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-devel
>
> --
> Stéphane Graber
> Ubuntu developer
> http://www.ubuntu.com
> _______________________________________________
> lxc-devel mailing list
> lxc-devel at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-devel
More information about the lxc-devel
mailing list