[Lxc-users] LVM in LXC

Benjamin Kiessling mittagessen at l.unchti.me
Sat May 14 14:07:17 UTC 2011


Hi,

> That's still doable, just a bit more work.  Take a look at
> 
> ls -l /dev/lxc
> 
> (or whatever is the vg you're looking at).  It has symlinks to the real
> devices.  When you look at the link targets, you can find their maj:min.
> For me,
> 
> serge at sergelap:~$ ls -l /dev/lxc
> total 0
> lrwxrwxrwx 1 root root 7 2011-05-13 17:26 build1 -> ../dm-1
> lrwxrwxrwx 1 root root 7 2011-05-13 17:26 delme -> ../dm-4
> lrwxrwxrwx 1 root root 7 2011-05-13 17:26 nattylvm -> ../dm-0
> serge at sergelap:~$ ls -l /dev/dm-1
> brw-rw---- 1 root disk 252, 1 2011-05-13 17:26 /dev/dm-1
> 
> So if I only wanted /dev/lxc/build1 to be available to container nattylvm,
> then in its config I would keep the existing lxc.cgroup.devices entries,
> and add
> 
> lxc.cgroup.devices.allow = b 252:1 rwm
> 
> To actually give the container access to the vg so it can create LVM
> devices, I'm afraid I don't know enough about how lvcreate works to be sure.
> 
> But here's my guess (based on a quick read of strace -f lvcreate output):
> 
> Use a different physical partition for each container's pv, and give
> the container full access to that partition.  Then pvscan/pvcreate
> will have access to the full drive, and all metadata is on there.
> vgscan/vgcreate and lvscan/lvcreate likewise I believe will then
> be able to create vgs and lvs on that partition.

That's what I was basically trying to do (and doesn't work this way as far as I
can see). Currently I'm granting access to specific /dev/dm-* files to the 
container. For example:
/dev/dm-2 is the "partition"/logical volume of vm0 with maj:min 252:2. So I
set lxc.cgroup.devices.allow = b 252:2 rwm. In the container I create a 
vg on /dev/dm-2 (works so far) with name vg-vm0. Then I create a logical volume
on vg-vm0 in the container. This pseudo-fails as the container doesn't have
the rights to create any /dev/dm-* (or else a container could just create /dev/dm-n
and access data on other logical volumes). On the host system the corresponding
/dev/dm-7 of the new container lv has been created and I grant access to create
the device node to the container: lxc.cgroup.devices.allow = b 252:7 rwm. vm0 
is now able to create the device node and access the new lv.
So either users have to contact me each time they want to create a new logical
volume in their vm (so I can enable device node access) or they can create arbitrary
/dev/dm-* nodes and access data from other users.

Regards,
Benjamin
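
Added example, not part of the original message or of LXC itself: a Python check of a container's lxc.cgroup.devices.allow lines against the device-mapper minors the host has assigned to that container, flagging wildcard or foreign /dev/dm-* grants of the kind described above. The function name, the ownership set and the sample config are constructed for illustration; major 252 is the device-mapper major shown in the listing in this thread.

```python
import re

# Matches cgroup (v1) devices whitelist entries: "<type> <major>:<minor> <access>"
ALLOW_RE = re.compile(
    r"^\s*lxc\.cgroup\.devices\.allow\s*=\s*([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)\s*$"
)

# Device-mapper major as shown in this thread; it is assigned dynamically,
# so confirm it in /proc/devices on the host being audited.
DM_MAJOR = 252


def audit_allow(config_text, owned_minors, dm_major=DM_MAJOR):
    """Return (line_no, entry, reason) for every allow entry that reaches
    device-mapper nodes outside owned_minors (hypothetical helper)."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        m = ALLOW_RE.match(line)
        if not m:
            continue  # comments, deny rules, unrelated keys
        dev_type, major, minor, access = m.groups()
        if dev_type == "c":
            continue  # character entries cannot name a dm block node
        if major != "*" and int(major) != dm_major:
            continue  # some other block driver, out of scope here
        entry = f"{dev_type} {major}:{minor} {access}"
        if major == "*" or minor == "*":
            findings.append((line_no, entry, "wildcard covers every dm-* node"))
        elif int(minor) not in owned_minors:
            findings.append((line_no, entry, "minor not assigned to this container"))
    return findings


# Constructed sample: vm0 owns dm-2 (its PV) and dm-7 (the LV created inside it).
VM0_OWNED = {2, 7}
VM0_CONFIG = """\
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = b 252:2 rwm
lxc.cgroup.devices.allow = b 252:7 rwm
lxc.cgroup.devices.allow = b 252:1 rwm
lxc.cgroup.devices.allow = b 252:* rwm
"""

if __name__ == "__main__":
    for line_no, entry, reason in audit_allow(VM0_CONFIG, VM0_OWNED):
        print(f"line {line_no}: {entry}: {reason}")
```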