[Lxc-users] lxc-execute and isolation approaches

Vladimir ml at foomx.de
Tue May 7 23:55:06 UTC 2013


On Mon, 6 May 2013 19:16:18 -0500
Serge Hallyn <serge.hallyn at ubuntu.com> wrote:

 -Ben
> > 
> > If I understood it correctly application container created via
> > lxc-execute don't have a rootfs like a "full" container has. Also I
> > don't see it under /var/lib/lxc...
> 
> What would you expect to see under /var/lib/lxc?
> 
> > In the example you see that after I still can see and access the
> > file /tmp/foo. Further on in the container I just could type
> > "reboot" and the host system would reboot.
> 
> You haven't defined a network, so your container is using the host's
> network.  You haven't defined a private /dev, so you're using the
> host's /dev.  If you're using sysvinit or systemd, you can reboot
> bc you can talk to /dev/initctl.  If upstart, you are talking to
> the host's upstart over an abstract unix socket.
> 
> > root at server:~
> > #> touch /tmp/foo
> > root at server:~
> > #> ls -l /tmp/foo 
> > -rw------- 1 root root 0 2013-05-05 22:27 /tmp/foo
> > root at server:~
> > #> lxc-execute -n testcase -f lxc.conf /bin/bash
> > root at testcase:~
> > #> ls -l /tmp/foo 
> > -rw------- 1 root root 0 2013-05-05 22:27 /tmp/foo
> 
> If you mount --bind /tmp /mnt, you'll see that that is not reflected
> on the host.  You have a private mount table, that is all.

Thanks. That helped me to understand it a little better. My goal is to
start multiple instances of nginx via lxc-execute. Each instance has
its own doc_root under /doc_root/user1, /doc_root/user2, ... I don't
need a full container with an entire package set. I would like to avoid
that user1 in container1 can see/access the content of /doc_root/user2
in container2. Maybe I can achieve that with lxc.mount.entry.
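As an added example (not part of the thread, and not LXC's own code), the script below generates a per-instance lxc.conf of the kind the question is asking about: a private rootfs so the host's /tmp and /doc_root are not visible, a veth interface instead of the host's network namespace, a private /dev with a device cgroup whitelist, sys_boot dropped so "reboot" inside the container cannot reach the host's init, and a single lxc.mount.entry that bind-mounts only that user's document root. The rootfs path /var/lib/lxc/nginx-base/rootfs, the bridge name lxcbr0 and the in-container mount point doc_root are assumptions; the doc_root directory must already exist inside the rootfs, because lxc.mount.entry with a relative destination mounts relative to lxc.rootfs and does not create the target.

```shell
#!/bin/sh
# Added example: emit an lxc.conf for one nginx instance so that it sees
# only its own /doc_root/<user>. Paths and names below are assumptions.
set -e

BASE_ROOTFS=/var/lib/lxc/nginx-base/rootfs   # assumed minimal rootfs with nginx + lxc-init
BRIDGE=lxcbr0                                # assumed host bridge

gen_lxc_conf() {
    user="$1"
    cat <<EOF
lxc.utsname = nginx-${user}

# Private root: the host's / (and with it /tmp and /doc_root) is not visible.
lxc.rootfs = ${BASE_ROOTFS}

# Own network namespace instead of sharing the host's interfaces.
lxc.network.type = veth
lxc.network.link = ${BRIDGE}
lxc.network.flags = up

# Private /dev and pts; no host ttys.
lxc.autodev = 1
lxc.tty = 0
lxc.pts = 1024

# Device whitelist: deny everything, then allow only what nginx needs.
lxc.cgroup.devices.deny = a
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm

# sys_boot blocks reboot(2) from inside; sys_admin blocks remounting
# or unmounting the bind mount below; nginx needs neither.
lxc.cap.drop = sys_boot sys_admin sys_module mknod

# Only this user's document root, read-only, at <rootfs>/doc_root.
lxc.mount.entry = /doc_root/${user} doc_root none bind,ro 0 0
EOF
}

# Sanity check for the generated config: does the config for $1 mention
# the document root of $2? Returns 0 (true) if it does.
conf_references_doc_root() {
    gen_lxc_conf "$1" | grep -q "/doc_root/$2"
}

# Usage: ./gen-nginx-conf.sh user1 > user1.conf
#        lxc-execute -n nginx-user1 -f user1.conf /usr/sbin/nginx -g 'daemon off;'
gen_lxc_conf "${1:-user1}"
```

Each instance then gets its own config with exactly one lxc.mount.entry; user1's container has no mount for /doc_root/user2 and, because its root is the private rootfs, no way to reach the host's /doc_root directly. What this does not isolate is the rootfs itself: all instances share the same read-write base tree unless it is bind-mounted read-only or each instance gets a copy.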
