[lxc-users] docker in lxc

Maxim Patlasov mpatlasov at parallels.com
Fri Nov 6 22:20:01 UTC 2015


Hi Serge,

I had been working for a while on porting proxy-graphdriver-daemon to the 
extpoint feature, but then switched to another task. I hope to switch 
back in a week. It would be great if we could all come to an agreement 
about a universal way to mount something from the host into the container namespace. 
The simplest way would be to specify the pid of the container's "init" as a 
command-line arg of proxy-daemon, so it could use the pid for setns(2) 
directly. Is such an approach safe enough, and will it work for all of us?

Thanks,
Maxim

On 11/06/2015 12:13 PM, Serge Hallyn wrote:
> Hey guys,
>
> sorry I tuned out for a bit, but now I may have some time.  Have you guys
> been working at all together off-list?
>
> -serge
>
> Quoting Tamas Papp (tompos at martos.bme.hu):
>> Whooo. Thanks in advance, guys!
>>
>> I'm not a programmer and cannot work by myself on this, but I look
>> forward to the feature.
>> Please keep the list posted, I'm sure many of us are interested and
>> also willing to test the code.
>>
>> Cheers,
>> tamas
>>
>> On 10/16/2015 07:08 PM, Serge Hallyn wrote:
>>> Absolutely!  I've not actually started working on that.  (I hadn't noticed
>>> that the docker PR was merged)  Maxim (cc:d) is the one who is working on
>>> this at Odin - I think it'd be best if we can all work together.
>>>
>>> -serge
>>>
>>> Quoting Akshay Karle (akshay.a.karle at gmail.com):
>>>> Hey Serge,
>>>>
>>>> This is something I'm interested in as well. Any way I could help with the
>>>> implementation of the graphdriver proxy?
>>>>
>>>> On Fri, Oct 16, 2015 at 12:10 PM Serge Hallyn <serge.hallyn at ubuntu.com>
>>>> wrote:
>>>>
>>>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>>> On 08/31/2015 03:59 PM, Serge Hallyn wrote:
>>>>>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>>>>> On 08/28/2015 03:48 PM, Serge Hallyn wrote:
>>>>>>>>> Quoting Tamas Papp (tompos at martos.bme.hu):
>>>>>>>>>> hi,
>>>>>>>>>>
>>>>>>>>>> I would like to achieve what is in the subject.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> However, I cannot get past this apparmor issue:
>>>>>>>>>>
>>>>>>>>>> [7690496.246952] type=1400 audit(1440757904.938:1130):
>>>>>>>>>> apparmor="DENIED" operation="mount" info="failed flags match"
>>>>>>>>>> error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/"
>>>>>>>>>> pid=32534 comm="docker" flags="rw, private"
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I read some posts on various forums saying that I need to run the lxc
>>>>>>>>>> container with an unconfined profile.
>>>>>>>>>> Is that still the case?
>>>>>>>>> Excellent, I've been wanting to bring this up here :)
>>>>>>>>>
>>>>>>>>> Maxim at Odin has been working on a proxy graphdriver for
>>>>>>>>> docker.  The PR is at
>>>>>>>>>
>>>>>>>>> https://github.com/docker/docker/pull/15594
>>>>>>>>>
>>>>>>>>> I'm hoping to test that today and see what else is still
>>>>>>>>> needed.  I would assume a custom apparmor policy will still
>>>>>>>>> be needed, but since the host is doing most of the mounting
>>>>>>>>> you should be able to avoid just being unconfined.
>>>>>>>> hi,
>>>>>>>>
>>>>>>>> At first look it seems to be a big change that requires a more
>>>>>>>> qualified person for testing.
>>>>>>>> Did you take a look?
>>>>>>> I've taken a look at the code but haven't built it yet.  (having
>>>>>>> some toolchain issues)
>>>>>> https://github.com/docker/docker/pull/13777
>>>>>>
>>>>>> This was merged; does it mean that docker should be usable in LXC
>>>>>> from this point?
>>>>> Not exactly.  As you can see from the final comment in
>>>>>
>>>>> https://github.com/docker/docker/pull/15924
>>>>>
>>>>> it now means that we can write a graphdriver proxy.  The original
>>>>> openvz pull request would have been almost all we needed - allowing
>>>>> the graphdriver to talk over a unix socket to the host where the
>>>>> requested actions could be done.  The pull request which was accepted
>>>>> does less - only allowing you to implement your own proxy to talk to
>>>>> a service on the host.  (that service *also* needs to be written)
>>>>> _______________________________________________
>>>>> lxc-users mailing list
>>>>> lxc-users at lists.linuxcontainers.org
>>>>> http://lists.linuxcontainers.org/listinfo/lxc-users
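The apparmor="DENIED" line quoted at the top of the thread is the kind of event a host admin has to triage before deciding between an unconfined container and a narrower custom profile. The following is an added example (not code from the thread, from LXC or from Docker): a small parser for type=1400 audit records that pulls out the mount denials and prints the shape of the narrowest AppArmor mount rule that would have matched the event, so the profile can be widened by one rule instead of dropped. The first sample line is the one from the thread; the other two are constructed to show that non-mount denials and non-DENIED records are filtered out. The rule text is built from apparmor.d(5) mount-rule syntax and should still be checked with apparmor_parser before use.

```python
import re
from typing import Dict, Iterator, List, Optional

# Constructed sample log: line 1 is the denial quoted in the thread,
# lines 2 and 3 are made up to exercise the filter.
SAMPLE_LOG = """\
[7690496.246952] type=1400 audit(1440757904.938:1130): apparmor="DENIED" operation="mount" info="failed flags match" error=-13 profile="lxc-docker" name="/var/lib/docker/aufs/" pid=32534 comm="docker" flags="rw, private"
[7690500.000001] type=1400 audit(1440757908.000:1131): apparmor="DENIED" operation="open" profile="lxc-docker" name="/proc/sys/kernel/core_pattern" pid=32540 comm="docker" requested_mask="w" denied_mask="w"
[7690501.000001] type=1400 audit(1440757909.000:1132): apparmor="STATUS" operation="profile_load" profile="unconfined" name="lxc-container-default" pid=100 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one AppArmor (type=1400) audit record into a dict of its fields.
    Returns None for lines that are not AppArmor audit records."""
    if "type=1400" not in line:
        return None
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def mount_denials(log_text: str) -> Iterator[Dict[str, object]]:
    """Yield only mount denials, reduced to the fields needed to write a profile rule."""
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if not f or f.get("apparmor") != "DENIED" or f.get("operation") != "mount":
            continue
        flags: List[str] = [x.strip() for x in f.get("flags", "").split(",") if x.strip()]
        yield {
            "profile": f.get("profile"),
            "target": f.get("name"),
            "flags": flags,
            "info": f.get("info"),
            "comm": f.get("comm"),
        }


def suggested_rule(denial: Dict[str, object]) -> str:
    """Build the narrowest mount rule (apparmor.d(5) syntax) that would allow this exact event.
    Only the denied flags and the denied target path are permitted; nothing wider."""
    opts = ",".join(denial["flags"])  # type: ignore[arg-type]
    return f'mount options=({opts}) -> {denial["target"]},'


if __name__ == "__main__":
    for d in mount_denials(SAMPLE_LOG):
        print(f'{d["profile"]}: {d["comm"]} denied mount of {d["target"]} ({d["info"]})')
        print("  candidate rule:", suggested_rule(d))
```

For the line in the thread this yields `mount options=(rw,private) -> /var/lib/docker/aufs/,` for the lxc-docker profile, which is the minimal change to test first; a profile that needs many such rules is the signal that the mounting really belongs on the host side, as the graphdriver proxy in the thread proposes.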
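On Maxim's question of whether handing the container init pid to the proxy daemon for setns(2) is safe enough: the weak point is that a pid is a reusable name, so a daemon that looks up /proc/<pid>/ns/mnt on every request can, after the container exits, be pointed at whatever process inherits that pid. The added example below (my own illustration, not code from proxy-graphdriver-daemon or from any of the projects in the thread) shows the defensive shape: record the mount-namespace identity (device, inode of the nsfs entry) once, when the pid is known to be correct, and on every later request open the namespace file, compare it against the recorded identity, and only then call setns(2). The helper names are assumptions; setns needs CAP_SYS_ADMIN, so the demo below only verifies identities against the current process and does not actually switch namespaces.

```python
import ctypes
import ctypes.util
import os
from typing import NamedTuple

CLONE_NEWNS = 0x00020000  # setns(2) flag selecting the mount namespace


class NsIdentity(NamedTuple):
    """(device, inode) of /proc/<pid>/ns/mnt; equal pairs mean the same mount namespace."""
    dev: int
    ino: int


def mount_ns_identity(pid: int) -> NsIdentity:
    """Identity of pid's mount namespace. Record this when the pid is known-good
    (e.g. right after the container launcher reports its init pid)."""
    st = os.stat(f"/proc/{pid}/ns/mnt")
    return NsIdentity(st.st_dev, st.st_ino)


def self_mount_ns_identity() -> NsIdentity:
    """Convenience wrapper used by the demo and tests: our own mount namespace."""
    return mount_ns_identity(os.getpid())


def open_mount_ns(pid: int, expected: NsIdentity) -> int:
    """Open /proc/<pid>/ns/mnt and verify it is still the namespace we recorded.
    If the container died and the pid was reused, the nsfs inode differs and we
    refuse instead of entering a stranger's namespace. Caller closes the fd."""
    fd = os.open(f"/proc/{pid}/ns/mnt", os.O_RDONLY)
    try:
        st = os.fstat(fd)  # fstat on the open fd, so the check and the later setns see the same object
        if NsIdentity(st.st_dev, st.st_ino) != expected:
            raise RuntimeError(f"pid {pid} no longer names the expected mount namespace")
    except Exception:
        os.close(fd)
        raise
    return fd


def namespace_matches(pid: int, expected: NsIdentity) -> bool:
    """True iff pid currently names the recorded mount namespace (open, verify, close)."""
    try:
        fd = open_mount_ns(pid, expected)
    except RuntimeError:
        return False
    os.close(fd)
    return True


def enter_mount_ns(ns_fd: int) -> None:
    """setns(2) onto an already-verified namespace fd. Requires CAP_SYS_ADMIN;
    after this, mount(2) calls made by this thread land inside the container."""
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    if libc.setns(ns_fd, CLONE_NEWNS) != 0:
        err = ctypes.get_errno()
        raise OSError(err, os.strerror(err))


if __name__ == "__main__":
    # Demo against our own pid: the recorded identity verifies, a stale one is rejected.
    me = os.getpid()
    recorded = mount_ns_identity(me)
    print("recorded", recorded, "matches:", namespace_matches(me, recorded))
    stale = NsIdentity(recorded.dev, recorded.ino + 1)
    print("stale identity accepted:", namespace_matches(me, stale))
```

The stronger variant of the same idea is for the container-side proxy to send the daemon an already-open fd for its own /proc/self/ns/mnt over the unix socket (SCM_RIGHTS) rather than a pid at all; then the daemon never performs a pid lookup and the identity check above becomes a sanity check rather than the only defence.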
