[lxc-users] Sharing abstract sockets inter-containers ?

Stewart Brodie sbrodie at espial.com
Fri Mar 10 14:18:33 UTC 2017


Maxime Jourdan <raptorteak at gmail.com> wrote:

> Hello,
> 
> One of the contained processes on my system exposes its communication
> interface via an abstract socket. This socket is of the AF_UNIX family,
> with the particularity of being accessible via a name rather than a socket
> file with a path. This socket obeys the network namespace rules.
> 
> Problem is that I need a few other containers to be able to connect to
> this socket. But at the same time, I require containers to have different
> network namespaces...
> 
> Sharing regular AF_UNIX sockets was no big deal because I could just
> bind-mount the socket path into the various containers. But these
> abstract, pathless sockets are making it hard to share.
> 
> A temporary solution has been to "whitelist" this specific socket name
> inside the kernel directly, right before the namespace equal check, but
> that's an ugly workaround.
> 
> Any advice about elegantly sharing abstract sockets between containers is
> gladly welcome :).

The main way that I can think of that is non-invasive with respect to the
kernel is to have a proxy process in the "server" container
that also has a filesystem based UNIX domain socket (that you can bind
mount, as usual) that your client can call to obtain a handle to the real
socket.

Your clients then send a request to the proxy for the socket handle.  Your
proxy process can open and connect to the abstract socket and then
return the socket handle back to the caller using ancillary data.

If you're not familiar with that, effectively, it's a way of doing a
cross-process dup() on a file descriptor.  The key search terms you need
are: cmsg sendmsg recvmsg SCM_RIGHTS


-- 
Stewart Brodie
Senior Software Engineer
Espial UK
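
The descriptor hand-off described in the reply above, as an added example (not part of the original post and not code from either poster). The function names `send_fd`, `recv_fd` and `demo` and the socket name `example-abstract-svc` are hypothetical, and a `socketpair()` stands in for the bind-mounted filesystem socket so the whole flow runs in one process and one network namespace.

```c
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

typedef union { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; } fdbuf;
/* Proxy side: pass fd over chan via SCM_RIGHTS. fdbuf is a union for cmsghdr alignment. */
int send_fd(int chan, int fd) {
    char byte = 'F'; fdbuf u = { { 0 } };  /* one real data byte carries the cmsg */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int)); memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Client side: returns the descriptor, or -1 unless exactly one SCM_RIGHTS fd arrived. */
int recv_fd(int chan) {
    char byte; fdbuf u; int fd = -1;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    if (recvmsg(chan, &msg, 0) != 1 || (msg.msg_flags & MSG_CTRUNC)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int))) return -1;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

/* Whole flow in one process; a socketpair stands in for the bind-mounted socket. */
int demo(void) {
    struct sockaddr_un a = { .sun_family = AF_UNIX };   /* sun_path[0] == 0: abstract */
    static const char name[] = "example-abstract-svc";  /* hypothetical socket name */
    socklen_t len = offsetof(struct sockaddr_un, sun_path) + sizeof(name);
    int chan[2], srv = socket(AF_UNIX, SOCK_STREAM, 0), up = socket(AF_UNIX, SOCK_STREAM, 0);
    memcpy(a.sun_path + 1, name, sizeof(name) - 1);
    if (bind(srv, (struct sockaddr *)&a, len) || listen(srv, 1)) return -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan)) return -1;
    if (connect(up, (struct sockaddr *)&a, len) || send_fd(chan[0], up)) return -1;
    close(up);                      /* proxy drops its copy; the passed one stays open */
    int fd = recv_fd(chan[1]), conn = accept(srv, NULL, NULL); char got[4];
    if (fd < 0 || conn < 0 || write(fd, "ping", 4) != 4 || read(conn, got, 4) != 4) return -1;
    close(fd); close(conn); close(srv); close(chan[0]); close(chan[1]);
    return memcmp(got, "ping", 4) == 0 ? 0 : -1;
}
int main(void) { return demo() ? 1 : 0; }
```

`recv_fd` only reports a malformed control message; a hardened client would also close any extra descriptors the kernel has already installed.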

