[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] RFC [3/3]: Lock manager usage scenarios



> From: libvir-list-bounces redhat com
[mailto:libvir-list-bounces redhat com]
> On Behalf Of Daniel P. Berrange
...
> > Could containers make isolation exceptions for
> > - shared storage devices?
> > - shared /var/run/sync_manager/watchdog/ so that the system watchdog
> >   could monitor all sync_manager instances?
> 
> Yes, resources (files) from the primary OS can be exposed in the
> container on a case by case basis & potentially be visible inside
> many containers. If we did a full virtual chroot setup, then the
> container would only be able to see designated paths. It is also
> possible to hide the containers chroot heirarchy from the host
> completely. In any case, we can share paths between containers and
> the host as needed.
> 
> A process inside the container would not be able to see any processes
> outside the container. Processes outside can, however, see processes
> inside the container, but its view of the PIDs will be different.
> eg PID 1 inside the container may be PID 2345 outside.
> 
> The point I was trying to make, is that if the supervisor process
> wants to connect back to a central lock daemon directly this might
> run into trouble. If the supervisor process only needs to access
> file resources on disk, it should be fine.
[IH] how would Libvirt know to give security context to the leases area of
the VM? it would be a different implementation per lock manager (say, I'd
like to lock a row in a central remote db for this)?


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]