Re: [libvirt] [RFC] [PATCH v3 2/6] add fuse support for libvirt lxc

On 2012-10-23 23:37, Daniel P. Berrange wrote:
> On Thu, Oct 18, 2012 at 01:25:30PM +0800, Gao feng wrote:
>> On 2012-10-16 20:23, Daniel P. Berrange wrote:
>>> On Mon, Oct 08, 2012 at 08:43:28AM +0800, Gao feng wrote:
>>>> On 2012-09-26 02:37, Daniel P. Berrange wrote:
>>>>> On Tue, Sep 11, 2012 at 10:54:48AM +0800, Gao feng wrote:
>>>>>> This patch adds FUSE support for libvirt lxc.
>>>>>> We can use a FUSE filesystem to generate sysinfo dynamically,
>>>>>> so we can isolate /proc/meminfo, cpuinfo and so on through a
>>>>>> FUSE filesystem.
>>>>>> We mount a FUSE filesystem for every container. The mount name
>>>>>> is Lxc-containername-fuse, and the mount point is
>>>>>> localstatedir/run/libvirt/lxc/containername.
>>>>>> Signed-off-by: Gao feng <gaofeng cn fujitsu com>
>>>>>> diff --git a/src/lxc/lxc_controller.c b/src/lxc/lxc_controller.c
>>>>>> index e5aea11..c5f4951 100644
>>>>>> --- a/src/lxc/lxc_controller.c
>>>>>> +++ b/src/lxc/lxc_controller.c
>>>>>> @@ -1657,6 +1659,14 @@ int main(int argc, char *argv[])
>>>>>>          }
>>>>>>      }
>>>>>> +    rc = virThreadCreate(&thread, true, lxcRegisterFuse,
>>>>>> +                         (void *)ctrl->def);
>>>>>> +    if (rc < 0) {
>>>>>> +        virReportSystemError(-rc, "%s",
>>>>>> +                             _("Create Fuse filesystem failed"));
>>>>>> +        goto cleanup;
>>>>>> +    }
>>>>>> +
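Review bot: the virThreadCreate() call here runs in main() before the controller has called unshare(), so the per-container FUSE mount is created in the host's mount namespace and shows up in the host's /proc/mounts; move the thread start to after the unshare() so the mount exists only in libvirt_lxc and the container and is torn down with the process. The error path also passes -rc to virReportSystemError(): virThreadCreate() returns -1 on failure rather than a negative errno, so the reported code is always 1 (EPERM) whatever actually went wrong; report errno instead, e.g. `virReportSystemError(errno, "%s", _("Create Fuse filesystem failed"));`. Nothing on the cleanup path stops the thread or unmounts the filesystem either, which matters as long as the mount lives in the host namespace.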
>>>>> This is the wrong place to start FUSE. At this point the LXC
>>>>> controller is still sharing its mount namespace with the host
>>>>> OS. This causes the FUSE mount for each container to become
>>>>> visible in the host, which is not what we want.
>>>> Sorry for the delay.
>>>> I think it's correct, because the host can see the container's meminfo
>>>> through cgroup too. NOW the container's cgroup can be seen and
>>>> modified in the container too, I don't know why this is necessary?
>>> The key point is that if you do 'cat /proc/mounts' with your
>>> current patch, you see all the LXC container FUSE mounts. These
>>> mounts should *not* be visible on the host. Only the libvirt_lxc
>>> process and the container itself should see the mounts. This is
>>> why you must not start FUSE until after the unshare() call in
>>> libvirt_lxc. This also ensures that the FUSE mount is automatically
>>> destroyed when libvirt_lxc dies, without you needing to unregister
>>> or unmount it.
>> If we start FUSE after the unshare() call in libvirt_lxc, the FUSE will
>> work in the container's environment, and the cgroup is set in the host.
>> Can we get the host's information in the container? I think this is incorrect.
> The 'libvirt_lxc' process is not actually running inside the container.
> It is running in the host context, but with a slightly customized
> filesystem mount namespace, so that it can view /dev from both the
> host and container at once.

Yes, you are right, I will change this patchset.
There are some strange errors when I start FUSE after unshare(),
so I need some time to resolve these things.

>> I regard the FUSE as a service on the host, it provides the host's cgroup info
>> for the container.
> Yes it is a host service, but that is exactly what libvirt_lxc is. All I
> am saying is that we must not pollute the host OS' mount table - keep the
> mounts hidden in the libvirt_lxc process & container processes only.

Got it, thanks for teaching me this. :)
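As an added example (not code from this patch or from libvirt), the property Daniel is relying on: a mount made by a process after unshare(CLONE_NEWNS) is absent from the parent's mount table and disappears when that process exits, so nothing has to be unregistered or unmounted. A tmpfs stands in for the per-container FUSE filesystem; the mount point /tmp/lxc-fuse-stub and the two sample mount tables are constructed for the example, and the unshare/mount step needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case _GNU_SOURCE was not in effect when the headers were
 * read; CLONE_NEWNS is fixed by the kernel ABI. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
int unshare(int flags);

/* Constructed sample mount tables (not captured from a real system): what
 * the host sees, and what a controller that mounted its per-container
 * filesystem after unshare() sees in its own /proc/self/mounts. */
const char *const SAMPLE_HOST_MOUNTS =
    "proc /proc proc rw 0 0\n"
    "sysfs /sys sysfs rw 0 0\n";
const char *const SAMPLE_CONTROLLER_MOUNTS =
    "proc /proc proc rw 0 0\n"
    "sysfs /sys sysfs rw 0 0\n"
    "Lxc-web-fuse /var/run/libvirt/lxc/web fuse rw 0 0\n";

/* Count entries of a /proc/self/mounts-style table ("fsname mountpoint
 * fstype options freq passno" per line) whose mount point is `prefix`
 * itself or a path below it. */
int count_mounts_under(const char *table, const char *prefix)
{
    size_t plen = strlen(prefix);
    int n = 0;
    const char *line = table;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *sp = memchr(line, ' ', len);      /* end of fsname */
        if (sp) {
            const char *mp = sp + 1;                  /* mount point */
            size_t rest = len - (size_t)(mp - line);
            const char *mpend = memchr(mp, ' ', rest);
            size_t mplen = mpend ? (size_t)(mpend - mp) : rest;
            if (mplen >= plen && memcmp(mp, prefix, plen) == 0 &&
                (mplen == plen || mp[plen] == '/'))
                n++;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return n;
}

/* Read this process's own mount table and count mounts under `prefix`. */
int count_live_mounts_under(const char *prefix)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/mounts", "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[got] = '\0';
    return count_mounts_under(buf, prefix);
}

/* Fork a child that moves into its own mount namespace, makes every mount
 * private so nothing propagates back, and mounts a tmpfs on `mountpoint`.
 * Returns how many mounts the child then sees under `mountpoint`, or -1
 * (an unprivileged caller fails at unshare()/mount() with EPERM). */
int mount_in_private_ns(const char *mountpoint)
{
    int fds[2], result = -1;
    if (pipe(fds) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(fds[0]);
        if (unshare(CLONE_NEWNS) == 0 &&
            mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) == 0 &&
            mount("lxc-fuse-stub", mountpoint, "tmpfs", 0, NULL) == 0)
            result = count_live_mounts_under(mountpoint);
        else
            perror("unshare/mount");
        /* Deliberately no umount(): the mount dies with this namespace. */
        if (write(fds[1], &result, sizeof(result)) != sizeof(result))
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    if (read(fds[0], &result, sizeof(result)) != sizeof(result))
        result = -1;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return result;
}

int main(void)
{
    const char *mp = "/tmp/lxc-fuse-stub";   /* hypothetical mount point */
    mkdir(mp, 0755);
    int in_child = mount_in_private_ns(mp);
    int in_parent = count_live_mounts_under(mp);
    if (in_child < 0) {
        fprintf(stderr, "need CAP_SYS_ADMIN to unshare and mount\n");
        return 1;
    }
    printf("child saw %d mount(s) under %s, parent sees %d\n",
           in_child, mp, in_parent);
    return (in_child == 1 && in_parent == 0) ? 0 : 1;
}
```

Run as root and the child reports one mount under /tmp/lxc-fuse-stub while the parent, reading its own /proc/self/mounts afterwards, reports none: the mount never reached the parent's namespace and was released when the child exited. The MS_REC | MS_PRIVATE remount of "/" is the part people forget; with the default shared propagation on systemd hosts, a mount made in the new namespace can still propagate back to the host.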

