Quoting Michael J Coss ([email protected]): > Sorry for the long delay in responding but we had a demo of our > systems with outside analysts and it's been a long couple of weeks > in preparing for the demo. I'm looking forward to finding a set of > common ground changes that could be pushed upstream to better > support device use in containers. > > So to clarify our approach, we are running unmodified Linux distro's > with a full desktop environment in a container. There are > modifications to the host to be sure, but the container's themselves > are straight out of the box distros. Similar to Michael Warfield, > we have created a private dev directory for each container in: > > /etc/lxc/<container name>/dev > > and use a local fstab to mount it on the containers /dev during lxc-start. > > The key trick here was to force uevents to be processed only by the > host first, and then forwarded to the appropriate container(s) based > on system policy. Our user space daemon, udevns, in addition to > forwarding uevent messages, like udevd in older versions of > Unix/Linux, actually manages the creation/deletion of device nodes > in the container's /dev as it receives the uevents. The nodes are > created, and the messages are forwarded to the specific > container(s). In addition, we specify what access is allowed to > what devices in a given container via lxc.conf. Obviously udevns can > create any device but we allow (and expect) for a container to run > udevd and process uevents as it sees fit within the confines of the > restrictions imposed in lxc.conf. Ideally, we should be adjusting > the device restrictions on the fly to remove/add access in the > container as these hotplug events occur but we don't do that at the > moment. So in our scenario, we start a container with a headless X > session. Adding the display and input devices (keyboard, and mouse) > after startup. > > Obviously sysfs is yet another can of worms. Our solution is to run > a FUSE and filter sysfs. Right now the filter is a bit simplistic, > in that it is only filtering 'uevent' files from view in the > container. More filter/modifying needs be added to make it more of > a container's view of the system, and not the host's. > > I have finally gotten approval to open source the code that > implements our udevns, and the kernel changes to support that. I > will be preparing that over the next few weeks. I'm still working > on getting the sysfs FUSE opened.
Awesome - thanks, Michael. Very much looking forward to seeing it. -serge _______________________________________________ lxc-devel mailing list [email protected] http://lists.linuxcontainers.org/listinfo/lxc-devel
