> On September 28, 2015 at 5:07 PM Serge Hallyn <serge.hal...@ubuntu.com> wrote:
>
> Quoting Wolfgang Bumiller (w.bumil...@proxmox.com):
>
> No signed-off-by
>
> Note this will need a very good description in the documentation,
> to explain that this will run as a child of the monitor in the
> container's namespace, and iiuc with the container under
> $rootfs. So it will want to umount under i.e. LXC_ROOTFS_MOUNT.
It runs in the monitor namespace with references to the container's namespace via filenames. AFAIK the container's filesystem isn't actually visible from there at that point, so LXC_ROOTFS_MOUNT would be empty?

Running "inside" the container's namespace was what I originally had in mind when I first talked about this, but this doesn't really work, simply because I can't exec() a host path inside the mount namespace of a container since it's not the same file or doesn't exist there. I could open() a handle first and use fexecve(), but then the container might lack the necessary libraries or the #!/interpreter. This, mostly, is why I prefixed it as RFC.

I currently pass the namespace file descriptors as paths to $nsname:/proc/$monitorpid/fd/$number (in the patch you replied to about the asprintf() issue). E.g. you get the arguments `mnt:/proc/123/fd/12 pid:/proc/123/fd/13 uts:/proc/123/fd/14 ipc:/proc/123/fd/15 net:/proc/123/fd/16` passed additionally to the regular hook arguments.

_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
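A hook that consumes the `name:/proc/<monitorpid>/fd/<n>` arguments described in the message above, as an added illustration (not code from the patch or from LXC itself). It assumes the namespace arguments follow the regular hook arguments and are the only ones of the form `name:/proc/...`; it opens every fd path before the first setns(), because after entering the container's mount namespace the monitor's /proc is no longer what `/proc/<monitorpid>/fd/<n>` resolves against.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum { MAX_NS = 8 };   /* the hook passes at most five namespace kinds */

/* Map the namespace names used in the hook arguments to setns() flags.
 * Returns -1 for an unknown name (e.g. "user", which the hook does not pass). */
int ns_flag(const char *name) {
    if (strcmp(name, "mnt") == 0) return CLONE_NEWNS;
    if (strcmp(name, "pid") == 0) return CLONE_NEWPID;
    if (strcmp(name, "uts") == 0) return CLONE_NEWUTS;
    if (strcmp(name, "ipc") == 0) return CLONE_NEWIPC;
    if (strcmp(name, "net") == 0) return CLONE_NEWNET;
    return -1;
}

/* Split "mnt:/proc/123/fd/12" into its setns() flag and the path part.
 * Returns the flag, or -1 if the argument is a regular hook argument. */
int parse_ns_arg(const char *arg, const char **path) {
    const char *colon = strchr(arg, ':');
    char name[8];
    if (!colon || (size_t)(colon - arg) >= sizeof name) return -1;
    memcpy(name, arg, (size_t)(colon - arg));
    name[colon - arg] = '\0';
    if (strncmp(colon + 1, "/proc/", 6) != 0) return -1;   /* e.g. "a:b" in a container name */
    *path = colon + 1;
    return ns_flag(name);
}

/* Enter every namespace passed as "name:path" in argv[from..argc-1].
 * Phase 1 opens all paths while we still see the monitor's /proc;
 * phase 2 calls setns() on the cached fds. Note that CLONE_NEWPID only
 * applies to children forked afterwards, not to this process itself.
 * Returns the number of namespaces entered, or -1 on error. */
int enter_namespaces(int argc, char **argv, int from) {
    int fds[MAX_NS], flags[MAX_NS], n = 0;
    for (int i = from; i < argc && n < MAX_NS; i++) {
        const char *path;
        int flag = parse_ns_arg(argv[i], &path);
        if (flag < 0) continue;                     /* not a namespace argument */
        if ((fds[n] = open(path, O_RDONLY | O_CLOEXEC)) < 0) { perror(path); return -1; }
        flags[n++] = flag;
    }
    for (int i = 0; i < n; i++) {
        if (setns(fds[i], flags[i]) < 0) { perror("setns"); return -1; }
        close(fds[i]);
    }
    return n;
}
```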