Quoting Benjamin Kiessling (mittages...@l.unchti.me):
> Hi,
>
> > That's still doable, just a bit more work.  Take a look at
> >
> >     ls -l /dev/lxc
> >
> > (or whatever is the vg you're looking at).  It has symlinks to the real
> > devices.  When you look at the link targets, you can find their maj:min.
> > For me,
> >
> > serge@sergelap:~$ ls -l /dev/lxc
> > total 0
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 build1 -> ../dm-1
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 delme -> ../dm-4
> > lrwxrwxrwx 1 root root 7 2011-05-13 17:26 nattylvm -> ../dm-0
> > serge@sergelap:~$ ls -l /dev/dm-1
> > brw-rw---- 1 root disk 252, 1 2011-05-13 17:26 /dev/dm-1
> >
> > So if I only wanted /dev/lxc/build1 to be available to container nattylvm,
> > then in its config I would keep the existing lxc.cgroup.devices entries,
> > and add
> >
> >     lxc.cgroup.devices.allow = b 252:1 rwm
> >
> > To actually give the container access to the vg so it can create LVM
> > devices, I'm afraid I don't know enough about how lvcreate to be sure.
> >
> > But here's my guess (based on a quick read of strace -f lvcreate output):
> >
> > Use a different physical partition for each container's pv, and give
> > the container full access to that partition.  Then pvscan/pvcreate
> > will have access to the full drive, and all metadata is on there.
> > vgscan/vgcreate and lvscan/lvcreate likewise I believe will then
> > be able to create vgs and lvs on that partition.
>
> That's what I was basically trying to do (and doesn't work this way as far as
> I can see). Currently I'm granting access to specific /dev/dm-* files to the
> container. For example:
> /dev/dm-2 is the "partition"/logical volume of vm0 with maj:min 252:2. So I
> set lxc.cgroup.devices.allow = b 252:2 rwm. In the container I create a
> vg on /dev/dm-2 (works so far) with name vg-vm0. Then I create a logical
> volume on vg-vm0 in the container. This pseudo-fails as the container doesn't
> have the rights to create any /dev/dm-* (or else a container could just
> create /dev/dm-n and access data on other logical volumes). On the host
> system the corresponding /dev/dm-7 of the new container lv has been created
> and I grant access to create the device node to the container:
> lxc.cgroup.devices.allow = b 252:7 rwm. vm0 is now able to create the device
> node and access the new lv.
> So either users have to contact me each time they want to create a new logical
> volume in their vm (so I can enable device node access) or they can create
> arbitrary /dev/dm-* nodes and access data from other users.

Ah yeah.  Of course.

I wonder if there is a not-too-hacky way that we could prealloc certain
dm-N ranges to containers, and get those to be used at lvcreate.

-serge

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
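
The manual lookup described in the quoted message (follow the /dev/<vg> symlink, read the maj:min of the dm-N node, write one allow line per volume) can be scripted on the host. The following is an added example, not part of the original message or of LXC; the function names and the command-line form are assumptions made for illustration.

```python
import os
import stat
import sys


def allow_rule(st_mode, st_rdev, perms="rwm"):
    """Return an lxc.cgroup.devices.allow line for a device node, else None."""
    if stat.S_ISBLK(st_mode):
        kind = "b"
    elif stat.S_ISCHR(st_mode):
        kind = "c"
    else:
        return None  # regular file, directory, ...: never whitelist these
    return "lxc.cgroup.devices.allow = %s %d:%d %s" % (
        kind, os.major(st_rdev), os.minor(st_rdev), perms)


def rules_for_dir(vg_dir, wanted, perms="rwm"):
    """Resolve the named entries under vg_dir (e.g. /dev/lxc) to allow lines.

    Only names listed in `wanted` are looked at, so a container is never
    granted a volume by accident; anything that is not a device node raises.
    """
    rules = []
    for name in wanted:
        if os.sep in name or name in (".", ".."):
            raise ValueError("not a plain volume name: %r" % name)
        path = os.path.join(vg_dir, name)
        st = os.stat(path)  # follows the symlink, e.g. build1 -> ../dm-1
        rule = allow_rule(st.st_mode, st.st_rdev, perms)
        if rule is None:
            raise ValueError("%s is not a device node" % path)
        # Record which node the rule was derived from, for later review.
        rules.append("# %s -> %s\n%s" % (path, os.path.realpath(path), rule))
    return rules


if __name__ == "__main__":
    # Hypothetical usage: python3 lv_allow.py /dev/lxc build1 [more-lvs...]
    for entry in rules_for_dir(sys.argv[1], sys.argv[2:]):
        print(entry)
```

This only covers volumes that already exist on the host when it is run; a logical volume created later gets a new dm-N that no generated rule matches, which is the limitation the thread ends on.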