On Mon, Mar 22, 2021 at 09:09:03PM +0530, Gaurav Pathak wrote:
> On Mon, Mar 22, 2021 at 11:53:35AM +0000, Daniel Golle wrote:
> > On Mon, Mar 22, 2021 at 05:00:06PM +0530, Gaurav Pathak wrote:
> > > On Mon, Mar 22, 2021 at 10:42:25AM +0000, Daniel Golle wrote:
> > > > On Mon, Mar 22, 2021 at 03:38:25PM +0530, Gaurav Pathak wrote:
> > > > > > I assume that if this is a custom downstream version then the
> > > > > > change is not applicable for merge into upstream owrt. please
> > > > > > explain what "custom version" means.
> > > > >
> > > > > Actually, we don't use a custom version of lxc, we use the upstream
> > > > > stable lxc.
> > > > > The reason for this patch is that the hardcoded mount of /dev
> > > > > prevents our way of usage of openwrt in containers.
> > > >
> > > > In that case I believe the best is to revert the patch which applies a
> > > > Pantavisor-specific hack to detect if running inside a container and
> > > > switch to a method which works for all users of LXC equally (like it
> > > > has already been done for Docker, see container.h in procd sources).
> > >
> > > We tried to use the existing implementation that is in is_container()
> > > without any modification,
> > > but the key difference is that we use a container to run a full system
> > > container rather than just a "normal" app container,
> > > the current logic is correct when we use openwrt as an app container in
> > > our lxc based pantavisor,
> > > but it will do too much for the containers on our system that are supposed
> > > to run like the "main OS", like our pv-root platforms.
> >
> > The logic in container.h is made for exactly that (ie. full-system
> > container rather than App container). If you are using unmodified LXC
> > this should work without problems as LXC sets an environment variable
> > (container=lxc) and we do detect the presence of that environment
> > variable in container.h.
> >
> > Hence the easiest way would be you just use that existing mechanism
> > (ie. just go with LXC defaults which do set that env variable) as that
> > would not require any Pantavisor-specific hacks in our codebase.
>
> I agree, but the thing is, we have a custom "init" called pantavisor, which
> is responsible for spawning different containers.
> We treat containers running at root level different than containers running
> at application level (fully privileged and unprivileged).
> We provide control to the platform inside container running at root level to
> become host OS (as main OS, OpenWRT in our case) but want
> the LXC to do the mounting and not the Platform itself. So, pantavisor (init)
> ignores "container=lxc" environment for the root (fully privileged)
> container but passes that environment to the containers running at
> application level.
>

Thank you for the detailed explanation. In this case, I think the solution
we have in place now and which detects the presence of the '/pantavisor'
file is probably the best we can do.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
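The detection logic the thread discusses (LXC's `container=lxc` environment variable, a Docker marker, and the `/pantavisor` file that Pantavisor's init relies on because it withholds the env variable from the root container), as an added illustration that is not procd's actual container.h. The `/.dockerenv` marker, the enum names and the function names are assumptions; the decision is kept in a pure function so it can be checked without touching the host.

```c
/* Hypothetical container detection for an init process, modelled on the
 * discussion above. Not procd's own code; names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

enum container_kind {
    CONTAINER_NONE = 0,   /* bare metal / VM: init must set up /dev itself */
    CONTAINER_LXC,        /* LXC default: environment variable container=lxc */
    CONTAINER_DOCKER,     /* Docker: assumed marker file /.dockerenv */
    CONTAINER_PANTAVISOR, /* Pantavisor root container: marker file /pantavisor */
    CONTAINER_OTHER       /* some other runtime that set container=... */
};

/* Pure decision logic: takes the observations as arguments so it can be
 * unit-tested deterministically. The Pantavisor marker is consulted first
 * because, as the thread explains, Pantavisor's init deliberately does not
 * pass container=lxc to its fully privileged root container. */
enum container_kind classify(const char *env_container,
                             int has_pantavisor_marker, int has_dockerenv)
{
    if (has_pantavisor_marker)
        return CONTAINER_PANTAVISOR;
    if (has_dockerenv)
        return CONTAINER_DOCKER;
    if (env_container && *env_container)
        return strcmp(env_container, "lxc") == 0 ? CONTAINER_LXC
                                                  : CONTAINER_OTHER;
    return CONTAINER_NONE;
}

static int path_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Gather the real observations from the running system. */
enum container_kind detect_container(void)
{
    return classify(getenv("container"),
                    path_exists("/pantavisor"), path_exists("/.dockerenv"));
}

/* The point of the whole patch: inside any container the runtime has
 * already provided /dev, so init must not mount it a second time. */
int init_should_mount_dev(enum container_kind kind)
{
    return kind == CONTAINER_NONE;
}
```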