On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote:> On 06/09/2013 08:14 PM, pr.G wrote: > > Hello. > > > > Is it possible to start container via libvirt_lxc without mounting /sys > > inside container? > > > > When I start container via lxc-start and do not add mount point to config, > > then /sys inside container is empty. > > > > When I do it via virsh -c lxc:// container.xml, then > > /sys contains sysfs of the host and /sys on host becomes remounting read-only. > > how can it be true? Can you post your /proc/mounts on host and container? > > > > > Am I doing something wrong or is this feature of libvirt_lxc? > > > > Absolutely it's not a feature. > > Thanks! >Thanks for the quick reply. I was surprised too. I didn't post /proc/mounts to container. libvirt_lxc did it for me. I read http://libvirt.org/drvlxc.html about Filesystem mounts: " In the absence of any explicit configuration, the container will inherit the host OS filesystem mounts. A number of mount points will be made read only, or re-mounted with new instances to provide container specific data. The following special mounts are setup by libvirt * /dev a new "tmpfs" pre-populated with authorized device nodes * /dev/pts a new private "devpts" instance for console devices * /sys the host "sysfs" instance remounted read-only * /proc a new instance of the "proc" filesystem * /proc/sys the host "/proc/sys" bind-mounted read-only * /sys/fs/selinux the host "selinux" instance remounted read-only * /sys/fs/cgroup/NNNN the host cgroups controllers bind-mounted to * only expose the sub-tree associated with the container * /proc/meminfo a FUSE backed file reflecting memory limits of the * container " Can I disable this behavior? How do I specify an explicit configuration? Thanks. my container.xml: (The entire xml file is shown in the my original post)> ... > <devices> > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > <filesystem type='mount'> > <source dir='/var/lxc/ns1/rootfs'/> > <target dir='/'/> > </filesystem> > ... > </device> > ...> > Thanks. > > > > root@host:~# uname -a > > Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux > > > > root@host:~# cat /etc/os-release > > PRETTY_NAME="Debian GNU/Linux 7.0 (wheezy)" > > ... > > > > root@host:~# dpkg -l | grep libvirt > > ii libvirt-bin 0.9.12-11 amd64 programs for the libvirt library > > ii libvirt0 0.9.12-11 amd64 library for interfacing with different virtualization systems > > > > > > container.xml: > > <domain type='lxc'> > > <name>ns1</name> > > <memory>524288</memory> > > <os> > > <type>exe</type> > > <init>/sbin/init</init> > > </os> > > <vcpu>1</vcpu> > > <clock offset='utc'/> > > <on_poweroff>destroy</on_poweroff> > > <on_reboot>restart</on_reboot> > > <on_crash>destroy</on_crash> > > <devices> > > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > > <filesystem type='mount'> > > <source dir='/var/lxc/ns1/rootfs'/> > > <target dir='/'/> > > </filesystem> > > <interface type='bridge'> > > <source bridge='br0'/> > > <mac address='52:54:00:de:74:06'/> > > </interface> > > <console type='pty' /> > > </devices> > > </domain> > > > > > > _______________________________________________ > > libvirt-users mailing list > > libvirt-users@redhat.com > > https://www.redhat.com/mailman/listinfo/libvirt-users > > >
On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote:> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: > > On 06/09/2013 08:14 PM, pr.G wrote: > > > Hello. > > > > > > Is it possible to start container via libvirt_lxc without mounting /sys > > > inside container? > > > > > > When I start container via lxc-start and do not add mount point to config, > > > then /sys inside container is empty. > > > > > > When I do it via virsh -c lxc:// container.xml, then > > > /sys contains sysfs of the host and /sys on host becomes remounting read-only. > > > > how can it be true? Can you post your /proc/mounts on host and container? > > > > > > > > Am I doing something wrong or is this feature of libvirt_lxc? > > > > > > > Absolutely it's not a feature. > > > > Thanks! > >Thanks for the quick reply. I was surprised too. I didn't post /proc/mounts to container. libvirt_lxc did it for me. I read http://libvirt.org/drvlxc.html about Filesystem mounts: " In the absence of any explicit configuration, the container will inherit the host OS filesystem mounts. A number of mount points will be made read only, or re-mounted with new instances to provide container specific data. The following special mounts are setup by libvirt * /dev a new "tmpfs" pre-populated with authorized device nodes * /dev/pts a new private "devpts" instance for console devices * /sys the host "sysfs" instance remounted read-only * /proc a new instance of the "proc" filesystem * /proc/sys the host "/proc/sys" bind-mounted read-only * /sys/fs/selinux the host "selinux" instance remounted read-only * /sys/fs/cgroup/NNNN the host cgroups controllers bind-mounted to * only expose the sub-tree associated with the container * /proc/meminfo a FUSE backed file reflecting memory limits of the * container " Can I disable this behavior? How do I specify an explicit configuration? Thanks. my container.xml: (The entire xml file is shown in the my original post)> ... > <devices> > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > <filesystem type='mount'> > <source dir='/var/lxc/ns1/rootfs'/> > <target dir='/'/> > </filesystem> > ... > </device> > ... > > > > > Thanks. > > > > > > root@host:~# uname -a > > > Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux > > > > > > root@host:~# cat /etc/os-release > > > PRETTY_NAME="Debian GNU/Linux 7.0 (wheezy)" > > > ... > > > > > > root@host:~# dpkg -l | grep libvirt > > > ii libvirt-bin 0.9.12-11 amd64 programs for the libvirt library > > > ii libvirt0 0.9.12-11 amd64 library for interfacing with different virtualization systems > > > > > > > > > container.xml: > > > <domain type='lxc'> > > > <name>ns1</name> > > > <memory>524288</memory> > > > <os> > > > <type>exe</type> > > > <init>/sbin/init</init> > > > </os> > > > <vcpu>1</vcpu> > > > <clock offset='utc'/> > > > <on_poweroff>destroy</on_poweroff> > > > <on_reboot>restart</on_reboot> > > > <on_crash>destroy</on_crash> > > > <devices> > > > <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> > > > <filesystem type='mount'> > > > <source dir='/var/lxc/ns1/rootfs'/> > > > <target dir='/'/> > > > </filesystem> > > > <interface type='bridge'> > > > <source bridge='br0'/> > > > <mac address='52:54:00:de:74:06'/> > > > </interface> > > > <console type='pty' /> > > > </devices> > > > </domain> > > > > > > > > > _______________________________________________ > > > libvirt-users mailing list > > > libvirt-users@redhat.com > > > https://www.redhat.com/mailman/listinfo/libvirt-users > > > > >
On 06/10/2013 01:41 PM, pr.G wrote:> On Mon, Jun 10, 2013 at 09:29:32AM +0400, свящ. Георгий Гольцов wrote: >> On Mon, Jun 10, 2013 at 09:07:08AM +0800, Gao feng wrote: >>> On 06/09/2013 08:14 PM, pr.G wrote: >>>> Hello. >>>> >>>> Is it possible to start container via libvirt_lxc without mounting /sys >>>> inside container? >>>> >>>> When I start container via lxc-start and do not add mount point to config, >>>> then /sys inside container is empty. >>>> >>>> When I do it via virsh -c lxc:// container.xml, then >>>> /sys contains sysfs of the host and /sys on host becomes remounting read-only. >>> >>> how can it be true? Can you post your /proc/mounts on host and container? >>> >>>> >>>> Am I doing something wrong or is this feature of libvirt_lxc? >>>> >>> >>> Absolutely it's not a feature. >>> >>> Thanks! >>> > Thanks for the quick reply. > I was surprised too. I didn't post /proc/mounts to container.I mean show the /proc/mounts of container and host in container: cat /proc/mounts [root@Donkey /]# cat /proc/mounts rootfs / rootfs rw 0 0 devpts /dev/pts devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 devfs /dev tmpfs rw,nosuid,relatime,size=64k,mode=755 0 0 /dev/sdb2 / ext4 rw,relatime,data=ordered 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 proc /proc/sys proc ro,relatime 0 0 sysfs /sys sysfs ro,relatime 0 0 libvirt /proc/meminfo fuse rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0 tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,relatime,size=64k,mode=755,uid=1000,gid=1000 0 0 cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0 cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0 cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0 devpts /dev/ptmx devpts rw,nosuid,relatime,gid=5,mode=620,ptmxmode=666 0 0 and in host [root@Donkey libvirt]# cat /proc/mounts rootfs / rootfs rw 0 0 proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0 sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0 devtmpfs /dev devtmpfs rw,nosuid,size=5081344k,nr_inodes=1270336,mode=755 0 0 securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0 tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0 devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0 tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0 tmpfs /sys/fs/cgroup tmpfs rw,nosuid,nodev,noexec,mode=755 0 0 cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,release_agent=/usr/lib/systemd/systemd-cgroups-agent,name=systemd 0 0 pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0 cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0 cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpuacct,cpu 0 0 cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0 cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0 cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0 cgroup /sys/fs/cgroup/net_cls cgroup rw,nosuid,nodev,noexec,relatime,net_cls 0 0 cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0 cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0 cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0 ....> libvirt_lxc did it for me. > I read http://libvirt.org/drvlxc.html about Filesystem mounts: > " > In the absence of any explicit configuration, the container will > inherit the host OS filesystem mounts. A number of mount points will be > made read only, or re-mounted with new instances to provide container > specific data. The following special mounts are setup by libvirt > > * /dev a new "tmpfs" pre-populated with authorized device nodes > * /dev/pts a new private "devpts" instance for console devices > * /sys the host "sysfs" instance remounted read-only > * /proc a new instance of the "proc" filesystem > * /proc/sys the host "/proc/sys" bind-mounted read-only > * /sys/fs/selinux the host "selinux" instance remounted read-only > * /sys/fs/cgroup/NNNN the host cgroups controllers bind-mounted to > * only expose the sub-tree associated with the container > * /proc/meminfo a FUSE backed file reflecting memory limits of the > * container > " > Can I disable this behavior? > How do I specify an explicit configuration?This can't be disabled and it's no need to disable this.> > my container.xml: (The entire xml file is shown in the my original post) >> ... >> <devices> >> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> >> <filesystem type='mount'> >> <source dir='/var/lxc/ns1/rootfs'/> >> <target dir='/'/> >> </filesystem> >> ... >> </device> >> ... >>Your configuration looks good, In container,the sysfs is mounted as read-only default. Since we don't want user in container to change some sysfs-configuration of host. Thanks Gao.>> >>>> Thanks. >>>> >>>> root@host:~# uname -a >>>> Linux host 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2 x86_64 GNU/Linux >>>> >>>> root@host:~# cat /etc/os-release >>>> PRETTY_NAME="Debian GNU/Linux 7.0 (wheezy)" >>>> ... >>>> >>>> root@host:~# dpkg -l | grep libvirt >>>> ii libvirt-bin 0.9.12-11 amd64 programs for the libvirt library >>>> ii libvirt0 0.9.12-11 amd64 library for interfacing with different virtualization systems >>>> >>>> >>>> container.xml: >>>> <domain type='lxc'> >>>> <name>ns1</name> >>>> <memory>524288</memory> >>>> <os> >>>> <type>exe</type> >>>> <init>/sbin/init</init> >>>> </os> >>>> <vcpu>1</vcpu> >>>> <clock offset='utc'/> >>>> <on_poweroff>destroy</on_poweroff> >>>> <on_reboot>restart</on_reboot> >>>> <on_crash>destroy</on_crash> >>>> <devices> >>>> <emulator>/usr/lib/libvirt/libvirt_lxc</emulator> >>>> <filesystem type='mount'> >>>> <source dir='/var/lxc/ns1/rootfs'/> >>>> <target dir='/'/> >>>> </filesystem> >>>> <interface type='bridge'> >>>> <source bridge='br0'/> >>>> <mac address='52:54:00:de:74:06'/> >>>> </interface> >>>> <console type='pty' /> >>>> </devices> >>>> </domain> >>>> >>>> >>>> _______________________________________________ >>>> libvirt-users mailing list >>>> libvirt-users@redhat.com >>>> https://www.redhat.com/mailman/listinfo/libvirt-users >>>> >>> >