> I must admit the details aren't worked out, but the rough idea was
> something like the following. On the host have a directory per
> container, in which the socket is set up
>
> /var/lib/systemd/containerXXXX/
>
> And bind '/var/lib/systemd/containerXXX' into the container in some
> location, let's say '/var/lib/systemd/self/'. The idea is that if
> systemd in the container now listens on
> /var/lib/systemd/self/systemd.sock
> that a process in the host can connect via
>
> /var/lib/systemd/containerXXXX/systemd.sock
This you can already do in current lxc - just add an entry in the form

lxc.mount.entry = /var/lib/systemd/containerXXX var/lib/systemd/self none bind 0 0

to the lxc config file of your container. There's no need to change any code for that. (You have to make sure both directories exist, however.)

OTOH, for the status updates I'm proposing, it's more LXC itself having some form of indication as to whether the container is currently really running, just booting or in the process of shutting down - that makes lxc-info much more useful.

> I'm a little fuzzy on exactly how UNIX domain socket paths interact
> wrt mount namespaces

As long as you can see the socket, you can connect to it. If you bind-mount a directory, any socket you create inside the container will also appear on the host. What you can't do is just bind-mount a socket itself, since it already has to exist, which means that you can't bind to it and listen after that.

The only tricky thing is UNIX domain sockets in the abstract namespace, i.e. the ones starting with a 0-byte in their name: They are tied to the network namespace, so you can *never* see an abstract UNIX socket from another namespace (unless you manage to pass around the fd in some way). But for sockets which are tied to a real object in the filesystem, this restriction doesn't apply.

By the way, as a side-note for your idea for systemctl working from the outside: If you really want to isolate your container from the host, then you have to make sure that it can't DOS the host by filling up /var. This is not possible if you just bind-mount a socket/FIFO, but that doesn't work for your use-case, so you probably would want to mount a tmpfs with a *very* small quota to /var/lib/systemd/containerXXX (in the pre-start lxc hook for example) and then bind-mount that instead of part of a real file system that may be filled up.

Regards,
Christian
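The three socket behaviours Christian describes (a filesystem socket is a real inode that a bind-mounted directory exposes, an existing socket file cannot be bound again, and an abstract socket has no filesystem object at all) can be observed directly. The following is an added example, not code from the thread; it assumes Linux, uses a constructed temporary directory standing in for /var/lib/systemd/containerXXXX, and runs unprivileged since it does not create namespaces or mounts.

```python
import errno
import os
import socket
import tempfile

def socket_visibility_demo(base_dir=None):
    """Observe filesystem vs. abstract UNIX sockets; returns a dict of findings."""
    created = base_dir is None
    base_dir = base_dir or tempfile.mkdtemp(prefix="containerXXXX-")  # constructed stand-in
    fs_path = os.path.join(base_dir, "systemd.sock")
    result = {}

    # 1. A filesystem socket is a real object in the directory: whoever can see
    #    the directory (e.g. through a bind mount) can see it and connect to it.
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(fs_path)
    srv.listen(1)
    result["fs_entry_exists"] = os.path.exists(fs_path)
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    cli.connect(fs_path)
    conn, _ = srv.accept()
    cli.sendall(b"ping")
    result["fs_roundtrip"] = conn.recv(4) == b"ping"
    conn.close()
    cli.close()

    # 2. Once the socket file exists nobody can bind() to it again. This is why
    #    bind-mounting the socket *file* (rather than its directory) is useless:
    #    the listener on the other side could never bind to it.
    second = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        second.bind(fs_path)
        result["rebind_refused"] = False
    except OSError as e:
        result["rebind_refused"] = e.errno == errno.EADDRINUSE
    finally:
        second.close()
        srv.close()
        os.unlink(fs_path)

    # 3. An abstract socket (name starts with a NUL byte) lives in the network
    #    namespace, not the filesystem, so no bind mount can ever expose it.
    abstract = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    abstract.bind(b"\0systemd-containerXXXX")
    abstract.listen(1)
    result["abstract_in_fs"] = os.path.exists(os.path.join(base_dir, "systemd-containerXXXX"))
    result["abstract_has_nul_prefix"] = abstract.getsockname()[:1] == b"\0"
    abstract.close()
    if created:
        os.rmdir(base_dir)
    return result
```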
_______________________________________________
Lxc-devel mailing list
Lxc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-devel