[PATCH] procd: Adding support to detect Pantavisor Container Platform
Daniel Golle
daniel at makrotopia.org
Mon Mar 22 16:02:27 GMT 2021
On Mon, Mar 22, 2021 at 09:09:03PM +0530, Gaurav Pathak wrote:
> On Mon, Mar 22, 2021 at 11:53:35AM +0000, Daniel Golle wrote:
> > On Mon, Mar 22, 2021 at 05:00:06PM +0530, Gaurav Pathak wrote:
> > > On Mon, Mar 22, 2021 at 10:42:25AM +0000, Daniel Golle wrote:
> > > > On Mon, Mar 22, 2021 at 03:38:25PM +0530, Gaurav Pathak wrote:
> > > > > > I assume that if this is a custom downstream version then the change is
> > > > > > not applicable for merge into upstream owrt. please explain what "custom
> > > > > > version" means.
> > > > >
> > > > > Actually, we don't use a custom version of lxc, we use the upstream stable lxc.
> > > > > The reason for this patch is that the hardcoded mount of /dev prevents our way of usage of openwrt in containers.
> > > >
> > > > In that case I believe the best is to revert the patch which applies a
> > > > Pantavisor-specific hack to detect if running inside a container and
> > > > switch to a method which works for all users of LXC equally (like it
> > > > has already been done for Docker, see container.h in procd sources).
> > > >
> > > We tried to use the existing implementation that is in is_container() without any modification,
> > > but the key difference is that we use a container to run a full system container rather than just a "normal" app container,
> > > the current logic is correct when we use openwrt as an app container in our lxc based pantavisor,
> > > but it will do too much for the containers on our system that are supposed to run like the "main OS", like our pv-root platforms.
> >
> > The logic in container.h is made for exactly that (ie. full-system
> > container rather than App container). If you are using unmodified LXC
> > this should work without problems as LXC sets an environment variable
> > (container=lxc) and we do detect the presence of that environment
> > variable in container.h.
> >
> > Hence the easiest way would be you just use that existing mechanism
> > (ie. just go with LXC defaults which do set that env variable) as that
> > would not require any Pantavisor-specific hacks in our codebase.
>
> I agree, but the thing is, we have a custom "init" called pantavisor, which is responsible for spawning different containers.
> We treat containers running at root level differently from containers running at application level (fully privileged and unprivileged).
> We provide control to the platform inside container running at root level to become host OS (as main OS, OpenWRT in our case) but want
> the LXC to do the mounting and not the Platform itself. So, pantavisor (init) ignores "container=lxc" environment for the root (fully privileged)
> container but passes that environment to the containers running at application level.
>
Thank you for the detailed explanation. In this case, I think the
solution we have in place now and which detects the presence of the
'/pantavisor' file is probably the best we can do.