[PATCH] procd: Adding support to detect Pantavisor Container Platform
Gaurav Pathak
gaurav.pathak at pantacor.com
Mon Mar 22 15:39:03 GMT 2021
On Mon, Mar 22, 2021 at 11:53:35AM +0000, Daniel Golle wrote:
> On Mon, Mar 22, 2021 at 05:00:06PM +0530, Gaurav Pathak wrote:
> > On Mon, Mar 22, 2021 at 10:42:25AM +0000, Daniel Golle wrote:
> > > On Mon, Mar 22, 2021 at 03:38:25PM +0530, Gaurav Pathak wrote:
> > > > > I assume that if this is a custom downstream version then the change is
> > > > > not applicable for merge into upstream owrt. please explain what "custom
> > > > > version" means.
> > > >
> > > > Actually, we don't use a custom version of lxc; we use the upstream stable lxc.
> > > > The reason for this patch is that the hardcoded mount of /dev prevents the way we use openwrt in containers.
> > >
> > > In that case I believe the best is to revert the patch which applies a
> > > Pantavisor-specific hack to detect if running inside a container and
> > > switch to a method which works for all users of LXC equally (like it
> > > has already been done for Docker, see container.h in procd sources).
> > >
> > We tried to use the existing implementation in is_container() without any modification,
> > but the key difference is that we use a container to run a full system container rather than just a "normal" app container.
> > The current logic is correct when we use openwrt as an app container in our lxc-based pantavisor,
> > but it will do too much for the containers on our system that are supposed to run like the "main OS", like our pv-root platforms.
>
> The logic in container.h is made for exactly that (ie. full-system
> container rather than App container). If you are using unmodified LXC
> this should work without problems as LXC sets an environment variable
> (container=lxc) and we do detect the presence of that environment
> variable in container.h.
>
> Hence the easiest way would be you just use that existing mechanism
> (ie. just go with LXC defaults which do set that env variable) as that
> would not require any Pantavisor-specific hacks in our codebase.
I agree, but the thing is, we have a custom "init" called pantavisor, which is responsible for spawning different containers.
We treat containers running at root level differently from containers running at application level (fully privileged and unprivileged).
We provide control to the platform inside the container running at root level to become the host OS (as main OS, OpenWRT in our case) but want
the LXC to do the mounting and not the Platform itself. So, pantavisor (init) ignores the "container=lxc" environment for the root (fully privileged)
container but passes that environment to the containers running at application level.
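The detection mechanism the thread refers to (an init inside LXC sees the `container` environment variable; Docker leaves a `/.dockerenv` marker) and the way an outer init can steer it by choosing whether to export that variable, as an added example that is not procd's container.h nor Pantavisor's code. The marker path argument and the `simulate_spawn` helper are assumptions made for illustration:

```c
#include <stdbool.h>
#include <stdlib.h>
#include <sys/stat.h>

/* Illustrative container check modelled on the mechanism described in the
 * thread (not procd's own container.h). LXC exports container=lxc into the
 * container's environment; Docker leaves a /.dockerenv marker file. */

/* Value of the "container" environment variable, or NULL if unset/empty. */
const char *container_env(void)
{
    const char *v = getenv("container");
    if (v == NULL || *v == '\0')
        return NULL;
    return v;
}

/* True if the marker path exists (Docker creates /.dockerenv). */
bool marker_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Combined check: environment variable (LXC) or marker file (Docker).
 * The marker path is a parameter so the check can be exercised offline. */
bool is_container_with_marker(const char *marker)
{
    return container_env() != NULL || marker_exists(marker);
}

/* Convenience wrapper using the real Docker marker path. */
bool is_container(void)
{
    return is_container_with_marker("/.dockerenv");
}

/* The distinction raised in the thread: an outer init that wants a fully
 * privileged "root" container to behave as the host OS can simply not
 * export container=lxc to it, while application-level containers receive
 * it. Hypothetical helper that simulates both cases via the environment of
 * the current process; returns 0 on success like setenv/unsetenv. */
int simulate_spawn(bool root_level)
{
    if (root_level)
        return unsetenv("container");
    return setenv("container", "lxc", 1);
}
```

With the variable unset and no marker file, `is_container_with_marker()` returns false and an init such as procd would proceed with its host-style setup (including the `/dev` mount mentioned above); exporting `container=lxc` flips it to the container path without any vendor-specific check.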