Maxime Jourdan <raptort...@gmail.com> wrote:
> Hello,
>
> One of the contained processes on my system exposes its communication
> interface via an abstract socket. This socket is of the AF_UNIX family,
> with the particularity of being accessible via a name rather than a socket
> file with a path. This socket obeys the network namespace rules.
>
> Problem is that I need a few other containers to be able to connect to
> this socket. But at the same time, I require containers to have different
> network namespaces...
>
> Sharing regular AF_UNIX sockets was no big deal because I could just
> bind-mount the socket path into the various containers. But these
> abstract, pathless sockets are making it hard to share.
>
> A temporary solution has been to "whitelist" this specific socket name
> inside the kernel directly, right before the namespace equal check, but
> that's an ugly workaround.
>
> Any advice about elegantly sharing abstract sockets between containers is
> gladly welcome :).

The main way that I can think of that is non-invasive with respect to the
kernel is to have a proxy process in the "server" container that also has a
filesystem-based UNIX domain socket (that you can bind mount, as usual) that
your client can call to obtain a handle to the real socket.

Your clients then send a request to the proxy for the socket handle. Your
proxy process can open and connect to the abstract socket and then return
the socket handle back to the caller using ancillary data. If you're not
familiar with that, effectively, it's a way of doing a cross-process dup()
on a file descriptor.

The key search terms you need are: cmsg sendmsg recvmsg SCM_RIGHTS

-- 
Stewart Brodie
Senior Software Engineer
Espial UK
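
The descriptor hand-off described in the reply above, as an added example that is not part of the original thread (Linux only). The function names, the abstract name `fdpass-demo`, and the `socketpair()` standing in for the bind-mounted path socket are all constructed for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

union fdbuf { char buf[CMSG_SPACE(sizeof(int))]; struct cmsghdr align; };
/* Proxy side: pass descriptor fd over the connected AF_UNIX socket chan. */
int send_fd(int chan, int fd) {
    char byte = 'F';                  /* a data byte must accompany the cmsg */
    struct iovec iov = { &byte, 1 };
    union fdbuf u = { { 0 } };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof fd);
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0) == 1 ? 0 : -1;
}

/* Client side: accept exactly one close-on-exec descriptor, else return -1. */
int recv_fd(int chan) {
    char byte;
    struct iovec iov = { &byte, 1 };
    union fdbuf u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf,
                          .msg_controllen = CMSG_LEN(sizeof(int)) }; /* room for one fd */
    int fd = -1;
    if (recvmsg(chan, &msg, MSG_CMSG_CLOEXEC) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS &&
        c->cmsg_len == CMSG_LEN(sizeof fd))
        memcpy(&fd, CMSG_DATA(c), sizeof fd);
    if ((msg.msg_flags & MSG_CTRUNC) && fd >= 0) { close(fd); fd = -1; } /* sender sent extras */
    return fd;
}

int demo(void) {  /* constructed single-process run; returns 0 on success */
    struct sockaddr_un a = { .sun_family = AF_UNIX, .sun_path = "\0fdpass-demo" };
    socklen_t len = sizeof a.sun_family + sizeof "\0fdpass-demo" - 1; /* leading NUL = abstract */
    int chan[2], srv = socket(AF_UNIX, SOCK_STREAM, 0), px = socket(AF_UNIX, SOCK_STREAM, 0);
    char got[5] = "";
    if (bind(srv, (struct sockaddr *)&a, len) || listen(srv, 1) ||
        socketpair(AF_UNIX, SOCK_STREAM, 0, chan) ||  /* stand-in for the bind-mounted socket */
        connect(px, (struct sockaddr *)&a, len) || send_fd(chan[0], px)) return -1;
    int cfd = recv_fd(chan[1]);
    if (cfd < 0 || write(cfd, "ping", 4) != 4) return -1;
    return read(accept(srv, NULL, NULL), got, 4) == 4 && !strcmp(got, "ping") ? 0 : -1;
}
```

Because the proxy hands out an already-connected descriptor, whatever process can reach the path socket gains access to the abstract service, so the permissions on the bind-mounted socket file become the access control for it.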