Our devices were being created from the parent of the container's init, because we need to still be outside the container context to do it. However, this creates quite an annoyance, because those bind mounts will show up in the host /proc/mounts.
It turns out we don't really need to do it from the root side. We can do it from the container side provided we do it before we chroot - and then the host-side fs is still visible. The fact that we join a mount namespace will act to keep those mounts totally private, and exempt us from cleaning them up.
Signed-off-by: Glauber Costa <glom...@openvz.org> --- src/lib/hooks_ct.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/lib/hooks_ct.c b/src/lib/hooks_ct.c index daa85ed..7bc9814 100644 --- a/src/lib/hooks_ct.c +++ b/src/lib/hooks_ct.c @@ -306,6 +306,10 @@ static int _env_create(void *data) */ close(arg->userns_p); + if (arg->h->can_join_userns) { + create_devices(arg->h, arg->veid, arg->res->fs.root); + } + ret = ct_chroot(arg->res->fs.root); /* Probably means chroot failed */ if (ret) @@ -438,10 +442,6 @@ static int ct_env_create(struct arg_start *arg) } arg->userns_p = userns_p[0]; - if (arg->h->can_join_userns) { - create_devices(arg->h, arg->veid, arg->res->fs.root); - } - ret = clone(_env_create, child_stack, clone_flags, arg); close(userns_p[0]); if (ret < 0) { -- 1.7.11.7 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
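Review bot: in the first hunk (_env_create) the return value of create_devices() is still discarded right before `ret = ct_chroot(arg->res->fs.root);`, so a failed device setup silently falls through into the chroot and the container comes up without its device nodes; now that the call runs in the clone child instead of the parent, the failure is not observable from the parent's error path either. Suggest giving it the same treatment the hunk already shows for ct_chroot(), i.e. `ret = create_devices(arg->h, arg->veid, arg->res->fs.root);` followed by the existing `if (ret)` error handling, before attempting the chroot.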
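Review bot: the second hunk (ct_env_create) makes the "mounts stay private" guarantee depend entirely on `clone_flags` in `ret = clone(_env_create, child_stack, clone_flags, arg);` including CLONE_NEWNS, which neither the hunk nor the commit message shows; without it the bind mounts created in _env_create() land in the host mount table exactly as before, and with a shared-propagation root they can propagate back even with a new namespace. Please state the CLONE_NEWNS requirement in the commit message (or check it next to the clone() call), and it is worth noting there that the move also means a clone() failure at `if (ret < 0) {` no longer leaves device mounts behind on the host, since the old parent-side call ran before clone() and was never undone.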
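The ordering the commit message relies on (create the device bind mounts from inside the child's own mount namespace while the host filesystem is still visible, then chroot, and let the namespace take the mounts with it) as an added stand-alone C example. This is not vzctl/OpenVZ code: create_devices() is stood in for by a single bind mount of the host's /dev/null into a throwaway root under /tmp, the root path and helper names are my own, and the clone() call is assumed to carry CLONE_NEWNS, which the patch's clone_flags are not shown to include. The child additionally remounts / as MS_REC|MS_PRIVATE, a caveat a practitioner hits on hosts where the root mount is shared: a new mount namespace inherits propagation, so without that step the "private" bind mounts still propagate back into the host table. Running the demo needs root (CAP_SYS_ADMIN); mount_listed() is pure string parsing and can be exercised on a constructed mount table without privileges.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (256 * 1024)

/* Return 1 if the /proc/<pid>/mounts text (one "src target fstype opts freq
 * passno" record per line) has a record whose mount point is exactly
 * `target`, else 0. Pure string work, so it runs on a constructed table. */
int mount_listed(const char *mounts_text, const char *target)
{
    const char *line = mounts_text;

    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char rec[1024], mnt[512];

        if (len >= sizeof(rec))
            len = sizeof(rec) - 1;
        memcpy(rec, line, len);
        rec[len] = '\0';
        /* second whitespace-separated field is the mount point */
        if (sscanf(rec, "%*s %511s", mnt) == 1 && strcmp(mnt, target) == 0)
            return 1;
        line = eol ? eol + 1 : NULL;
    }
    return 0;
}

static int read_text(const char *path, char *buf, size_t size)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    buf[fread(buf, 1, size - 1, f)] = '\0';
    fclose(f);
    return 0;
}

struct ct_args {
    const char *root;   /* directory that becomes the container root */
    const char *target; /* root + "/dev/null", the bind mount target */
};

/* Clone child, already in its own mount namespace (CLONE_NEWNS). Same order
 * as the patch: set up devices while the host fs is visible, then chroot. */
static int container_init(void *p)
{
    struct ct_args *a = p;
    static char table[65536];
    int fd;

    /* Assumption: / may be a shared mount on the host. A new mount namespace
     * inherits propagation, so make our copy private before binding. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return perror("mount MS_PRIVATE"), 1;
    /* stand-in for create_devices(): bind the host's /dev/null into the root */
    fd = open(a->target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return perror("create target"), 1;
    close(fd);
    if (mount("/dev/null", a->target, NULL, MS_BIND, NULL) < 0)
        return perror("bind mount"), 1;
    /* visible in our own table, and it survives the chroot untouched */
    if (read_text("/proc/self/mounts", table, sizeof(table)) < 0 ||
        !mount_listed(table, a->target))
        return fprintf(stderr, "bind mount missing in child\n"), 1;
    if (chroot(a->root) < 0 || chdir("/") < 0)
        return perror("chroot"), 1;
    return access("/dev/null", F_OK) == 0 ? 0 : 1;
}

/* Host side: run container_init() in a new mount namespace, then verify the
 * bind mount never appeared in the host's own table. 0 on success, -1 else.
 * Needs CAP_SYS_ADMIN; root path under /tmp is an assumption of the demo. */
int run_demo(void)
{
    char root[] = "/tmp/ctroot.XXXXXX", dev_dir[256], target[256];
    static char table[65536];
    struct ct_args a;
    char *stack = malloc(STACK_SIZE);
    int pid, status, rc = -1;

    if (!stack || !mkdtemp(root))
        return perror("setup"), -1;
    snprintf(dev_dir, sizeof(dev_dir), "%s/dev", root);
    snprintf(target, sizeof(target), "%s/null", dev_dir);
    if (mkdir(dev_dir, 0755) < 0)
        return perror("mkdir"), -1;
    a.root = root;
    a.target = target;
    pid = clone(container_init, stack + STACK_SIZE, CLONE_NEWNS | SIGCHLD, &a);
    if (pid < 0)
        return perror("clone(CLONE_NEWNS)"), -1;
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status) &&
        WEXITSTATUS(status) == 0 &&
        read_text("/proc/self/mounts", table, sizeof(table)) == 0 &&
        !mount_listed(table, target))
        rc = 0; /* child succeeded and nothing leaked into the host table */
    /* no umount here: the mount went away with the child's namespace */
    free(stack);
    unlink(target);
    rmdir(dev_dir);
    rmdir(root);
    return rc;
}

int main(void)
{
    if (geteuid() != 0)
        return fprintf(stderr, "needs root: CLONE_NEWNS and mount()\n"), 1;
    return run_demo() == 0 ? 0 : 1;
}
```

The parent's check after waitpid() is the property the commit message claims: the host's /proc/self/mounts never lists the target, and no cleanup is needed because the last reference to the bind mount died with the child's namespace. Drop the MS_PRIVATE remount on a host with a shared root and the same check fails, which is why a review of the real patch should confirm both CLONE_NEWNS and the propagation setup rather than take the privacy for granted.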