
How LXCFS Enables Accurate /proc Views in PouchContainer: A Deep Dive

Starting from version 0.3.0, PouchContainer integrates the open‑source LXCFS FUSE filesystem to isolate /proc views inside containers, allowing existing monitoring and deployment tools to read container‑specific metrics without modification. This article covers the use cases, command‑line integration, and stability improvements.

Alibaba Cloud Native

PouchContainer is an Alibaba open‑source container runtime (latest version 0.3.0, source at https://github.com/alibaba/pouch). By default, containers inherit the host’s /proc filesystem, so tools that read /proc/meminfo, /proc/cpuinfo, etc. see host‑level information, which breaks monitoring and resource‑aware applications.

Why LXCFS is needed

LXCFS (https://github.com/lxc/lxcfs) is an open‑source FUSE filesystem that provides per‑container /proc view isolation, making the container behave like a VM for tools that rely on /proc.

Monitoring tools such as Alibaba’s tsar (https://github.com/alibaba/tsar) read /proc/cpuinfo, /proc/meminfo, /proc/diskstats. When these tools run inside a container that still sees the host’s /proc, they cannot report container‑specific metrics, forcing rewrites.

Demonstration on Ubuntu

Running PouchContainer 0.3.0 on an Ubuntu VM without LXCFS shows that /proc files inside the container reflect host values, even when the container is limited to 50 MiB of memory:

# systemctl start pouch
# head -n 5 /proc/meminfo
MemTotal:        2039520 kB
MemFree:         203028 kB
MemAvailable:    777268 kB
Buffers:         239960 kB
Cached:          430972 kB
# cat /proc/uptime
2594341.81 2208722.33
# pouch run -m 50m -it registry.hub.docker.com/library/busybox:1.28
# head -n 5 /proc/meminfo
MemTotal:        2039520 kB   # still host total
MemFree:         189096 kB
...

After starting LXCFS, launching the PouchContainer daemon (pouchd) with the --enable-lxcfs flag, and running the container with --enableLxcfs, the same commands report container‑specific values:

# systemctl start lxcfs
# pouchd -D --enable-lxcfs --lxcfs /usr/bin/lxcfs &
# pouch run --enableLxcfs -it -m 50m registry.hub.docker.com/library/busybox:1.28
# head -n 5 /proc/meminfo
MemTotal:        51200 kB
MemFree:         50804 kB
MemAvailable:    50804 kB
Buffers:         0 kB
Cached:          4 kB
# cat /proc/uptime
10.00 10.00

Integrating LXCFS into PouchContainer

PouchContainer has supported LXCFS since version 0.1.0. The integration uses bind mounts to map files from the host’s LXCFS export directory (/var/lib/lxc/lxcfs/proc/…) into the container’s /proc tree. The essential mount options are:

-v /var/lib/lxc/:/var/lib/lxc/:shared
-v /var/lib/lxc/lxcfs/proc/uptime:/proc/uptime
-v /var/lib/lxc/lxcfs/proc/swaps:/proc/swaps
-v /var/lib/lxc/lxcfs/proc/stat:/proc/stat
-v /var/lib/lxc/lxcfs/proc/diskstats:/proc/diskstats
-v /var/lib/lxc/lxcfs/proc/meminfo:/proc/meminfo
-v /var/lib/lxc/lxcfs/proc/cpuinfo:/proc/cpuinfo

The pouch create and pouch run commands expose a short flag --enableLxcfs that automatically adds the required -v bind‑mounts.

Stability improvements

When LXCFS restarts, it recreates /proc and cgroup mounts, which can cause a “connect failed” error inside containers. A refinement (PR https://github.com/alibaba/pouch/pull/885) moves LXCFS management to systemd, adding an ExecStartPost step that remounts the filesystem and re‑mounts it inside all containers that use LXCFS, eliminating the error.
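
A check for the two failure states described above (a /proc file that still shows the host view, and an LXCFS mount left unreadable after a restart), as an added example that is not PouchContainer or LXCFS code. It assumes LXCFS mounts are listed in /proc/self/mountinfo with filesystem type fuse.lxcfs; the function name lxcfs_audit and its state names are hypothetical.

```shell
#!/bin/sh
# Added example: audit which /proc files in a container are LXCFS-backed.
# The file list is taken from the bind mounts shown in the article.
LXCFS_FILES="uptime swaps stat diskstats meminfo cpuinfo"

# lxcfs_audit [MOUNTINFO] [PROCROOT]
# Prints one line per file: "<path> <state>", where state is
#   ok        - mounted from a fuse.lxcfs filesystem and readable
#   host-view - no LXCFS mount on the path, so host values are visible
#   stale     - LXCFS mount present but unreadable (e.g. after an LXCFS restart)
# Returns non-zero if any file is not "ok".
# Assumption: LXCFS mounts report fstype "fuse.lxcfs" in mountinfo.
lxcfs_audit() {
    mountinfo="${1:-/proc/self/mountinfo}"
    procroot="${2:-/proc}"
    rc=0
    for name in $LXCFS_FILES; do
        # Field 5 is the mount point; the fstype follows the "-" separator.
        # The last matching line wins, because later mounts shadow earlier ones.
        fstype=$(awk -v mp="/proc/$name" '
            $5 == mp {
                fs = ""
                for (i = 7; i <= NF; i++)
                    if ($i == "-") { fs = $(i + 1); break }
            }
            END { print fs }' "$mountinfo")
        if [ "$fstype" != "fuse.lxcfs" ]; then
            state=host-view
        elif ! head -c 1 "$procroot/$name" >/dev/null 2>&1; then
            state=stale
        else
            state=ok
        fi
        [ "$state" = ok ] || rc=1
        echo "/proc/$name $state"
    done
    return $rc
}
```

Run lxcfs_audit with no arguments inside the container; both arguments exist so the check can be exercised against a saved mountinfo file and a test directory.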

Conclusion

Supporting LXCFS gives PouchContainer per‑container /proc view isolation, eliminating the need to modify existing monitoring, deployment, or runtime tools when migrating workloads to containers. This accelerates the transition from traditional virtualization to container‑based architectures.
