Understanding lxcfs: Isolating /proc and /sys in Containers

lxcfs is a user‑space filesystem built on FUSE that isolates the /proc and /sys virtual files presented inside a container from the host, allowing commands like top and free to show container‑specific statistics.

The article explains the motivation, describes how lxcfs mounts a directory (e.g., /var/lib/lxcfs) and forwards file operations to the kernel via FUSE callbacks, and shows the main FUSE operation table used by lxcfs.

Key implementation details are illustrated with code snippets such as the constructor function that registers cgroup controllers, the read handler that dispatches to do_cg_read , do_proc_read or do_sys_read , and the logic for reading the cpuonline file from the host cgroup hierarchy.

static void __attribute__((constructor)) collect_and_mount_subsystems(void) {
    // ... initialization and mounting of cgroup controllers ...
}

static int lxcfs_read(const char *path, char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
    if (strncmp(path, "/cgroup", 7) == 0) {
        up_users();
        ret = do_cg_read(path, buf, size, offset, fi);
        down_users();
        return ret;
    }
    if (strncmp(path, "/proc", 5) == 0) {
        up_users();
        ret = do_proc_read(path, buf, size, offset, fi);
        down_users();
        return ret;
    }
    if (strncmp(path, "/sys", 4) == 0) {
        up_users();
        ret = do_sys_read(path, buf, size, offset, fi);
        down_users();
        return ret;
    }
    return -EINVAL;
}

The cpuonline implementation obtains the container’s cgroup, reads the CPU quota and period, determines the effective CPU count, and formats the result as "0‑N" where N is the visible CPUs.

int max_cpu_count(const char *cg) {
    int rv, nprocs;
    int64_t cfs_quota, cfs_period;
    // read quota and period from cpu.cfs_quota_us and cpu.cfs_period_us
    // compute rv = cfs_quota / cfs_period, adjust for remainder, limit by system CPUs
    return rv;
}

For load average, lxcfs runs a daemon that periodically scans each container’s task list, counts runnable tasks, updates exponential‑moving‑average values, and stores them in a hash table.

static int refresh_load(struct load_node *p, char *path) {
    // iterate over /proc/
/task directories
    // count tasks in state R or D
    // update p->avenrun[0..2] using calc_load()
    return sum;
}

The proc_loadavg_read function retrieves the cached values, formats them according to the /proc/loadavg convention, and falls back to the host file when the container’s cgroup cannot be resolved.

static int proc_loadavg_read(char *buf, size_t size, off_t offset, struct fuse_file_info *fi) {
    // look up container cgroup, locate node in hash table
    // if first read, create node and initialize values
    // format cached load averages into buf
    // handle offset/size logic
    return total_len;
}

Overall, the article provides a detailed walkthrough of how lxcfs achieves per‑container isolation of system metrics, which is essential for accurate monitoring and resource management in containerized environments.