[Bug 1648056] Re: Support LXD multiple sub-uid mapping
James Page
james.page at ubuntu.com
Wed Feb 8 12:27:09 UTC 2017
Just to ensure complete transparency here: the LXD in yakkety does not
support container isolation; the LXD team provide backports of newer
stable LXD versions to all supported Ubuntu versions - so I

a) Tested with yakkety LXD

   Driver correctly identified that the backend LXD did not support
   isolation and rejected the scheduling request.

b) Tested on yakkety with the LXD stable PPA (LXD 2.8)

   Driver detected the feature and isolated LXD containers as detailed in
   #21
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1648056
Title:
Support LXD multiple sub-uid mapping
Status in OpenStack LXD Charm:
Fix Released
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive mitaka series:
Fix Committed
Status in Ubuntu Cloud Archive newton series:
Fix Committed
Status in Ubuntu Cloud Archive ocata series:
Fix Released
Status in nova-lxd:
Fix Released
Status in nova-lxd package in Ubuntu:
Fix Released
Status in nova-lxd source package in Xenial:
Fix Released
Status in nova-lxd source package in Yakkety:
Fix Committed
Status in nova-lxd source package in Zesty:
Fix Released
Bug description:
[Impact]
By default, all LXD containers will run with the same subuid/subgid range, which means that if a single container is compromised, all containers on the same host are potentially compromised as well.
[Test Case]
1. deploy a nova-lxd based openstack cloud
2. boot multiple instances
   - they all share the same uid/gid mapping within a host
3. boot multiple instances with a flavor property of lxd:isolated
   - all containers have different uid/gid mappings within a host
[Regression Potential]
Minimal in nova-lxd itself; we're just adding an additional extra-spec and tweaking the container profile if the underlying LXD daemon supports the isolation feature.
[Original Bug Report]
LXD 2.0.6 supports use of distinct sub-uid/gid for each running container; nova-lxd has support for this upstream in all stable and master branches so we should update nova-lxd in >= Xenial to support this feature.
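A host-side check for the test case above, added here as an example and not part of nova-lxd or the charm: it reads each running container's /proc/<pid>/uid_map and reports pairs whose host uid ranges intersect, which is the shared-mapping condition the bug describes. It assumes the `lxc` client is on PATH, that `lxc info` prints a "Pid:" line, and that the caller can read the uid_map files.

```shell
#!/bin/sh
# Detect LXD containers that share a host-side uid range (the pre-fix default).
# Each line of /proc/<pid>/uid_map is "inside_start outside_start count";
# two containers are isolated from each other only if their outside ranges
# do not intersect.

# Exit 0 if any host-side range in uid_map text A intersects one in text B.
uid_maps_overlap() {
  printf '%s\n' "$1" | while read -r ia oa ca; do
    [ -n "$ca" ] || continue                    # skip blank lines
    printf '%s\n' "$2" | while read -r ib ob cb; do
      [ -n "$cb" ] || continue
      # [oa, oa+ca) and [ob, ob+cb) intersect when each starts before the other ends
      if [ "$oa" -lt $((ob + cb)) ] && [ "$ob" -lt $((oa + ca)) ]; then
        echo overlap
      fi
    done
  done | grep -q overlap
}

# Walk the running containers on this host and report every pair whose
# host uid ranges intersect. Assumes the `lxc` client on PATH and enough
# privilege to read /proc/<pid>/uid_map; the "Pid:" line of `lxc info` is
# matched case-insensitively because its capitalisation varies by release.
audit_lxd_idmaps() {
  tab=$(printf '\t')
  tmp=$(mktemp)
  lxc list -c n --format csv | while read -r name; do
    pid=$(lxc info "$name" | sed -n 's/^[Pp][Ii][Dd]: *//p')
    [ -n "$pid" ] || continue                   # container not running
    printf '%s\t%s\n' "$name" "$(tr '\n' ';' < "/proc/$pid/uid_map")" >> "$tmp"
  done
  i=0
  while IFS="$tab" read -r n1 m1; do
    i=$((i + 1)); j=0
    while IFS="$tab" read -r n2 m2; do
      j=$((j + 1))
      [ "$j" -gt "$i" ] || continue             # visit each pair once
      if uid_maps_overlap "$(printf '%s' "$m1" | tr ';' '\n')" \
                          "$(printf '%s' "$m2" | tr ';' '\n')"; then
        echo "SHARED idmap: $n1 <-> $n2"
      fi
    done < "$tmp"
  done < "$tmp"
  rm -f "$tmp"
}
```

Run `audit_lxd_idmaps` on a compute host before and after booting instances with the lxd:isolated flavor property: with the fix in place and an isolation-capable LXD, the isolated containers should no longer be reported as sharing a mapping.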
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-lxd/+bug/1648056/+subscriptions