[Bug 1648056] Re: Support LXD multiple sub-uid mapping
james.page at ubuntu.com
Wed Feb 8 12:27:09 UTC 2017
Just to ensure complete transparency here: the LXD in yakkety does not
support container isolation; the LXD team provide backports of newer
stable LXD versions to all supported Ubuntu versions, so I

a) Tested with yakkety LXD:
   Driver correctly identified that the backend LXD did not support
   isolation and rejected the scheduling request.

b) Tested on yakkety with the LXD stable PPA (LXD 2.8):
   Driver detected the feature and isolated LXD containers as detailed in
Support LXD multiple sub-uid mapping
Status in OpenStack LXD Charm:
Status in Ubuntu Cloud Archive:
Status in Ubuntu Cloud Archive mitaka series:
Status in Ubuntu Cloud Archive newton series:
Status in Ubuntu Cloud Archive ocata series:
Status in nova-lxd:
Status in nova-lxd package in Ubuntu:
Status in nova-lxd source package in Xenial:
Status in nova-lxd source package in Yakkety:
Status in nova-lxd source package in Zesty:
By default, all LXD containers will run with the same subuid/subgid range, which means that if a single container is compromised, all containers on the same host are potentially compromised as well.
1. Deploy a nova-lxd based OpenStack cloud.
2. Boot multiple instances; they all share the same uid/gid mapping within a host.
3. Boot multiple instances with a flavor property of lxd:isolated; all containers have different uid/gid mappings within a host.
Minimal in nova-lxd itself; we're just adding an additional extra-spec and tweaking the container profile if the underlying LXD daemon supports the isolation feature.
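The following is an added example, not code from the bug report or from nova-lxd, that makes the impact statement above concrete from the host operator's side: it reads the per-container idmap that LXD records and reports which containers are mapped onto the same host uid/gid range. It assumes the LXD config keys `security.idmap.isolated` and `volatile.last_state.idmap` (as printed by `lxc config show <name> --expanded`) and the JSON layout of LXD's idmap entries (`Isuid`, `Isgid`, `Hostid`, `Nsid`, `Maprange`); the instance names and id ranges are constructed for the demonstration.

```python
import json
from itertools import combinations

# Constructed sample data (not from the bug report): the two config keys a
# defender would read from `lxc config show <name> --expanded` for each
# container on a compute host. "volatile.last_state.idmap" is the JSON idmap
# LXD records for a running container; "security.idmap.isolated" is the
# per-container switch that gives the container its own subuid/subgid range.
# Assumption: instance names and id ranges below are invented for the demo.
def _idmap(host_start, size):
    return json.dumps([
        {"Isuid": True, "Isgid": False, "Hostid": host_start, "Nsid": 0, "Maprange": size},
        {"Isuid": False, "Isgid": True, "Hostid": host_start, "Nsid": 0, "Maprange": size},
    ])

SAMPLE_CONTAINERS = {
    # Two default (non-isolated) instances: both mapped onto the same host range.
    "instance-0001": {"security.idmap.isolated": "false",
                      "volatile.last_state.idmap": _idmap(1000000, 65536)},
    "instance-0002": {"security.idmap.isolated": "false",
                      "volatile.last_state.idmap": _idmap(1000000, 65536)},
    # Two instances booted with the lxd:isolated flavor property: disjoint ranges.
    "instance-0003": {"security.idmap.isolated": "true",
                      "volatile.last_state.idmap": _idmap(1065536, 65536)},
    "instance-0004": {"security.idmap.isolated": "true",
                      "volatile.last_state.idmap": _idmap(1131072, 65536)},
}


def parse_idmap(config):
    """Return [(kind, nsid_start, host_start, count)] from the stored idmap JSON."""
    entries = json.loads(config.get("volatile.last_state.idmap", "[]"))
    result = []
    for e in entries:
        if e["Isuid"]:
            result.append(("uid", e["Nsid"], e["Hostid"], e["Maprange"]))
        if e["Isgid"]:
            result.append(("gid", e["Nsid"], e["Hostid"], e["Maprange"]))
    return result


def host_id_for(config, kind, nsid):
    """Host-side uid/gid that a container-side id resolves to, or None if unmapped."""
    for k, ns_start, host_start, count in parse_idmap(config):
        if k == kind and ns_start <= nsid < ns_start + count:
            return host_start + (nsid - ns_start)
    return None


def _overlaps(a, b):
    # a, b are (kind, nsid_start, host_start, count); compare the host side only.
    return a[0] == b[0] and a[2] < b[2] + b[3] and b[2] < a[2] + a[3]


def find_shared_ranges(containers):
    """Pairs of containers whose host uid or gid ranges intersect.

    A pair listed here is the situation the bug describes: root inside one
    container is the same host uid as root inside the other, so a compromise
    of one can reach the other's files on the host.
    """
    shared = []
    for a, b in combinations(sorted(containers), 2):
        for ma in parse_idmap(containers[a]):
            for mb in parse_idmap(containers[b]):
                if _overlaps(ma, mb):
                    shared.append((a, b, ma[0]))
    return shared


if __name__ == "__main__":
    for a, b, kind in find_shared_ranges(SAMPLE_CONTAINERS):
        print(f"{a} and {b} share host {kind} range")
    for name, cfg in sorted(SAMPLE_CONTAINERS.items()):
        print(name, "root -> host uid", host_id_for(cfg, "uid", 0),
              "isolated =", cfg["security.idmap.isolated"])
```

On a real host the `SAMPLE_CONTAINERS` dict would be filled from `lxc config show --expanded` output for each running instance; any pair reported by `find_shared_ranges` is a pair for which the fix above (booting with the `lxd:isolated` flavor property on an LXD that supports it) has not taken effect.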
[Original Bug Report]
LXD 2.0.6 supports use of distinct sub-uid/gid for each running container; nova-lxd has support for this upstream in all stable and master branches so we should update nova-lxd in >= Xenial to support this feature.