[Blueprint servercloud-q-lxc] Lxc work for Q
Serge Hallyn
serge.hallyn at ubuntu.com
Thu May 17 18:01:21 UTC 2012
Blueprint changed by Serge Hallyn:
Whiteboard changed:
- Topics:
- - apparmor: outlook for stacked profiles?
- - 12.10 work may be purely prep work in apparmor package/kernel
- - seccomp2
- - support for pre-start scripts (like initramfs)
- - support for config #includes (*1)
- - encrypted root fs support (*2)
- - switch to git back-end for UDD?
- - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm manipulation inside guests
- - /lxc-shared support through lxc config (or the OpenVZ way with a /var/lib/lxc/<container>>/mount
- directory used instead of /usr/lib/lxc/)
- - lxc-debconf
- - multiarch fallout - move lxc-init to /sbin?
- - expiration of cached images
- - separate lxcinit (and lxclib) into separate packages?
- - lxc postinst, choose lxcbr0 address (for nesting containers)
- - kernel features:
- - cgroup fake root
- - devices namespace, syslog namespace
- - user namespace (if ready - but likely 13.04 work)
- - lxc apport info
- - hook the high level testsuite up to a jenkins instance
- - support for fedora 17 templates (just needs to be done)
- - Make liblxc public and create initial language binding (python)
- - Export new higher level functions in the library so it's possible to easily do the same thing as the tools by just calling library functions
- - Rebase the tools on these functions, possibly converting some of the shell tools to C in the process
- - Write a python binding module (_lxc) and python module (lxc) to provide a user/scripter friendly way of accessing all of LXC's features
- - Rebase arkose on the new python module instead of the current subprocess calls.
+ User Stories:
- (*1) - may fall in nicely after a code restructuring
- (*2) - probably best done as a pre-start hook
+ [nested lxc - cgroup premount and apparmor policy]
+
+ Sallie would like to run juju with lxc on her laptop, but is afraid it
+ may meddle with her laptop's networking setup. So she runs juju inside
+ an lxc container.
+
+ [lxc-attach]
+
+ Joe finds one of his containers is not responding to the ssh port, and
+ its consoles are not working. He suspects a problem with its devpts. He
+ uses lxc-attach to run a diagnostics tool inside the container.
+
+ [user namespace - unprivileged startup]
+
+ Annie wants to test a root fs tarball sitting on her usb stick. She'd
+ like to start at least a chroot or a whole container in it. But she
+ doesn't have privileges on this machine. She creates a container with
+ private user namespace and boots the rootfs there.
+
+ [seccomp]
+
+ Zoe wants to run a flash movie inside a container, but is afraid there
+ may be a kernel system call exploit. She uses seccomp to filter out
+ the most dangerous system calls.
+
+ [hooks, /var/lib/c1/root, and #includes, openvz migration]
+
+ Munro supports a large number of containers. Most of the container
+ configuration is shared from a common #included file. When he needs
+ to make a change to all containers, he can change the common included
+ configuration file, have a loop mount new filesystems under each
+ container's root, and add lines to the pre-start hook which the common
+ configuration file defines.
+
+ [encrypted root]
+
+ Rupert wants to run an application on an instance in the cloud,
+ but would like for the next cloud user to re-use his instance's
+ disk to not be able to read the application data. He therefore
+ uses an encrypted root for the container.
+
+ [python api]
+
+ Yngwie would like to write a script to perform a particular update
+ in each container. He can use the python api to find all containers,
+ then attach to running or execute in non-running containers to
+ perform the update.
+
+ Assumptions:
+
+ seccomp gets upstream
+ user namespaces get upstream
+ setns patches get upstream
+
+ Release Notes:
+
+ unprivileged startup
+ secure nested containers
+ openvz migration
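Review bot: the Release Notes entry "secure nested containers" is not backed by the Assumptions, which list only seccomp, user namespaces and setns landing upstream; the [nested lxc - cgroup premount and apparmor policy] story depends on the apparmor side, and the removed Topics line "apparmor: outlook for stacked profiles?" was the only place that dependency was tracked, so either add an assumption for stacked apparmor profiles or qualify that release note. Also, the [seccomp] story describes a denylist ("filter out the most dangerous system calls"); stating the policy as an allowlist of the syscalls the container actually needs would make the story match what seccomp can credibly promise.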
--
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc
More information about the Ubuntu-server-bugs mailing list