[Blueprint servercloud-q-lxc] Lxc work for Q

Stéphane Graber stgraber at stgraber.org
Wed Sep 19 21:33:50 UTC 2012


Blueprint changed by Stéphane Graber:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like the next cloud user who re-uses his instance's
  disk to be unable to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
  unprivileged startup
  secure nested containers
  openvz migration
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original goal of accessing the container mounts tree through /var/lib/lxc/container/root not possible.
  3. user namespace patch for lxc is up at lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work without some more kernel work, and we cannot be sure it is finalized until that work is done.  So marking it blocked for now, though it should be mostly completed.
+ 4. apport: Catching the crashes in the container and having the in-container apport triggered would require /proc/sys/kernel/core_pattern to be namespaced, it's currently blocked by apparmor and unlikely to be namespaced. Apport on the host is instead triggered, except that it fails as it's unable to locate the PID it's receiving (likely because it's receiving the pid from the container's pidns).

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc
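The "[python api]" user story above (find every container, attach to the running ones, execute in the stopped ones) can be written against the python3-lxc binding. The script below is an added example, not code from the blueprint or from the lxc project. It assumes the python3-lxc names lxc.list_containers(), lxc.Container(name), Container.running, Container.attach_wait(run, data), lxc.attach_run_command, Container.start(useinit=True, cmd=...) and Container.wait(state, timeout); the per-container state check is deliberately kept in a plain function so it can be exercised without a container host, and the command to run (`apt-get -y upgrade`) is a placeholder.

```python
"""Run one maintenance command in every lxc container.

Added example (not the blueprint's or lxc's own code). Assumes the
python3-lxc binding interface named in the lead-in; the command is a
placeholder you would replace with the update you actually want.
"""


def run_update(containers, cmd, attach_runner=None):
    """Run argv `cmd` inside each container, attach vs execute by state.

    `containers` is any iterable of objects exposing the subset of the
    python3-lxc Container interface used here: .name, .running,
    .attach_wait(run, data), .start(useinit=..., cmd=...) and
    .wait(state, timeout).  `attach_runner` is the callable handed to
    attach_wait; it defaults to lxc.attach_run_command, resolved lazily so
    the function is importable on a machine without python3-lxc.

    Returns {name: ("attach", exit_status)} for running containers and
    {name: ("execute", started_ok)} for stopped ones.
    """
    if attach_runner is None:
        import lxc  # assumption: python3-lxc is installed on the host
        attach_runner = lxc.attach_run_command

    results = {}
    for c in containers:
        if c.running:
            # Container is up: enter its namespaces (the lxc-attach path)
            # and run cmd there.  attach_wait returns the command's exit
            # status (assumed from the python3-lxc binding).
            status = c.attach_wait(attach_runner, list(cmd))
            results[c.name] = ("attach", status)
        else:
            # Container is stopped: start it with cmd as init (the
            # lxc-execute path) instead of booting its full init system,
            # then wait for it to exit so containers are handled one at a
            # time.  start() returns True on success (assumed).
            ok = c.start(useinit=True, cmd=list(cmd))
            if ok:
                c.wait("STOPPED", 600)  # 10 minute ceiling per container
            results[c.name] = ("execute", bool(ok))
    return results


def summarize(results):
    """Names of containers whose update did not succeed.

    Attach reports a process exit status (0 == success); execute reports
    whether the container could be started with the command.
    """
    failed = []
    for name, (mode, outcome) in sorted(results.items()):
        if mode == "attach" and outcome != 0:
            failed.append(name)
        elif mode == "execute" and not outcome:
            failed.append(name)
    return failed


def main():
    import lxc  # assumption: python3-lxc present, run as root on the host
    containers = [lxc.Container(n) for n in lxc.list_containers()]
    cmd = ["apt-get", "-y", "upgrade"]  # placeholder update command
    results = run_update(containers, cmd)
    for name, (mode, outcome) in sorted(results.items()):
        print("%-20s %-8s %r" % (name, mode, outcome))
    failed = summarize(results)
    if failed:
        print("failed:", ", ".join(failed))


if __name__ == "__main__":
    main()
```

Keeping the state decision in run_update means the "attach to running, execute in stopped" policy is the thing you test; the only host-specific pieces are the two lxc imports.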



More information about the Ubuntu-server-bugs mailing list