LXC for Ubuntu 14.04 LTS

Registered by Stéphane Graber


Over the last few years, containers have become a powerful alternative for
many use cases to full system emulation and hypervisors. They are an
important part of our overall cloud strategy, with the goals that all
non-hardware-dependent workloads be deployable the same way in a
container as anywhere else, and that root-safe containers finally
become possible.


This LTS cycle will wrap up some long term feature enablement that has taken
the entire cycle.

Blueprint information

Not started
Patricia Gaughen
Stéphane Graber
Serge Hallyn
Series goal:
Accepted for trusty
Milestone target:

Related branches



[User stories]

Alice wants her employees to deploy workloads in a lab of old machines
without having to give them root access or the equivalent.

Bob deploys his workload in several juju-spawned containers. The
host is protected by apparmor from the container, but Bob also wants
the container to be protected from any mysql potential exploits.

Charlie wants to control cgroups inside user namespace-confined containers.


Apparmor stacking is complete in 14.04.

Changes in the Linux kernel do not inhibit use of user namespaces for

Cgroup manager is completed in time.


New upstream linux kernel restrictions on user namespaces.

[In scope]

Lxc, linux kernel, apparmor, upstart.

[User acceptance]

Unprivileged users can create, run, stop, and destroy containers.

Confined containers can start dhclient under the dhclient profile.

Lxc containers can manage their cgroups using dbus-send, lxc,
and upstart.

[Work Item Notes]

[Release Note]

Users can use lightweight containers for almost any type of development, deployment and testing without being granted privilege and with minimal risk to the host.


Work Items

Work items for ubuntu-13.12:
[stgraber] reorganize default container config to use system-wide lxc.includes: DONE
[stgraber] Update python3 binding for new functions: DONE
[stgraber] Follow-up with CRIU upstream on how to get it working with LXC (won't happen for 1.0, maybe for 1.1, new plugin system should help): DONE

Work items for ubuntu-14.01:
[serge-hallyn] Integrate with the cgroup manager (3d): DONE
[serge-hallyn] Debug with the cgroup manager (2d): DONE
[serge-hallyn] Add test case for unprivileged containers support: DONE
[serge-hallyn] Test unprivileged containers support with lxc-ubuntu-cloud (.5d): DONE
[serge-hallyn] Debug existing kernel issues with unprivileged containers support with ubuntu-cloud(2d): DONE
[serge-hallyn] Talk to kernel team about more nice-to-haves (unprivileged overlayfs+mknod): DONE
[smoser] Fix some of the oustanding issues with lxc-ubuntu-cloud: TODO
[jamesodhunt] Try and integrate doxygen for the upstream liblxc documentation (and its bindings): DONE
[stgraber] Change the core pattern to forward crashes to the affected container's apport: DONE
[stgraber] Update lxc-start-ephemeral to use the clone function: POSTPONED
[stgraber] container auto-start implementation upstream: DONE
[stgraber] Try enabling all the controllers in logind: DONE
[stgraber] Shorten the cgroup path in logind so we don't get too much of a performance impact: POSTPONED

Work items for ubuntu-14.02:
[serge-hallyn] List any missing man pages (none): DONE
[serge-hallyn] Look into unprivileged overlayfs and devicens (1d): DONE
[serge-hallyn] Rewrite the existing server guide (3d): DONE
[serge-hallyn] Implement syscall-name-based seccomp policy support (1d): DONE
[serge-hallyn] Test apparmor stacked profiles (2d): POSTPONED
[stgraber] Extend our autopkgtest to leverage the upstream tests: DONE
[serge-hallyn] Update the upstart job to setup the LXC apparmor profile as a namespace (.5d): POSTPONED
[serge-hallyn] Write a generator for our apparmor deny rules (2d): DONE
[serge-hallyn] Investigate the syslog namespace and try to get things forward a bit (1d): POSTPONED
[serge-hallyn] Talk to the kernel team about ways to namespace loop devices (so they can be used in userns) (.5d): DONE

Work items for ubuntu-14.04:
[jjohansen] Provide a test PPA for stacked apparmor profiles: POSTPONED

Dependency tree

* Blueprints in grey have been implemented.