Lxc work for Q

Registered by Serge Hallyn on 2012-04-17

lxc is the chosen lightweight (linux-guest-only) virtualization platform
on Ubuntu. In this cycle we wish to make containers more secure and
more flexible, increase testing and test coverage, improve administration,
and increase code reuse by making the core library reusable.

Blueprint information

Status: Complete
Approver: Dave Walker
Priority: Medium
Drafter: Ubuntu Server Team
Direction: Approved
Assignee: Serge Hallyn
Definition: Approved
Series goal: Accepted for quantal
Implementation: Implemented
Milestone target: ubuntu-12.10-beta-2
Started by: Kate Stewart on 2012-07-10
Completed by: Serge Hallyn on 2013-05-16

Whiteboard

User Stories:

[nested lxc - cgroup premount and apparmor policy]

Sallie would like to run juju with lxc on her laptop, but is afraid it
may meddle with her laptop's networking setup. So she runs juju inside
an lxc container.

[lxc-attach]

Joe finds one of his containers is not responding to the ssh port, and
its consoles are not working. He suspects a problem with its devpts. He
uses lxc-attach to run a diagnostics tool inside the container.

[user namespace - unprivileged startup]

Annie wants to test a root fs tarball sitting on her usb stick. She'd
like to start at least a chroot or a whole container in it. But she
doesn't have privileges on this machine. She creates a container with
private user namespace and boots the rootfs there.

[seccomp]

Zoe wants to run a flash movie inside a container, but is afraid there
may be a kernel system call exploit. She uses seccomp to filter out
the most dangerous system calls.

[hooks, /var/lib/c1/root, and #includes, openvz migration]

Munro supports a large number of containers. Most of the container
configuration is shared from a common #included file. When he needs
to make a change to all containers, he can change the common included
configuration file, have a loop mount new filesystems under each
container's root, and add lines to the pre-start hook which the common
configuration file defines.

[encrypted root]

Rupert wants to run an application on an instance in the cloud,
but would like for the next cloud user to re-use his instance's
disk to not be able to read the application data. He therefore
uses an encrypted root for the container.

[python api]

Yngwie would like to write a script to perform a particular update
in each container. He can use the python api to find all containers,
then attach to running or execute in non-running containers to
perform the update.

Assumptions:

seccomp gets upstream
user namespaces get upstream
setns patches get upstream

Release Notes:

* unprivileged startup (POSTPONED)
* secure nested containers (POSTPONED)
* Migration of containers from openvz to lxc has been eased with the addition of hooks at various points in a container's lifetime.
* Customization of container security profiles has been eased by a reorganization of the apparmor profiles.
* Nesting of containers has been made easier with custom apparmor profiles.
* Improved container security with support for seccomp2 profiles and
simple ecryptfs-backed containers.
* Improved container automation with a new python lxc API.

WI notes:

1. seccomp work in lxc is blocked until seccomp is packaged.
2. pivot_root is not possible into a MS_SHARED directory, making our original goal of accessing the container mounts tree through /var/lib/lxc/container/root not possible.
3. user namespace patch for lxc is up at lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns. However, it cannot work without some more kernel work, and we cannot be sure it is finalized until that work is done. So marking it blocked for now, though it should be mostly completed.
4. apport: Catching the crashes in the container and having the in-container apport triggered would require /proc/sys/kernel/core_pattern to be namespaced; it's currently blocked by apparmor and unlikely to be namespaced. Apport on the host is triggered instead, except that it fails as it's unable to locate the PID it's receiving (likely because it's receiving the pid from the container's pidns).
5. removed userns items as that is tracked in its own blueprint.


Work items:
[stgraber] Review list of extra packages in lxc-ubuntu and have it contain the right list for each release: DONE
[cooloney] check that all new cgroups are enabled in quantal kernel: DONE
[serge-hallyn] pre-mount cgroups during container startup (using optional mount hook): DONE
[serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
[serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
[serge-hallyn] add smack support to lsm set: POSTPONED
[serge-hallyn] add selinux support to lsm set: POSTPONED
[kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
[serge-hallyn] exploit libseccomp in lxc-start: DONE
[serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
[apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
[ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
[serge-hallyn] write a patch for lxc to use user namespaces: POSTPONED
[ebiederm] patch adduser: POSTPONED
[ebiederm] push userns patches to allow containers to mount, pivot_root, and rename nics: DONE
[ebiederm] get setns(mnt) upstream: DONE
[ebiederm] get setns(pid) upstream: POSTPONED
[serge-hallyn] extend lxc-attach to support attaching only to specific namespaces (done by community): DONE
[stgraber] add the lxc-nesting apparmor profile to the package in quantal: DONE
[serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git repo for review): DONE
[stgraber] write the hookpoints and send to the lxc-devel list for review: DONE
[serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
[serge-hallyn] implement configuration file #includes (stretch goal): DONE
[serge-hallyn] example for encrypted root in the package README and blog: DONE
[serge-hallyn] investigate post commit hook to email out changes: DONE
[serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
[serge-hallyn] apport hook for lxc bugs: DONE
[stgraber] where do crashes in the container go (they're caught by the kernel core_pattern and sent to the host which fails to parse them as apport isn't lxc aware): DONE
[james-page] hook testing up to jenkins: POSTPONED
[serge-hallyn] convert the test suite to utah: DONE
[serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to work (stretch goal): POSTPONED
[stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
[stgraber] Create python module using the API: DONE
[serge-hallyn] server guide 12.10 update for API: DONE
[serge-hallyn] server guide 12.10 update for hooks: DONE
[serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
[serge-hallyn] server guide 12.10 update apparmor changes: DONE
[serge-hallyn] server guide 12.10 update for using seccomp: DONE
