LXC work for R

Registered by Serge Hallyn

lxc is the chosen lightweight (linux-guest-only) virtualization platform on Ubuntu.

Blueprint information

Dave Walker
Ubuntu Server
Serge Hallyn
Series goal: Accepted for raring
Milestone target: ubuntu-13.04
Started by: Serge Hallyn
Completed by: Serge Hallyn


User Stories:

Joe wants to deploy a container, but is afraid of root in the container adversely affecting the host. Running the container in a user namespace and with seccomp greatly reduces the host's exposure.


Syslog kernel ns rejected upstream.

User namespace kernel delta delayed upstream.

kernel setns() patches delayed or rejected upstream.

Apparmor lxc-related work delayed.

Test Plans:

An lxc testsuite, hooked into the server set of UTAH tests, will be deployed on each package release.

The lxc api will be leveraged to add more build-time tests.

(Decide for which features tests make sense and are feasible)

Release Note:

User namespaces are available as a tech preview. Fully usable Ubuntu containers can be created, sandboxed inside a user namespace. These are not yet recommended for deployment.

lxc-attach functionality for all namespaces except user is in the user namespace patchset. However, lxc-attach needs a patch to switch to the container's apparmor profile.
The syslog ns design wiki page is at https://wiki.ubuntu.com/LxcSyslogNs
Syslog ns will be sent to the kernel team only if/when it appears headed upstream, so that is blocked pending lkml discussions.


Work Items

[stgraber] Look into shipping logind with cgroup support by default: POSTPONED
[serge-hallyn] put utah testcases in upstream tests/ubuntu: POSTPONED
[zulcss] start a libvirt driver for upstream lxc: POSTPONED
[serge-hallyn] Send user namespace delta to kernel-team ASAP: DONE
[serge-hallyn] Post syslog namespace design wiki page: DONE
[serge-hallyn] Send syslog namespace prototype to lkml: DONE
[serge-hallyn] Send syslog namespace description to kernel-team ASAP: DONE
[serge-hallyn] Add set_cgroup_item() and get_cgroup_item() to C API: DONE
[daniel-lezcano] Improved monitor notification support: POSTPONED
[stgraber] Fix lxc-ls (re-write using api): DONE
[serge-hallyn] lxc-create or template option to specify userns mapping: POSTPONED
[serge-hallyn] push user namespace lxc delta upstream: DONE
[serge-hallyn] add config options for loglevel and output file: DONE
[serge-hallyn] drop lxccontainer.log default logging in api: DONE
[serge-hallyn] lxc-create - set a default log file in /var/log/lxc/$container: DONE
[serge-hallyn] lxc.autodev: push lxc patch upstream: DONE
[serge-hallyn] lxc.autodev: push lxc patch into package: DONE
[serge-hallyn] lxc.autodev: push mountall patch into package: DONE
[serge-hallyn] list broken functionality in ubuntu container in user namespace: POSTPONED
[serge-hallyn] improve ubuntu container experience in user namespace: POSTPONED
[serge-hallyn] add config option for RLIMIT_NPROC in userns container: POSTPONED
[stgraber] add (not container) to upstart jobs which just fail: DONE
[stgraber] write tool to pass devices into container: DONE
[stgraber] create a separate package for templates: DONE
[stgraber] have lxc-create record the name of template used in container config file for debugging: DONE
[stgraber] support templates outside of $templatedir (pushed to git): DONE
[stgraber] investigate what's needed to support containers outside of /var/lib/lxc (part of the scheduled API work): DONE
[serge-hallyn] test apparmor profile stacking; implement any lxc changes needed to support it: BLOCKED
[stgraber] rebase staging branch on upstream master: DONE
[serge-hallyn] test attach support in userns kernel; shout if anything missing: DONE
[daniel-lezcano] investigate/use http://lxc.sourceforge.net/download/procfs to filter /proc/{cpuinfo,meminfo,etc}: POSTPONED
[stgraber] investigate: does dnsmasq save mac->ip across host reboots? (it does): DONE
[stgraber] Port arkose to python3 (and make it pep8 clean): DONE
[stgraber] Port arkose to python3-lxc: BLOCKED
[stgraber] Port auto-dist-upgrader to python3-lxc: DONE
[stgraber] Tweak the tests to ensure auto-dist-upgrader on LXC gives the same results as on kvm: DONE
[stgraber] Check what it'd take to make lxc work fine when creating/starting/stopping containers in parallel (improved locking of templates): DONE
[stgraber] Add code to detect and install langpacks in containers (at least -base-en): DONE
[stgraber] Get LXC into main: INPROGRESS
[ebiederm] Push current userns patchset upstream: DONE
[ebiederm] Add support for tmpfs mounts in userns: POSTPONED
