LXC work for R

User Stories:

Joe wants to deploy a container, but is afraid of root in the container adversely affecting the host. By running the container in a user namespace and with seccomp, the host exposure is greatly reduced.

Risks:

Syslog kernel ns rejected upstream.

User namespace kernel delta delayed upstream.

kernel setns() patches delayed or rejected upstream.

Apparmor lxc-related work delayed.

Test Plans:

An lxc testsuite, hooked into the server set of UTAH tests, will be deployed on each package release.

The lxc api will be leveraged to add more build-time tests.

(Decide for which features tests make sense and are feasible)

Release Note:

User namespaces are available as a tech preview. Fully usable Ubuntu containers can be created, sandboxed inside a user namespace. These are not yet recommended for deployment.

Notes:
   lxc-attach functionality for all namespaces except user is in the user namespace patchset. However lxc-attach needs a patch to switch to the container's apparmor profile.
   Syslog ns design wiki page is at https://wiki.ubuntu.com/LxcSyslogNs
   Syslog ns will be sent to kernel team only if/when it appears headed upstream, so that is blocked pending lkml discussions.

Work items:
[stgraber] Look into shipping logind with cgroup support by defaut: POSTPONED
[serge-hallyn] put utah testcases in upstream tests/ubuntu: POSTPONED
[zulcss] start a libvirt driver for upstream lxc: POSTPONED
[serge-hallyn] Send user namespace delta to kernel-team ASAP: DONE
[serge-hallyn] Post syslog namespace design wiki page: DONE
[serge-hallyn] Send syslog namespace prototype to lkml: DONE
[serge-hallyn] Send syslog namespace description to kernel-team ASAP: DONE
[serge-hallyn] Add set_cgroup_item() and get_cgroup_item() to C API: DONE
[daniel-lezcano] Improved monitor notification support: POSTPONED
[stgraber] Fix lxc-ls (re-write using api): DONE
[serge-hallyn] lxc-create or template option to specify userns mapping: POSTPONED
[serge-hallyn] push user namespace lxc delta upstream: DONE
[serge-hallyn] add config options for loglevel and output file: DONE
[serge-hallyn] drop lxccontainer.log default logging in api: DONE
[serge-hallyn] lxc-create - set a default log file in /var/log/lxc/$container: DONE
[serge-hallyn] lxc.autodev: push lxc patch upstream: DONE
[serge-hallyn] lxc.autodev: push lxc patch into package: DONE
[serge-hallyn] lxc.autodev: push mountall patch into package: DONE
[serge-hallyn] list broken functionality in ubuntu container in user namespace: POSTPONED
[serge-hallyn] improve ubuntu container experience in user namespace: POSTPONED
[serge-hallyn] add config option for RLIMIT_NPROC in userns container: POSTPONED
[stgraber] add (not container) to upstart jobs which just fail: DONE
[stgraber] write tool to pass devices into container: DONE
[stgraber] create a separate package for templates: DONE
[stgraber] have lxc-create record the name of template used in container config file for debugging: DONE
[stgraber] support templates outside of $templatedir (pushed to git): DONE
[stgraber] investigate what's needed to support containers outside of /var/lib/lxc (part of the scheduled API work): DONE
[serge-hallyn] test apparmor profile stacking; implement any lxc changes needed to support it: BLOCKED
[stgraber] rebase staging branch on upstream master: DONE
[serge-hallyn] test attach support in userns kernel; shout if anything missing: DONE
[daniel-lezcano] investigate/use http://lxc.sourceforge.net/download/procfs to filter /proc/{cpuinfo,meminfo,etc}: POSTPONED
[stgraber] investigate: does dnsmasq save mac->ip across host reboots? (it does): DONE
[stgraber] Port arkose to python3 (and make it pep8 clean): DONE
[stgraber] Port arkose to python3-lxc: BLOCKED
[stgraber] Port auto-dist-upgrader to python3-lxc: DONE
[stgraber] Tweak the tests to ensure auto-dist-upgrader on LXC gives the same results as on kvm: DONE
[stgraber] Check what it'd take to make lxc work fine when creating/starting/stopping containers in parallel (improved locking of templates): DONE
[stgraber] Add code to detect and install langpacks in containers (at least -base-en): DONE
[stgraber] Get LXC into main: INPROGRESS
[ebiederm] Push current userns patchset upstream: DONE
[ebiederm] Add support for tmpfs mounts in userns: POSTPONED