Virtualization Stack Work for Saucy

Registered by Serge Hallyn on 2013-05-13

[RATIONALE]

It is the goal of Ubuntu server to be the best platform for both cloud
guests and cloud hosts. As we are in the last cycle before an LTS,
we wish to ensure that we "push the envelope" with new features which
we want to see stabilized before LTS.

[GOAL]

To ensure we can provide the necessary cgroup flexibility To push the
core support needed to enable secure and nested containers and
unprivileged creation and start of containers. To ensure that ubuntu
server supports openstack, vmaas, and juju, serves as an ideal guest for
kvm, lxc and xen.

Blueprint information

Status:
Started
Approver:
Dave Walker
Priority:
High
Drafter:
Ubuntu Server Team
Direction:
Approved
Assignee:
Serge Hallyn
Definition:
Approved
Series goal:
Accepted for saucy
Implementation:
Good progress
Milestone target:
milestone icon ubuntu-13.10
Started by
Dave Walker on 2013-08-19

Related branches

Sprints

Whiteboard

[USER STORIES]

Abe would like to run untrusted workloads in a container.

Billy would like for his users to be able to use containers without
giving them root access.

Charlie would like to confine users with flexible cgroups.

Denise is writing an application using containers, and wants to re-use
the tested core lxc API.

Erica would like openstack-lxc users to have all the advanced features
of lxc (apparmor protection, nesting, etc).

[ASSUMPTIONS]

A fix is accepted upstream to allow user namespaces to be used alongside
XFS.

[USER ACCEPTANCE]

Set up a user with subuids and use it to create and run a container.

[RELEASE NOTE/BLOG]

User namespaces, apparmor, and seccomp are now leveraged to provide a
secure container environment.

Containers can now be created and used by unprivileged users.

There is built-in support for boot-time configuration of control
groups.

[NOTES]

Note that work items targetd to ubuntu-13.09 and ubuntu-13.10 are
targeted for completion upstream during saucy cycle, but not to
hit saucy. Note that ovmf work will not be complete upstream,
this item is to investigate and organize ("pursue").

(?)

Work Items

Work items:
[serge-hallyn] (Dwight is pushing this, but has no lp id) Push fix for XFS and user namespaces: DONE
[serge-hallyn] Fix lxc-net to be nestable with no user interaction: DONE
[serge-hallyn] Write sysctl to disable unprivileged CLONE_NEWUSER: DONE
[serge-hallyn] Exploit stacked apparmor profiles for container nesting: BLOCKED
[serge-hallyn] Ask jjohansen about any apparmor kernel/userspace packages we can put in ubuntu-lxc ppa for testing stacked (0.5): DONE
[serge-hallyn] Bisect kernel signal delivery bug affecting lxc: DONE
[serge-hallyn] Improve cgroup support in nested case: DONE
[serge-hallyn] write POC of nestable cgroup manager: POSTPONED
[serge-hallyn] Pursue subuid patchset for shadow: DONE
[serge-hallyn] Enable unprivileged container creation: DONE
[serge-hallyn] Write a privileged helper to facilitate unprivileged networked container: DONE
[serge-hallyn] Enable unprivileged container starting (network): POSTPONED
[serge-hallyn] Enable unprivileged container starting (cgroups): DONE
[serge-hallyn] Enable unprivileged container starting (complete): POSTPONED
[serge-hallyn] Add console support to API (Dwight): DONE
[serge-hallyn] Add attach support to API (Christian): DONE
[serge-hallyn] Convert create to API: DONE
[serge-hallyn] Convert stop to API: DONE
[serge-hallyn] Convert destroy to API: DONE
[serge-hallyn] List lxc programs to be converted to API (https://wiki.ubuntu.com/LxcAPIConversion): DONE
[serge-hallyn] Update locking in API to handle killed programs: DONE
[serge-hallyn] Update container creation to handle SIGKILL (using 'partial' file): DONE
[serge-hallyn] Improve thread safety in API: DONE
[serge-hallyn] Discuss upstream stable branches with upstream (sent email to list): DONE
[serge-hallyn] Get CONFIG_USER_NS=y into kernel (as soon as saucy+1 opens): POSTPONED
[serge-hallyn] Merge qemu 1.5.0: DONE
[serge-hallyn] Write loopback backingstore driver: DONE
[serge-hallyn] Write qemu-nbd backingstore driver: POSTPONED
[serge-hallyn] Investigate openvswitch bridges by default in libvirt (1): DONE
[serge-hallyn] Merge cgroup-lite into libcgroup (depends on libcgroup sysvinit scripts): POSTPONED
[serge-hallyn] Default-off support for per-user cgroup configuration at boot/login: POSTPONED
[smoser] Ensure that lxc-ubuntu-cloud can be used with cloudinit for openstack: DONE
[serge-hallyn] start live block migration testing using juju of libvirt+kvm with local storage (1): DONE
[smoser] use simplestreams to provide secure ubuntu-cloud deliver to lxc: POSTPONED
[zulcss] Merge libvirt 1.0.6: DONE
[serge-hallyn] no-change libvirt push to pick up new xen libraries (0): BLOCKED
[smb] Pick up upstream Xen-4.3 release: DONE
[smb] Refresh Debian/Ubuntu patches against Xen: DONE
[smb] Decide how to include qemu-upstream: DONE
[smb] Update packaging to allow libvirt to build the libxl driver: DONE
[smb] Unit testing with xm and xl stack (native and libvirt): DONE
[smb] Enable Xen compile for armhf: DONE
[smb] Merge xen 4.3: DONE
[zulcss] Write a nova using the lxc API: INPROGRESS

Work items for ubuntu-13.09:
[serge-hallyn] Work distro lxc tests upstream (2 @ sep 25): DONE
[serge-hallyn] Address monitor versioning in lxc (1): DONE
[zulcss] Push nova-lxc driver upstream: TODO
[serge-hallyn] Add snapshot support to API (3): DONE
[serge-hallyn] Discuss API versioning of library and (python, lua, etc) hooks at plumbers (3 @ sep 17): DONE
[serge-hallyn] complete live block migration testing (using juju?) of libvirt+kvm with local storage (1 @ sep 23): DONE
[zulcss] Follow up with Citrix's plans for xcp: TODO
[smb] PUsh xen 4.3 to archive: DONE

Work items for ubuntu-13.10:
[serge-hallyn] Pursue patch for ovmf to provide save/restore of nvvars to support boot variables (3 @ oct 7): POSTPONED
[serge-hallyn] live block migration testing using juju of libvirt+kvm with ceph (2 @ oct 2): POSTPONED
[zulcss] Fix apparmor bug preventing libvirt-lxc from mounting blockdevs: TODO

Dependency tree

* Blueprints in grey have been implemented.