- "further confinement would be nice to have"

This service is used to implement both the "lxc file" set of commands and the "lxc exec" set of commands. As such it needs to be able to read and write every file on the system and must be allowed to spawn unconfined commands. I don't see how either of those can be implemented if we were to confine this. sshd is similarly not confined and that's pretty much the realm this agent is in.

- "tests to detect changes"

We do have daily tests of all our VM images which do exercise the agent. Those are run on the upstream Jenkins and will typically flag any systemd changes months before they hit Ubuntu (because of other distros being more aggressive on updating systemd).

https://jenkins.linuxcontainers.org/job/lxd-test-images/restrict=master,type=vm/ (currently failing due to issues on older distros which we're expecting to fix today/tomorrow)

- "Empty CVE history for a package a few days old doesn't actually count"

The agent binary itself has been in LXD since September and has been widely used, so while someone wouldn't have filed a CVE against "lxd-agent-loader" (and we never expect to have one on that), they would have filed one against lxd itself as the project shipping the lxd-agent binary.

- "does not have a test suite that runs at build time"
- "does not have a test suite that runs as autopkgtest"

Testing the agent is pretty tricky because you need to run the tests on a physical host (nested VMs don't work due to vsock address conflicts), so this effectively excludes the build and test environments used in Ubuntu. As mentioned above though, we do have daily testing of the agent on all distros that we have images for. Those run on dedicated physical hardware in the upstream CI environment.

--
https://bugs.launchpad.net/bugs/1868572

Title:
  [MIR] lxd-agent-loader

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com