Blueprint changed by Serge Hallyn:

Whiteboard changed:
- Topics:
- - apparmor: outlook for stacked profiles?
- - 12.10 work may be purely prep work in apparmor package/kernel
- - seccomp2
- - support for pre-start scripts (like initramfs)
- - support for config #includes (*1)
- - encrypted root fs support (*2)
- - switch to git back-end for UDD?
- - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm manipulation inside guests
- - /lxc-shared support through lxc config (or the OpenVZ way with a /var/lib/lxc/<container>/mount - directory used instead of /usr/lib/lxc/)
- - lxc-debconf
- - multiarch fallout - move lxc-init to /sbin?
- - expiration of cached images
- - separate lxcinit (and lxclib) into separate packages?
- - lxc postinst, choose lxcbr0 address (for nesting containers)
- - kernel features:
- - cgroup fake root
- - devices namespace, syslog namespace
- - user namespace (if ready - but likely 13.04 work)
- - lxc apport info
- - hook the high level testsuite up to a jenkins instance
- - support for fedora 17 templates (just needs to be done)
- - Make liblxc public and create initial language binding (python)
- - Export new higher level functions in the library so it's possible to easily do the same thing as the tools by just calling library functions
- - Rebase the tools on these functions, possibly converting some of the shell tools to C in the process
- - Write a python binding module (_lxc) and python module (lxc) to provide a user/scripter friendly way of accessing all of LXC's features
- - Rebase arkose on the new python module instead of the current subprocess calls.
+ User Stories:
- (*1) - may fall in nicely after a code restructuring
- (*2) - probably best done as a pre-start hook
+ [nested lxc - cgroup premount and apparmor policy]
+
+ Sallie would like to run juju with lxc on her laptop, but is afraid it
+ may meddle with her laptop's networking setup. So she runs juju inside
+ an lxc container.
+
+ [lxc-attach]
+
+ Joe finds one of his containers is not responding to the ssh port, and
+ its consoles are not working. He suspects a problem with its devpts. He
+ uses lxc-attach to run a diagnostics tool inside the container.
+
+ [user namespace - unprivileged startup]
+
+ Annie wants to test a root fs tarball sitting on her usb stick. She'd
+ like to start at least a chroot or a whole container in it. But she
+ doesn't have privileges on this machine. She creates a container with
+ private user namespace and boots the rootfs there.
+
+ [seccomp]
+
+ Zoe wants to run a flash movie inside a container, but is afraid there
+ may be a kernel system call exploit. She uses seccomp to filter out
+ the most dangerous system calls.
+
+ [hooks, /var/lib/c1/root, and #includes, openvz migration]
+
+ Munro supports a large number of containers. Most of the container
+ configuration is shared from a common #included file. When he needs
+ to make a change to all containers, he can change the common included
+ configuration file, have a loop mount new filesystems under each
+ container's root, and add lines to the pre-start hook which the common
+ configuration file defines.
+
+ [encrypted root]
+
+ Rupert wants to run an application on an instance in the cloud,
+ but would like for the next cloud user to re-use his instance's
+ disk to not be able to read the application data. He therefore
+ uses an encrypted root for the container.
+
+ [python api]
+
+ Yngwie would like to write a script to perform a particular update
+ in each container. He can use the python api to find all containers,
+ then attach to running or execute in non-running containers to
+ perform the update.
+
+ Assumptions:
+
+ seccomp gets upstream
+ user namespaces get upstream
+ setns patches get upstream
+
+ Release Notes:
+
+ unprivileged startup
+ secure nested containers
+ openvz migration
-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
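The "[hooks, #includes]" and "[seccomp]" user stories above describe a layout rather than show one. The script below is an added example, not part of the blueprint or of the lxc project's own code: it stages a shared config that every container pulls in with lxc.include, a pre-start hook that loop-mounts a per-container image under the container's root, and a seccomp policy referenced from the shared file, then expands a container's config the way liblxc does so the effective hook and policy can be checked after an edit to the shared file. Everything under $STAGE, the file names (common.conf, pre-start.sh, seccomp.policy, extra.img), and the hook's use of LXC_NAME are assumptions for the demo; the config keys use the LXC 0.8/1.x spellings (lxc.rootfs, lxc.utsname, lxc.seccomp; LXC 2.1 renamed these to lxc.rootfs.path, lxc.uts.name and lxc.seccomp.profile), and the name-based "2 / blacklist" policy syntax needs LXC 1.0 or later (LXC 0.8 took version-1 policies with syscall numbers).

```shell
#!/bin/sh
# Added example (not from the blueprint or the lxc project): a shared
# lxc.include file, a pre-start hook and a seccomp policy, plus a small
# include expander to verify what a container actually ends up with.
# $STAGE stands in for /var/lib/lxc; all paths below are assumptions.
set -eu
STAGE="${STAGE:-$(mktemp -d)}"

# write_shared_config DIR: the file every container includes. Change
# it once and every container picks the change up on next start.
write_shared_config() {
    mkdir -p "$1"
    cat > "$1/common.conf" <<EOF
# shared by all containers; edit here to change all of them
lxc.hook.pre-start = $1/pre-start.sh
lxc.seccomp = $1/seccomp.policy
lxc.cap.drop = sys_module mac_admin mac_override
EOF
    # Pre-start hook: runs on the host before the container starts.
    # LXC 1.x exports LXC_NAME and passes the name as the first argument;
    # extra.img per container is an assumed layout for the demo.
    cat > "$1/pre-start.sh" <<'EOF'
#!/bin/sh
set -e
name="${LXC_NAME:-$1}"
img="/var/lib/lxc/$name/extra.img"
mnt="/var/lib/lxc/$name/rootfs/srv"
if [ -f "$img" ] && ! mountpoint -q "$mnt"; then
    mkdir -p "$mnt"
    mount -o loop "$img" "$mnt"
fi
EOF
    chmod +x "$1/pre-start.sh"
    # Version-2 (name based, LXC >= 1.0) blacklist: deny a few calls a
    # container workload has no business making.
    cat > "$1/seccomp.policy" <<EOF
2
blacklist
kexec_load
open_by_handle_at
init_module
finit_module
delete_module
EOF
}

# write_container_config DIR NAME: only per-container settings live here.
write_container_config() {
    mkdir -p "$1/$2"
    cat > "$1/$2/config" <<EOF
lxc.include = $1/common/common.conf
lxc.utsname = $2
lxc.rootfs = $1/$2/rootfs
EOF
}

# expand_config FILE: print the effective config, following lxc.include
# lines recursively (liblxc splices included files in at that point).
expand_config() {
    while IFS= read -r line; do
        case "$line" in
            lxc.include*=*)
                inc=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                expand_config "$inc" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# effective_value NAME KEY: last value of KEY in NAME's expanded config
# (later lines win, so a container file can override the shared one).
effective_value() {
    expand_config "$STAGE/$1/config" | grep "^$2[[:space:]]*=" | tail -n1 \
        | sed 's/^[^=]*=[[:space:]]*//'
}

write_shared_config "$STAGE/common"
write_container_config "$STAGE" c1
write_container_config "$STAGE" c2
expand_config "$STAGE/c1/config"
```

Running it prints c1's expanded config; pointing effective_value at a container after editing common.conf confirms that the new hook or policy path is what lxc-start will read, which is the check worth doing before touching a large fleet.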