Blueprint changed by Serge Hallyn:

Whiteboard changed:

User Stories:

[nested lxc - cgroup premount and apparmor policy]
Sallie would like to run juju with lxc on her laptop, but is afraid it may meddle with her laptop's networking setup. So she runs juju inside an lxc container.

[lxc-attach]
Joe finds one of his containers is not responding on the ssh port, and its consoles are not working. He suspects a problem with its devpts. He uses lxc-attach to run a diagnostics tool inside the container.

[user namespace - unprivileged startup]
Annie wants to test a root fs tarball sitting on her usb stick. She'd like to start at least a chroot, or a whole container, in it. But she doesn't have privileges on this machine. She creates a container with a private user namespace and boots the rootfs there.

[seccomp]
Zoe wants to run a flash movie inside a container, but is afraid there may be a kernel system call exploit. She uses seccomp to filter out the most dangerous system calls.

[hooks, /var/lib/c1/root, and #includes, openvz migration]
Munro supports a large number of containers. Most of the container configuration is shared from a common #included file. When he needs to make a change to all containers, he can change the common included configuration file, have a loop mount new filesystems under each container's root, and add lines to the pre-start hook which the common configuration file defines.

[encrypted root]
Rupert wants to run an application on an instance in the cloud, but would like the next cloud user who re-uses his instance's disk to be unable to read the application data. He therefore uses an encrypted root for the container.

[python api]
Yngwie would like to write a script to perform a particular update in each container. He can use the python api to find all containers, then attach to running containers or execute in non-running containers to perform the update.
Assumptions:
 - seccomp gets upstream
 - user namespaces get upstream
 - setns patches get upstream

Release Notes:
 - unprivileged startup
 - secure nested containers
 - openvz migration
+
+ WI notes:
+
+ 1. seccomp work in lxc is blocked until seccomp is packaged.
+ 2. pivot_root is not possible into a MS_SHARED directory, making our original goal of accessing the container mounts tree through /var/lib/lxc/container/root not possible.
--
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
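The "[seccomp]" user story above says only that the dangerous system calls get filtered out. What follows is an added example of what such a filter looks like at the kernel interface; it is not code from the blueprint or from lxc, and it does not use any lxc configuration. It installs a raw seccomp-bpf denylist with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER) after setting PR_SET_NO_NEW_PRIVS, so it works without privileges, and it pins the filter to the build architecture so syscall numbers from another ABI cannot be misread. The particular syscalls denied (mount, ptrace, kexec_load, init_module, delete_module) are an illustrative choice, not a vetted policy; the helper names install_denylist and child_killed_by_filter are this example's own.

```c
/* Added example: a minimal seccomp-bpf denylist of the kind the "[seccomp]"
 * user story describes. Not from the blueprint or from lxc. Linux only.
 * The denylisted syscalls are illustrative, not a reviewed policy. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

extern long syscall(long number, ...);

/* Pin the filter to the ABI we were compiled for; otherwise syscall numbers
 * from a compat ABI (e.g. i386 on an x86_64 kernel) would be misinterpreted. */
#if defined(__x86_64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Two BPF instructions: if the loaded syscall number equals nr, kill. */
#define DENY_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)

/* Install a filter that kills the calling process on the denylisted syscalls
 * and allows everything else. Returns 0 on success, -1 on failure (errno set). */
int install_denylist(void)
{
    struct sock_filter filter[] = {
        /* Refuse any syscall made through an unexpected architecture/ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the denylist. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        DENY_SYSCALL(SYS_mount),
        DENY_SYSCALL(SYS_ptrace),
        DENY_SYSCALL(SYS_kexec_load),
        DENY_SYSCALL(SYS_init_module),
        DENY_SYSCALL(SYS_delete_module),
        /* Default: allow. A real policy for untrusted code would allowlist instead. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = filter,
    };

    /* Required before an unprivileged process may install a filter; it also
     * stops setuid binaries from running with the filter as a confused deputy. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Self-check: fork a child, install the filter there and have it issue
 * syscall nr. Returns 1 if the child was killed by SIGSYS (filter fired),
 * 0 if it exited normally (syscall allowed or filter not installed),
 * -1 if fork/waitpid failed. */
int child_killed_by_filter(long nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_denylist() != 0)
            _exit(2);
        /* The arguments do not matter: the filter decides on the number alone,
         * and a denied call is killed before the kernel looks at them. */
        syscall(nr, 0, 0, 0, 0);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) ? 1 : 0;
}

int main(void)
{
    printf("getpid allowed:  %s\n", child_killed_by_filter(SYS_getpid) == 0 ? "yes" : "no");
    printf("ptrace denied:   %s\n", child_killed_by_filter(SYS_ptrace) == 1 ? "yes" : "no");
    printf("mount denied:    %s\n", child_killed_by_filter(SYS_mount) == 1 ? "yes" : "no");
    return 0;
}
```

Note the order of the two prctl calls: PR_SET_NO_NEW_PRIVS must come first or PR_SET_SECCOMP fails with EACCES for an unprivileged caller. SECCOMP_RET_KILL terminates with SIGSYS, which is what the self-check looks for; a production filter for a media player would more likely use an allowlist with SECCOMP_RET_ERRNO for the calls it expects to see and reserve kill for the rest.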