[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-27 Thread Martin Pitt
Indeed it does! I just ran a complete test with this on the server:

   socat TCP-LISTEN:8443,fork UNIX-CLIENT:/var/lib/lxd/unix.socket &

and this on the client:

  socat UNIX-LISTEN:/var/lib/lxd/unix.socket,unlink-early,mode=666,fork TCP:10.43.42.59:8443 &

After two or three runs lxd locks up and needs to be restarted, but that
happens with the "real" port and locally too, so that's a separate issue
(bug 1531768). So I think this is working.

Should we close this bug (which so far was really a support request,
thanks!), or keep it open for making this easier/more obvious in lxd?
Like an "lxc config set core.remote unsafe" option?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1538174

Title:
  ways to speed up overhead of "lxc exec" on remote containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1538174/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-27 Thread Stéphane Graber
Unless we get more justified requests (performance in safe environment
like yours), I'd rather we don't make it easy for people to configure a
completely unsafe LXD.

I'm a bit worried about people jumping on such an option as an alternative
to writing code that talks to our unix socket (for local use case)
because most languages make you jump through a few hoops to get http
over unix socket working. The last thing I want to see is publicly
exposed LXDs with an unauthenticated API!

Based on recent support requests on IRC, I've seen about 50% of our
users running with LXD exposed to the network on a machine with public
IPs. I don't know if they had a firewall in front of it or not, but if
not, then I sure am glad that we've been pretty paranoid with our TLS
requirements :)


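Added example, not part of the original thread and not LXD's own code: the "few hoops" for HTTP over a unix socket, done with Python's standard library, for local code that talks to the socket directly instead of a TCP relay. UnixHTTPConnection and lxd_get are hypothetical names; the socket path is the one used in the thread, and /1.0 is the API root.

```python
import http.client
import json
import socket

LXD_SOCKET = "/var/lib/lxd/unix.socket"  # path used in the thread


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that connects to a unix socket instead of host:port."""

    def __init__(self, socket_path, timeout=10):
        # The host is only used for the Host: header; no TCP connection is made.
        super().__init__("localhost", timeout=timeout)
        self.socket_path = socket_path

    def connect(self):
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.settimeout(self.timeout)
        sock.connect(self.socket_path)  # access is governed by file permissions
        self.sock = sock


def lxd_get(path, socket_path=LXD_SOCKET):
    """GET an API path over the unix socket; return (status, decoded JSON)."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()


if __name__ == "__main__":
    # Needs a local LXD and membership in the group that owns the socket.
    print(lxd_get("/1.0"))
```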

[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-27 Thread Stéphane Graber
For those not aware, having access to the LXD API is basically
equivalent (straightforward path) to root on the physical host, so it's
something which must be very closely guarded. I have no doubt that
Martin knows what he's doing and I'm happy that socat makes it
reasonably simple to do what he wants, I'm just very worried about less
knowledgeable users who will follow an easy recipe online somewhere and
end up effectively exposing a root shell to the world.

** Changed in: lxd (Ubuntu)
   Status: New => Fix Released


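Added example, not part of the original thread: a defender-side check that parses socat command lines (as found in a process listing) and flags relays that hand the LXD unix socket to a non-loopback TCP listener or to every local user. The function names and the loopback-only variant are constructed for illustration; the other two command lines are the ones posted in the thread.

```python
import shlex

LXD_SOCKET = "/var/lib/lxd/unix.socket"      # path used in the thread
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
TCP_LISTEN = {"TCP-LISTEN", "TCP4-LISTEN", "TCP6-LISTEN"}


def parse_address(spec):
    """Split a socat address 'TYPE:arg,opt=val,flag' into (type, arg, options)."""
    head, *opts = spec.split(",")
    kind, _, arg = head.partition(":")
    return kind.upper(), arg, dict(o.partition("=")[::2] for o in opts)


def audit_socat(cmdline):
    """Return findings for a socat command line that relays the LXD socket."""
    argv = shlex.split(cmdline)
    if "socat" not in (a.rsplit("/", 1)[-1] for a in argv[:2]):  # allow "sudo socat"
        return []
    addrs = [parse_address(a) for a in argv if ":" in a and not a.startswith("-")]
    if not any(k.startswith("UNIX") and arg == LXD_SOCKET for k, arg, _ in addrs):
        return []
    findings = []
    for kind, arg, opts in addrs:
        # A TCP listener with no loopback bind= extends the socket's trust to the network.
        if kind in TCP_LISTEN and opts.get("bind") not in LOOPBACK:
            findings.append(f"LXD socket relayed to TCP port {arg} on a non-loopback address")
        # connect() on a unix socket needs write permission: check the "other" digit.
        if kind == "UNIX-LISTEN" and opts.get("mode", "")[-1:] in {"2", "3", "6", "7"}:
            findings.append(f"{arg} accepts connections from every local user (mode={opts['mode']})")
    return findings


# The two relays from the thread, plus a constructed loopback-only variant.
SERVER_RELAY = "socat TCP-LISTEN:8443,fork UNIX-CLIENT:/var/lib/lxd/unix.socket"
CLIENT_RELAY = ("socat UNIX-LISTEN:/var/lib/lxd/unix.socket,unlink-early,mode=666,fork "
                "TCP:10.43.42.59:8443")
LOOPBACK_RELAY = ("socat TCP-LISTEN:8443,bind=127.0.0.1,fork "
                  "UNIX-CLIENT:/var/lib/lxd/unix.socket")

if __name__ == "__main__":
    for cmd in (SERVER_RELAY, CLIENT_RELAY, LOOPBACK_RELAY):
        print(cmd, "->", audit_socat(cmd) or "no findings")
```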

[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-27 Thread Martin Pitt
Sounds perfectly reasonable, so indeed, let's close this. Thanks Tycho
for the nice idea!



[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-27 Thread Martin Pitt
> having access to the LXD API is basically equivalent (straightforward
> path) to root on the physical host, so it's something which must be very
> closely guarded.

FTR, we have an incredibly (painfully) tight firewall there, and the
Scalingstack instances are basically throwaway ones -- they run tons of
crappy code and thus aren't very reliable (i.e. need to be rebuilt from
time to time) anyway. So I think from that point it should be fine.

(ATM my main problem isn't performance yet anyway, but keeping LXD alive
for more than two or three runs)



[Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-26 Thread Martin Pitt
Tycho, nice idea!

FTR, it's

sudo socat UNIX-LISTEN:/var/lib/lxd/unix.socket TCP:10.43.42.59:8443

(CONNECT expects an existing socket, and that machine doesn't even have
lxd installed, just -client). This does work for one operation, then
socat exits. So this needs some tweaking, but looks like a promising
route.

Thanks!



Re: [Bug 1538174] Re: ways to speed up overhead of "lxc exec" on remote containers

2016-01-26 Thread Tycho Andersen
On Tue, Jan 26, 2016 at 04:40:15PM -, Martin Pitt wrote:
> Tycho, nice idea!
> 
> FTR, it's
> 
> sudo socat UNIX-LISTEN:/var/lib/lxd/unix.socket TCP:10.43.42.59:8443
> 
> (CONNECT expects an existing socket, and that machine doesn't even have
> lxd installed, just -client). This does work for one operation, then
> socat exits. So this needs some tweaking, but looks like a promising
> route.

Oh, right, derp. r.e. your second problem, I think socat has a "fork"
option, so it will keep listening, something like
`socat UNIX-LISTEN:/var/lib/lxd/unix.socket,fork ...`

might work.

Tycho
