[Blueprint servercloud-q-lxc] Lxc work for Q

2012-10-03 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls 
- for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
- [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
+ [serge-hallyn] write a patch for lxc to use user namespaces: POSTPONED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go (they're caught by the kernel 
core_pattern and sent to the host which fails to parse them as apport isn't lxc 
aware): DONE
  [james-page] hook testing up to jenkins: POSTPONED
  [serge-hallyn] convert the test suite to utah: DONE
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-10-03 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like for the next cloud user to re-use his instance's
  disk to not be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
- unprivileged startup
- secure nested containers
- openvz migration
+ unprivileged startup (POSTPONED)
+ secure nested containers (POSTPONED)
+ Migration of containers fromopenvz to lxc has been eased with the addition of 
hooks at various point in a container's lifetime.
+ Customization of container security profiles has been eased by a 
reorganization of the apparmor profiles.
+ Nesting of containers has been made easier with custom apparmor profiles.
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.
  3. user namespace patch for lxc is up at 
lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work 
without some more kernel work, and we cannot be sure it is finalized until that 
work is done.  So marking it blocked. for now, though it should be mostly 
completed.
  4. apport: Catching the crashes in the container and having the in-container 
apport triggered would require /proc/sys/kernel/core_pattern to be namespaced, 
it's currently blocked by apparmor and unlikely to be namespaced. Apport on the 
host is instead triggered, except that it fails as it's unable to locate the 
PID it's receiving (likely because it's receiving the pid from the container's 
pidns).
  5. removed userns items as that is tracked in its own blueprint.



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-10-03 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like for the next cloud user to re-use his instance's
  disk to not be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
- unprivileged startup (POSTPONED)
- secure nested containers (POSTPONED)
- Migration of containers fromopenvz to lxc has been eased with the addition of 
hooks at various point in a container's lifetime.
- Customization of container security profiles has been eased by a 
reorganization of the apparmor profiles.
- Nesting of containers has been made easier with custom apparmor profiles.
+ * unprivileged startup (POSTPONED)
+ * secure nested containers (POSTPONED)
+ * Migration of containers fromopenvz to lxc has been eased with the addition 
of hooks at various point in a container's lifetime.
+ * Customization of container security profiles has been eased by a 
reorganization of the apparmor profiles.
+ * Nesting of containers has been made easier with custom apparmor profiles.
+ * Improved container security with support for seccomp2 profiles and
+ simple ecryptfs-backed containers.
+ * Improved container automation with a new python lxc API.
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.
  3. user namespace patch for lxc is up at 
lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work 
without some more kernel work, and we cannot be sure it is finalized until that 
work is done.  So marking it blocked. for now, though it should be mostly 
completed.
  4. apport: Catching the crashes in the container and having the in-container 
apport triggered would require /proc/sys/kernel/core_pattern to be namespaced, 
it's currently blocked by apparmor and unlikely to be namespaced. Apport on the 
host is instead triggered, except that it fails as it's unable to locate the 
PID it's receiving (likely because it's receiving the pid from the container's 
pidns).
  5. removed userns items as that is tracked in its own blueprint.



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls 
- for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
- [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
- [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go (they're caught by the kernel 
core_pattern and sent to the host which fails to parse them as apport isn't lxc 
aware): DONE
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to utah: DONE
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like for the next cloud user to re-use his instance's
  disk to not be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
  unprivileged startup
  secure nested containers
  openvz migration
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.
  3. user namespace patch for lxc is up at 
lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work 
without some more kernel work, and we cannot be sure it is finalized until that 
work is done.  So marking it blocked. for now, though it should be mostly 
completed.
  4. apport: Catching the crashes in the container and having the in-container 
apport triggered would require /proc/sys/kernel/core_pattern to be namespaced, 
it's currently blocked by apparmor and unlikely to be namespaced. Apport on the 
host is instead triggered, except that it fails as it's unable to locate the 
PID it's receiving (likely because it's receiving the pid from the container's 
pidns).
+ 5. removed userns items as that is tracked in its own blueprint.



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls 
- for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go (they're caught by the kernel 
core_pattern and sent to the host which fails to parse them as apport isn't lxc 
aware): DONE
- [james-page] hook testing up to jenkins: TODO
+ [james-page] hook testing up to jenkins: POSTPONED
  [serge-hallyn] convert the test suite to utah: DONE
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-19 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls 
- for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
- [stgraber] where do crashes in the container go: TODO
+ [stgraber] where do crashes in the container go (they're caught by the kernel 
core_pattern and sent to the host which fails to parse them as apport isn't lxc 
aware): DONE
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to utah: DONE
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-19 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like for the next cloud user to re-use his instance's
  disk to not be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
  unprivileged startup
  secure nested containers
  openvz migration
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.
  3. user namespace patch for lxc is up at 
lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work 
without some more kernel work, and we cannot be sure it is finalized until that 
work is done.  So marking it blocked. for now, though it should be mostly 
completed.
+ 4. apport: Catching the crashes in the container and having the in-container 
apport triggered would require /proc/sys/kernel/core_pattern to be namespaced, 
it's currently blocked by apparmor and unlikely to be namespaced. Apport on the 
host is instead triggered, except that it fails as it's unable to locate the 
PID it's receiving (likely because it's receiving the pid from the container's 
pidns).



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-14 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls 
- for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
- [serge-hallyn] convert the test suite to jenkins: TODO
+ [serge-hallyn] convert the test suite to utah: INPROGRESS
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-14 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
- [serge-hallyn] convert the test suite to utah: INPROGRESS
+ [serge-hallyn] convert the test suite to utah: DONE
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-10 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
- [serge-hallyn] server guide 12.10 update for hooks: TODO
+ [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
- [serge-hallyn] server guide 12.10 update for using seccomp: TODO
+ [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-10 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
- [serge-hallyn] server guide 12.10 update for API: TODO
+ [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-10 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
  [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: DONE
  [serge-hallyn] server guide 12.10 update for hooks: DONE
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
- [serge-hallyn] server guide 12.10 update apparmor changes: TODO
+ [serge-hallyn] server guide 12.10 update apparmor changes: DONE
  [serge-hallyn] server guide 12.10 update for using seccomp: DONE

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-09-06 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: POSTPONED
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: DONE
  [ebiederm] push remaining userns patches needed for simple containers: 
INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: POSTPONED
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): DONE
- [serge-hallyn] example for encrypted root in the package README or server 
guide: INPROGRESS
+ [serge-hallyn] example for encrypted root in the package README and blog: DONE
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: POSTPONED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): POSTPONED
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: POSTPONED
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-08-28 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: POSTPONED
  [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
- [serge-hallyn] implement configuration file #includes (stretch goal): TODO
- [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
+ [serge-hallyn] implement configuration file #includes (stretch goal): DONE
+ [serge-hallyn] example for encrypted root in the example guide: INPROGRESS
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-08-06 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
- [serge-hallyn] add smack support to lsm set: TODO
- [serge-hallyn] add selinux support to lsm set: TODO
+ [serge-hallyn] add smack support to lsm set: POSTPONED
+ [serge-hallyn] add selinux support to lsm set: POSTPONED
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
  [serge-hallyn] exploit libseccomp in lxc-start: DONE
- [serge-hallyn] come up with default seccomp containers profile: TODO
+ [serge-hallyn] come up with default seccomp containers profile (all syscalls - for x86-64, 0-300 and 1024-1079): DONE
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-07-27 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
- [serge-hallyn] exploit libseccomp in lxc-start: INPROGRESS
+ [serge-hallyn] exploit libseccomp in lxc-start: DONE
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-07-23 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libseccomp to aid bpf creation http://sourceforge.net/projects/libseccomp/: DONE
- [serge-hallyn] exploit libseccomp in lxc-start: TODO
+ [serge-hallyn] exploit libseccomp in lxc-start: INPROGRESS
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO

-- 
Lxc work for Q
https://blueprints.launchpad.net/ubuntu/+spec/servercloud-q-lxc



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-07-19 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
- [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
- [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
- [serge-hallyn] come up with default secomp containers profile: BLOCKED
+ [kees] package libscecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: DONE
+ [serge-hallyn] exploit libseccomp in lxc-start: TODO
+ [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
  [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO
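Review bot: the added line "[kees] package libscecomp to aid bpf creation" misspells the package name (the line it replaces had "libsecomp", also misspelled); the linked project at http://sourceforge.net/projects/libseccomp/ is libseccomp, and the companion item "exploit libseccomp in lxc-start" already uses the correct spelling, so the work item should read "package libseccomp to aid bpf creation".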



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-07-04 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
  [serge-hallyn] investigate post commit hook to email out changes: DONE
  [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
- [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
- [stgraber] Create python module using the API: INPROGRESS
+ [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): DONE
+ [stgraber] Create python module using the API: DONE
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-28 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
  [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
  [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
- [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
- [serge-hallyn] investigate post commit hook to email out changes: TODO
- [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
+ [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): TODO
+ [serge-hallyn] investigate post commit hook to email out changes: DONE
+ [serge-hallyn] document mounts sharing through /shared using hooks: TODO
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-26 Thread Andy Whitcroft
Blueprint changed by Andy Whitcroft:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
- [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
+ [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-26 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
- [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
+ [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-26 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS
+ [serge-hallyn] server guide 12.10 update for API: TODO
+ [serge-hallyn] server guide 12.10 update for hooks: TODO
+ [serge-hallyn] server guide 12.10 update using user namespaces: TODO
+ [serge-hallyn] server guide 12.10 update apparmor changes: TODO
+ [serge-hallyn] server guide 12.10 update for using seccomp: TODO



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-26 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup (using optional 
mount hook): DONE
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack support to lsm set: TODO
  [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches (confirmed): DONE
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
- [ebiederm] get user namespaces upstream: INPROGRESS
+ [ebiederm] get rest of v40 of userns patchset upstream: INPROGRESS
+ [ebiederm] push userns patches to allow containers to mount, pivot_root, and 
rename nics: TODO
+ [ebiederm] push remaining userns patches needed for simple containers: TODO
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS
  [serge-hallyn] server guide 12.10 update for API: TODO
  [serge-hallyn] server guide 12.10 update for hooks: TODO
  [serge-hallyn] server guide 12.10 update using user namespaces: TODO
  [serge-hallyn] server guide 12.10 update apparmor changes: TODO
  [serge-hallyn] server guide 12.10 update for using seccomp: TODO



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack and/or selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
- [serge-hallyn] write a patch for lxc to use user namespaces: TODO
+ [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but would like for the next cloud user to re-use his instance's
  disk to not be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
  unprivileged startup
  secure nested containers
  openvz migration
  
  WI notes:
  
  1. seccomp work in lxc is blocked until seccomp is packaged.
  2. pivot_root is not possible into a MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.
+ 3. user namespace patch for lxc is up at 
lp:~serge-hallyn/ubuntu/quantal/lxc/lxc-user-ns.  However, it cannot work 
without some more kernel work, and we cannot be sure it is finalized until that 
work is done.  So marking it blocked. for now, though it should be mostly 
completed.
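Review bot: the added WI note 3 has a stray full stop in "So marking it blocked. for now, though it should be mostly completed."; it should read "So marking it blocked for now, though it should be mostly completed." The status it describes matches the work-item list, where "write a patch for lxc to use user namespaces" is marked BLOCKED.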



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-25 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
- [serge-hallyn] add smack and/or selinux support to lsm set: TODO
+ [serge-hallyn] add smack support to lsm set: TODO
+ [serge-hallyn] add selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: BLOCKED
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make an liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS



[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-22 Thread Bryan Wu
Blueprint changed by Bryan Wu:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
- [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
+ [cooloney] check that all new cgroups are enabled in quantal kernel: DONE
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] add smack and/or selinux support to lsm set: TODO
  [kees] package libsecomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default secomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-18 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
- [serge-hallyn] pre-mount cgroups during container startup: TODO
+ [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
- [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
+ [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: INPROGRESS
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default seccomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-18 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
- [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: INPROGRESS
+ [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default seccomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-18 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: BLOCKED
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: DONE
- [serge-hallyn] send generic lsm patchset upstream: TODO
+ [serge-hallyn] add smack and/or selinux support to lsm set: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default seccomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-15 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
  [serge-hallyn] come up with default seccomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
+ [serge-hallyn] Post POC patchset implementing hookpoints to lxc-devel: DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-07 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
- [serge-hallyn] exploit libseccomp in lxc-start: TODO
- [serge-hallyn] come up with default seccomp containers profile: TODO
+ [serge-hallyn] exploit libseccomp in lxc-start: BLOCKED
+ [serge-hallyn] come up with default seccomp containers profile: BLOCKED
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
- [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
+ [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces (done by community): DONE
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
- [serge-hallyn] example for encrypted root in the example guide: TODO
+ [serge-hallyn] example for encrypted root in the example guide (blocked 
awaiting hooks): BLOCKED
  [serge-hallyn] investigate post commit hook to email out changes: TODO
- [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
+ [serge-hallyn] document mounts sharing through /shared using hooks: BLOCKED
  [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-07 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  User Stories:
  
  [nested lxc - cgroup premount and apparmor policy]
  
  Sallie would like to run juju with lxc on her laptop, but is afraid it
  may meddle with her laptop's networking setup.  So she runs juju inside
  an lxc container.
  
  [lxc-attach]
  
  Joe finds one of his containers is not responding to the ssh port, and
  its consoles are not working.  He suspects a problem with its devpts.  He
  uses lxc-attach to run a diagnostics tool inside the container.
  
  [user namespace - unprivileged startup]
  
  Annie wants to test a root fs tarball sitting on her usb stick.  She'd
  like to start at least a chroot or a whole container in it.  But she
  doesn't have privileges on this machine.  She creates a container with
  private user namespace and boots the rootfs there.
  
  [seccomp]
  
  Zoe wants to run a flash movie inside a container, but is afraid there
  may be a kernel system call exploit.  She uses seccomp to filter out
  the most dangerous system calls.
  
  [hooks, /var/lib/c1/root, and #includes, openvz migration]
  
  Munro supports a large number of containers.  Most of the container
  configuration is shared from a common #included file.  When he needs
  to make a change to all containers, he can change the common included
  configuration file, have a loop mount new filesystems under each
  container's root, and add lines to the pre-start hook which the common
  configuration file defines.
  
  [encrypted root]
  
  Rupert wants to run an application on an instance in the cloud,
  but does not want the next cloud user who re-uses his instance's
  disk to be able to read the application data.  He therefore
  uses an encrypted root for the container.
  
  [python api]
  
  Yngwie would like to write a script to perform a particular update
  in each container.  He can use the python api to find all containers,
  then attach to running or execute in non-running containers to
  perform the update.
  
  Assumptions:
  
  seccomp gets upstream
  user namespaces get upstream
  setns patches get upstream
  
  Release Notes:
  
  unprivileged startup
  secure nested containers
  openvz migration
+ 
+ WI notes:
+ 
+ 1. seccomp work in lxc is blocked until seccomp is packaged.
+ 2. pivot_root is not possible into an MS_SHARED directory, making our original 
goal of accessing the container mounts tree through /var/lib/lxc/container/root 
not possible.


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-06-01 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
- [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
+ [serge-hallyn] send attach patch sets to kernel-team ASAP: DONE
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
- [serge-hallyn] apport hook for lxc bugs: TODO
+ [serge-hallyn] apport hook for lxc bugs: DONE
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-31 Thread Dave Walker
Blueprint changed by Dave Walker:

Priority: Undefined => Medium


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-30 Thread Bryan Wu
Blueprint changed by Bryan Wu:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
- [stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
+ [cooloney] check that all new cgroups are enabled in quantal kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
  [serge-hallyn] apport hook for lxc bugs: TODO
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-24 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
- [stgraber] write the hookpoints and send to the lxc-devel list for review: 
TODO
+ [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
  [serge-hallyn] apport hook for lxc bugs: TODO
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS
  [serge-hallyn] arrange devices namespace discussion with the right people 
after userns patchset: TODO


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-24 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items changed:
  Work items:
  [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
  [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
DONE
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
  [serge-hallyn] apport hook for lxc bugs: TODO
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
  [stgraber] Create python module using the API: INPROGRESS
- [serge-hallyn] arrange devices namespace discussion with the right people 
after userns patchset: TODO


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-22 Thread Dave Walker
Blueprint changed by Dave Walker:

Definition Status: Pending Approval => Approved


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-18 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Work items changed:
  Work items:
- [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: TODO
+ [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: INPROGRESS
  [stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
- [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
TODO
+ [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
INPROGRESS
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
TODO
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
  [serge-hallyn] apport hook for lxc bugs: TODO
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
  [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): TODO
  [stgraber] Create python module using the API: TODO
  [serge-hallyn] arrange devices namespace discussion with the right people 
after userns patchset: TODO


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-18 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Definition Status: Discussion => Pending Approval


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-18 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Work items changed:
  Work items:
- [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: INPROGRESS
+ [stgraber] Review list of extra packages in lxc-ubuntu and have it contain 
the right list for each release: DONE
  [stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
  [serge-hallyn] pre-mount cgroups during container startup: TODO
  [serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
  [serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
  [serge-hallyn] send generic lsm patchset upstream: TODO
  [kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
  [serge-hallyn] exploit libseccomp in lxc-start: TODO
  [serge-hallyn] come up with default seccomp containers profile: TODO
  [apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
  [ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
  [serge-hallyn] write a patch for lxc to use user namespaces: TODO
  [ebiederm] patch adduser: TODO
  [ebiederm] get user namespaces upstream: INPROGRESS
  [ebiederm] get setns(mnt) upstream: DONE
  [ebiederm] get setns(pid) upstream: TODO
  [serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
- [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
INPROGRESS
+ [stgraber] add the lxc-nesting apparmor profile to the package in quantal: 
DONE
  [serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
  [stgraber] write the hookpoints and send to the lxc-devel list for review: 
TODO
  [serge-hallyn] implement configuration file #includes (stretch goal): TODO
  [serge-hallyn] example for encrypted root in the example guide: TODO
  [serge-hallyn] investigate post commit hook to email out changes: TODO
  [serge-hallyn] get lxc to do a pivot root into a per-container tree visible 
to the host: TODO
  [serge-hallyn] apport hook for lxc bugs: TODO
  [stgraber] where do crashes in the container go: TODO
  [james-page] hook testing up to jenkins: TODO
  [serge-hallyn] convert the test suite to jenkins: TODO
  [serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to 
work (stretch goal): TODO
- [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): TODO
- [stgraber] Create python module using the API: TODO
+ [stgraber] make a liblxc API definition and publicise (+ serge-hallyn): 
INPROGRESS
+ [stgraber] Create python module using the API: INPROGRESS
  [serge-hallyn] arrange devices namespace discussion with the right people 
after userns patchset: TODO


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-17 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
- Topics:
-  - apparmor: outlook for stacked profiles?
-    - 12.10 work may be purely prep work in apparmor package/kernel
-  - seccomp2
-  - support for pre-start scripts (like initramfs)
-  - support for config #includes   (*1)
-  - encrypted root fs support   (*2)
-  - switch to git back-end for UDD?
-  - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
-  - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
-  directory used instead of /usr/lib/lxc/)
-  - lxc-debconf
-  - multiarch fallout - move lxc-init to /sbin?
-  - expiration of cached images
-  - separate lxcinit (and lxclib) into separate packages?
-  - lxc postinst, choose lxcbr0 address (for nesting containers)
-  - kernel features:
-   - cgroup fake root
-   - devices namespace, syslog namespace
-   - user namespace (if ready - but likely 13.04 work)
-  - lxc apport info
-  - hook the high level testsuite up to a jenkins instance
-  - support for fedora 17 templates  (just needs to be done)
-  - Make liblxc public and create initial language binding (python)
-    - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
-    - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
-    - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
-    - Rebase arkose on the new python module instead of the current subprocess 
calls.
+ User Stories:
  
- (*1) - may fall in nicely after a code restructuring
- (*2) - probably best done as a pre-start hook
+ [nested lxc - cgroup premount and apparmor policy]
+ 
+ Sallie would like to run juju with lxc on her laptop, but is afraid it
+ may meddle with her laptop's networking setup.  So she runs juju inside
+ an lxc container.
+ 
+ [lxc-attach]
+ 
+ Joe finds one of his containers is not responding to the ssh port, and
+ its consoles are not working.  He suspects a problem with its devpts.  He
+ uses lxc-attach to run a diagnostics tool inside the container.
+ 
+ [user namespace - unprivileged startup]
+ 
+ Annie wants to test a root fs tarball sitting on her usb stick.  She'd
+ like to start at least a chroot or a whole container in it.  But she
+ doesn't have privileges on this machine.  She creates a container with
+ private user namespace and boots the rootfs there.
+ 
+ [seccomp]
+ 
+ Zoe wants to run a flash movie inside a container, but is afraid there
+ may be a kernel system call exploit.  She uses seccomp to filter out
+ the most dangerous system calls.
+ 
+ [hooks, /var/lib/c1/root, and #includes, openvz migration]
+ 
+ Munro supports a large number of containers.  Most of the container
+ configuration is shared from a common #included file.  When he needs
+ to make a change to all containers, he can change the common included
+ configuration file, have a loop mount new filesystems under each
+ container's root, and add lines to the pre-start hook which the common
+ configuration file defines.
+ 
+ [encrypted root]
+ 
+ Rupert wants to run an application on an instance in the cloud,
+ but would like for the next cloud user to re-use his instance's
+ disk to not be able to read the application data.  He therefore
+ uses an encrypted root for the container.
+ 
+ [python api]
+ 
+ Yngwie would like to write a script to perform a particular update
+ in each container.  He can use the python api to find all containers,
+ then attach to running or execute in non-running containers to
+ perform the update.
+ 
+ Assumptions:
+ 
+ seccomp gets upstream
+ user namespaces get upstream
+ setns patches get upstream
+ 
+ Release Notes:
+ 
+ unprivileged startup
+ secure nested containers
+ openvz migration


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-15 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Work items set to:
Work items:
[stgraber] Review list of extra packages in lxc-ubuntu and have it contain the 
right list for each release: TODO
[stefan-bader-canonical] check that all new cgroups are enabled in quantal 
kernel: TODO
[serge-hallyn] pre-mount cgroups during container startup: TODO
[serge-hallyn] send attach patch sets to kernel-team ASAP: TODO
[serge-hallyn] convert lxc-apparmor patchset to generic lsm set: TODO
[serge-hallyn] send generic lsm patchset upstream: TODO
[kees] package libseccomp to aid bpf creation 
http://sourceforge.net/projects/libseccomp/: TODO
[serge-hallyn] exploit libseccomp in lxc-start: TODO
[serge-hallyn] come up with default seccomp containers profile: TODO
[apw] expect SECCOMP to drop in v3.5 replacing our patches: TODO
[ebiederm] fix lxc-attach upstream to use the new setns syntax: DONE
[serge-hallyn] write a patch for lxc to use user namespaces: TODO
[ebiederm] patch adduser: TODO
[ebiederm] get user namespaces upstream: INPROGRESS
[ebiederm] get setns(mnt) upstream: DONE
[ebiederm] get setns(pid) upstream: TODO
[serge-hallyn] extend lxc-attach to support attaching only to specific 
namespaces: TODO
[stgraber] add the lxc-nesting apparmor profile to the package in quantal: TODO
[serge-hallyn] send usernamespace patchset ASAP to kernel team (link to git 
repo for review): DONE
[stgraber] write the hookpoints and send to the lxc-devel list for review: TODO
[serge-hallyn] implement configuration file #includes (stretch goal): TODO
[serge-hallyn] example for encrypted root in the example guide: TODO
[serge-hallyn] investigate post commit hook to email out changes: TODO
[serge-hallyn] get lxc to do a pivot root into a per-container tree visible to 
the host: TODO
[serge-hallyn] apport hook for lxc bugs: TODO
[stgraber] where do crashes in the container go: TODO
[james-page] hook testing up to jenkins: TODO
[serge-hallyn] convert the test suite to jenkins: TODO
[serge-hallyn] fedora 16 and 17 and open-suse templates need to be made to work 
(stretch goal): TODO
[stgraber] make a liblxc API definition and publicise (+ serge-hallyn): TODO
[stgraber] Create python module using the API: TODO
[serge-hallyn] arrange devices namespace discussion with the right people after 
userns patchset: TODO


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-08 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
   - apparmor: outlook for stacked profiles?
     - 12.10 work may be purely prep work in apparmor package/kernel
   - seccomp2
   - support for pre-start scripts (like initramfs)
   - support for config #includes   (*1)
   - encrypted root fs support   (*2)
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
+  - multiarch fallout - move lxc-init to /sbin?
   - kernel features:
    - cgroup fake root
    - devices namespace, syslog namespace
    - user namespace (if ready - but likely 13.04 work)
   - lxc apport info
   - hook the high level testsuite up to a jenkins instance
   - support for fedora 17 templates  (just needs to be done)
   - Make liblxc public and create initial language binding (python)
     - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
     - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
     - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
     - Rebase arkose on the new python module instead of the current subprocess 
calls.
  
  (*1) - may fall in nicely after a code restructuring
  (*2) - probably best done as a pre-start hook


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-08 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
   - apparmor: outlook for stacked profiles?
     - 12.10 work may be purely prep work in apparmor package/kernel
   - seccomp2
   - support for pre-start scripts (like initramfs)
   - support for config #includes   (*1)
   - encrypted root fs support   (*2)
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
-  - multiarch fallout - move lxc-init to /sbin?
+  - multiarch fallout - move lxc-init to /sbin?
+  - expiration of cached images
+  - separate lxcinit (and lxclib) into separate packages?
+  - lxc postinst, choose lxcbr0 address (for nesting containers)
   - kernel features:
    - cgroup fake root
    - devices namespace, syslog namespace
    - user namespace (if ready - but likely 13.04 work)
   - lxc apport info
   - hook the high level testsuite up to a jenkins instance
   - support for fedora 17 templates  (just needs to be done)
   - Make liblxc public and create initial language binding (python)
     - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
     - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
     - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
     - Rebase arkose on the new python module instead of the current subprocess 
calls.
  
  (*1) - may fall in nicely after a code restructuring
  (*2) - probably best done as a pre-start hook


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-05 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
   - apparmor: outlook for stacked profiles?
-- 12.10 work may be purely for apparmor
+    - 12.10 work may be purely prep work in apparmor package/kernel
   - seccomp2
   - support for pre-start scripts (like initramfs)
   - support for config #includes   (*1)
   - encrypted root fs support   (*2)
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
-  - kernel features:
-   - cgroup fake root
-   - devices namespace, syslog namespace
-   - user namespace (if ready - but likely 13.04 work)
+  - kernel features:
+   - cgroup fake root
+   - devices namespace, syslog namespace
+   - user namespace (if ready - but likely 13.04 work)
   - lxc apport info
   - hook the high level testsuite up to a jenkins instance
   - support for fedora 17 templates  (just needs to be done)
   - Make liblxc public and create initial language binding (python)
     - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
     - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
     - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
     - Rebase arkose on the new python module instead of the current subprocess 
calls.
  
  (*1) - may fall in nicely after a code restructuring
  (*2) - probably best done as a pre-start hook


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-03 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Whiteboard changed:
  Topics:
   - apport info
-  - apparmor: outlook for stacked profiles?
+  - apparmor: outlook for stacked profiles?
   - using seccomp2
   - user namespace (if ready)
   - support for pre-start scripts (like initramfs)
   - support for config #includes
   - encrypted root fs support
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
   - cgroup fake root
   - devices namespace
   - lxc apport info
   - seccomp2
   - support for fedora 17 templates
+  - Make liblxc public and create initial language binding (python)
+- Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
+- Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
+- Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
+- Rebase arkose on the new python module instead of the current subprocess 
calls.


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-03 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
   - apport info
   - apparmor: outlook for stacked profiles?
   - using seccomp2
   - user namespace (if ready)
   - support for pre-start scripts (like initramfs)
   - support for config #includes
   - encrypted root fs support
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
   - cgroup fake root
   - devices namespace
   - lxc apport info
   - seccomp2
+  - hook the high level testsuite up to a jenkins instance
   - support for fedora 17 templates
-  - Make liblxc public and create initial language binding (python)
-- Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
-- Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
-- Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
-- Rebase arkose on the new python module instead of the current subprocess 
calls.
+  - Make liblxc public and create initial language binding (python)
+    - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
+    - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
+    - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
+    - Rebase arkose on the new python module instead of the current subprocess 
calls.


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-03 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
-  - apport info
   - apparmor: outlook for stacked profiles?
-  - using seccomp2
-  - user namespace (if ready)
+- 12.10 work may be purely for apparmor
+  - seccomp2
   - support for pre-start scripts (like initramfs)
-  - support for config #includes
-  - encrypted root fs support
+  - support for config #includes   (*1)
+  - encrypted root fs support   (*2)
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
   directory used instead of /usr/lib/lxc/)
   - lxc-debconf
-  - cgroup fake root
-  - devices namespace
+  - kernel features:
+   - cgroup fake root
+   - devices namespace, syslog namespace
+   - user namespace (if ready - but likely 13.04 work)
   - lxc apport info
-  - seccomp2
   - hook the high level testsuite up to a jenkins instance
-  - support for fedora 17 templates
+  - support for fedora 17 templates  (just needs to be done)
   - Make liblxc public and create initial language binding (python)
     - Export new higher level functions in the library so it's possible to 
easily do the same thing as the tools by just calling library functions
     - Rebase the tools on these functions, possibly converting some of the 
shell tools to C in the process
     - Write a python binding module (_lxc) and python module (lxc) to provide 
a user/scripter friendly way of accessing all of LXC's features
     - Rebase arkose on the new python module instead of the current subprocess 
calls.
+ 
+ (*1) - may fall in nicely after a code restructuring
+ (*2) - probably best done as a pre-start hook


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-02 Thread Jonathan Carter
Blueprint changed by Jonathan Carter:

Whiteboard changed:
  Topics:
-  - apport info
-  - using seccomp2
-  - user namespace (if ready)
-  - support for pre-start scripts (like initramfs)
-  - support for config #includes
-  - encrypted root fs support
-  - switch to git back-end for UDD?
-  - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
-  - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount directory used instead of /usr/lib/lxc/)
-  - cgroup fake root
-  - devices namespace
-  - lxc apport info
-  - seccomp2
-  - support for fedora 17 templates
+  - apport info
+  - using seccomp2
+  - user namespace (if ready)
+  - support for pre-start scripts (like initramfs)
+  - support for config #includes
+  - encrypted root fs support
+  - switch to git back-end for UDD?
+  - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
+  - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
+  directory used instead of /usr/lib/lxc/)
+  - lxc-debconf
+  - cgroup fake root
+  - devices namespace
+  - lxc apport info
+  - seccomp2
+  - support for fedora 17 templates


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-02 Thread Robbie Williamson
Blueprint changed by Robbie Williamson:

Assignee: (none) => Serge Hallyn


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-05-02 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard changed:
  Topics:
   - apport info
+  - apparmor: outlook for stacked profiles?
   - using seccomp2
   - user namespace (if ready)
   - support for pre-start scripts (like initramfs)
   - support for config #includes
   - encrypted root fs support
   - switch to git back-end for UDD?
   - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
   - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount
-  directory used instead of /usr/lib/lxc/)
-  - lxc-debconf
+  directory used instead of /usr/lib/lxc/)
+  - lxc-debconf
   - cgroup fake root
   - devices namespace
   - lxc apport info
   - seccomp2
   - support for fedora 17 templates


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-04-30 Thread Stéphane Graber
Blueprint changed by Stéphane Graber:

Whiteboard changed:
  Topics:
- http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
- /lxc-shared support through lxc config
- cgroup fake root
- devices namespace
- lxc apport info
- seccomp2
- support for fedora 17 templates
+  - apport info
+  - using seccomp2
+  - user namespace (if ready)
+  - support for pre-start scripts (like initramfs)
+  - support for config #includes
+  - encrypted root fs support
+  - switch to git back-end for UDD?
+  - http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm 
manipulation inside guests
+  - /lxc-shared support through lxc config (or the OpenVZ way with a 
/var/lib/lxc/container/mount directory used instead of /usr/lib/lxc/)
+  - cgroup fake root
+  - devices namespace
+  - lxc apport info
+  - seccomp2
+  - support for fedora 17 templates


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-04-23 Thread Robbie Williamson
Blueprint changed by Robbie Williamson:

Definition Status: New => Discussion


[Blueprint servercloud-q-lxc] Lxc work for Q

2012-04-17 Thread Serge Hallyn
Blueprint changed by Serge Hallyn:

Whiteboard set to:
Topics:
http://skliarie.blogspot.com/2011/11/llslxclvmsnapshots.html - lvm manipulation 
inside guests
/lxc-shared support through lxc config
cgroup fake root
devices namespace
lxc apport info
seccomp2
support for fedora 17 templates
