Public bug reported:
Out of the box on Ubuntu oneiric, lxc-checkconfig produces the current
output:
ubuntu@panda4:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled
--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled
--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled
Note that cgroup_ns says 'Required'. cgroup_ns was replaced with
clone_children (which is a mount option for cgroup lines; if this is
done, then that line changes to clone_children is available).
Regardless of this 'Required' item being around, lxc-* still works, and
you can still create and start instances, apparently even though
namespaces are unavailable. This suggests that LXC will run without
warning even if full cgroup isolation is unavailable.
As part of the move to 3.0, we need to make it so LXC uses the
clone_children as a replacement for cgroup_ns, and understand why LXC
works without namespace support, and the security implications of this
...
** Affects: lxc (Ubuntu)
Importance: High
Status: New
** Changed in: lxc (Ubuntu)
Importance: Undecided => High
** Changed in: lxc (Ubuntu)
Milestone: None => ubuntu-11.10-beta-1
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/827798
Title:
LXC works without warning regardless if cgroup namespaces are properly
available
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/827798/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
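The report asks for lxc-checkconfig to treat clone_children as the replacement for cgroup_ns and for LXC to stop running silently when neither is present. Below is an added example (not from the bug report or the lxc package) of a fail-closed check in that spirit: it reads a mounts file and a plain-text kernel config passed as arguments (normally /proc/mounts and /boot/config-$(uname -r)), and the sample file names and contents are constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the bug report or of lxc: a fail-closed check for
# the cgroup_ns -> clone_children transition described in the report. Both
# inputs are file paths so the functions can be exercised on constructed samples.

# 0 if any cgroup mount line carries the clone_children mount option, else 1.
cgroup_clone_children_mounted() {
    grep -qE '^[^ ]+ [^ ]+ cgroup [^ ]*clone_children' "$1"
}

# 0 if the kernel config still has the old cgroup namespace enabled, else 1.
kernel_has_cgroup_ns() {
    grep -q '^CONFIG_CGROUP_NS=y' "$1"
}

# Prints one status line and returns 0 only when some form of cgroup isolation
# support is present, so a start script can refuse to proceed rather than run
# without it and without any warning.
check_cgroup_isolation() {
    if cgroup_clone_children_mounted "$1"; then
        echo "Cgroup clone_children: available"
        return 0
    fi
    if kernel_has_cgroup_ns "$2"; then
        echo "Cgroup namespace: enabled (legacy cgroup_ns)"
        return 0
    fi
    echo "Cgroup clone_children: missing and cgroup_ns not built in"
    return 1
}

# Constructed samples standing in for /proc/mounts and the kernel config.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu,clone_children 0 0' > "$SAMPLE_DIR/mounts_with_clone_children"
printf '%s\n' 'cgroup /sys/fs/cgroup/cpu cgroup rw,relatime,cpu 0 0' > "$SAMPLE_DIR/mounts_without"
printf '%s\n' '# CONFIG_CGROUP_NS is not set' > "$SAMPLE_DIR/config_without_ns"
printf '%s\n' 'CONFIG_CGROUP_NS=y' > "$SAMPLE_DIR/config_legacy"

# Demonstration: the third combination is the case the report says must not pass silently.
check_cgroup_isolation "$SAMPLE_DIR/mounts_with_clone_children" "$SAMPLE_DIR/config_without_ns"
check_cgroup_isolation "$SAMPLE_DIR/mounts_without" "$SAMPLE_DIR/config_legacy"
check_cgroup_isolation "$SAMPLE_DIR/mounts_without" "$SAMPLE_DIR/config_without_ns" || echo "refusing to continue (exit status $?)"
```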