CloudServerNContainersFinetune

Differences between revisions 3 and 4
Revision 3 as of 2010-11-04 19:03:55
Size: 3446
Editor: cpe-66-68-83-102
Comment:
Revision 4 as of 2010-11-05 13:59:28
Size: 4227
Editor: cpe-66-68-83-102
Comment:
##(see the SpecSpec for an explanation)

 * '''Launchpad Entry''': UbuntuSpec:cloud-server-n-containers-finetune
 * '''Created''':
 * '''Contributors''':
 * '''Packages affected''':

== Summary ==

== Release Note ==

##This section should include a paragraph describing the end-user impact of this change. It is meant to be included in the release notes of the first release in which it is implemented. (Not all of these will actually be included in the release notes, at the release manager's discretion; but writing them is a useful exercise.)

##It is mandatory.

== Rationale ==

== User stories ==

== Assumptions ==

== Design ==

== Implementation ==

##This section should describe a plan of action (the "how") to implement the changes discussed. Could include subsections like:

== Test/Demo Plan ==

##It's important that we are able to test new features, and demonstrate them to users. Use this section to describe a short plan that anybody can follow that demonstrates the feature is working. This can then be used during testing, and to show off after release. Please add an entry to http://testcases.qa.ubuntu.com/Coverage/NewFeatures for tracking test coverage.

##This need not be added or completed until the specification is nearing beta.

== Unresolved issues ==

##This should highlight any issues that should be addressed in further specifications, and not problems with the specification itself; since any specification with problems cannot be approved.

== BoF agenda and discussion ==

##Use this section to take notes during the BoF; if you keep it in the approved spec, use it for summarising what was discussed and note any options that were rejected.

=== UDS Natty discussion ===

== Containerize ptrace/kill ==

The security team has an interest in smarter ptrace controls, but those
controls do not mesh with this work. They want to prevent ptrace in the
general case while still allowing ptrace_traceme to be (ab)used by and for
debuggers, tracers, and fault handlers. Containers will prevent tasks inside
the container from allowing ptrace by a task outside the container. User
namespaces would likely be too coarse-grained for this purpose: they would
lump together an entire KDE or wine session and allow every task in that
session to ptrace every other.

However, the containerization of kill and ptrace is deemed 'a good thing.'
Kees recommends pushing the patchset.

ACTION: (serge) Work with the platform team to make a stock Ubuntu image work in containers
  * Daniel suggests lxc can pass a 'boot' argument to init/upstart
  * Modify /etc/init/*.conf to
    * not run udev
    * emit the needed events to keep boot proceeding in a container
  * See the hacks in /usr/lib/lxc/templates/lxc-ubuntu


== Make LXC ready for production ==

Conclusions:
 * Some kernel patches (setns, ipvs, ns-cgroup-removal) are heading upstream
   * kernel team may backport those into natty
   * ns cgroup is being deprecated - should be turned off
     * MUST be associated with taking the clone-children control file patch to replace ns cgroup functionality
 * For more forward-looking and experimental lxc patches,
   * Create a kernel based on natty hosted on kernel.ubuntu.com
   * Create a PPA with both the custom kernel and an lxc package that makes use of it
   * Examples of functionality:
     * user namespace
     * containerized syslog
     * tinyproc (see below)
 * Investigate solutions for /proc and /sys containerization
   * One attractive solution was to separate proc from container-safe tinyproc
     * could be a mount option
       * a CAP_HOST_PROC capability is required for mounting full proc
       * tinyproc does not provide /proc/sysrq-trigger, for instance
 * Networking:
   * We should let libvirt handle creation of bridge
   * Someone should investigate getting netcf working in debian+ubuntu
     * To play nice with networkmanager
 * Container auto-start on boot
   * Let libvirt handle it
 * Meeting schedule for Friday to investigate a libvirt binding for liblxc
   * Summary from that meeting:
     * Action for natty to make a debootstrapped image work on host and in container
     * Action for Soren to look at libvirt-lxc console bug
       * (Serge to file a bug)
     * Action to create a new libvirt-container driver, based on openvz driver, which execs lxc.sf.net programs.
       * Ping libvirt community for reaction
       * Updating the existing driver to match lxc.sf.net functionality is too much duplicated work.
     * Long term, we would like to have the container driver call out to lxc.sf.net library - much more work
 * Upstart script for lxc
   * We should see if we can let libvirt handle it all
 * Action: find someone willing to work on a script on top of lxc for easing container creation
 * Action: find someone to push top/ps/netstat/etc containerization patches upstream
 * Action: pursue solutions to container reboot and poweroff
 * Action: Create trees based on Natty kernel tree, hosted on kernel.ubuntu.com, for more experimental container features to push upstream.
 * Action: Serge to follow up on user-namespace-over-dbus patch (sent to lkml in May)
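The conclusion above says the deprecated ns cgroup should be turned off and replaced by the clone_children control file. The following audit helpers are an added example, not part of the UDS notes or of the lxc project: they read a /proc/cgroups-style file and a cgroup hierarchy directory (both passed as arguments so the functions run against a constructed sample as well as a live host) and report whether the host matches that recommended state.

```shell
#!/bin/sh
# Added example (not from the UDS notes or lxc): audit a host for the
# "ns cgroup off, clone_children available" state the conclusions call for.

# cgroup_subsys_enabled FILE NAME
# Prints 1 if subsystem NAME has enabled=1 in a /proc/cgroups-style file,
# 0 if it is listed but disabled, and "absent" if it is not listed at all.
# Column layout is that of /proc/cgroups: subsys_name hierarchy num_cgroups enabled.
cgroup_subsys_enabled() {
    awk -v name="$2" '
        /^#/ { next }                                 # skip the header line
        $1 == name { found = 1; print ($4 == 1 ? 1 : 0) }
        END { if (!found) print "absent" }
    ' "$1"
}

# clone_children_set DIR
# Prints the value of DIR/cgroup.clone_children (0 or 1), or "missing" when
# the hierarchy does not provide the file (a kernel without the patch).
clone_children_set() {
    if [ -r "$1/cgroup.clone_children" ]; then
        tr -d '[:space:]' < "$1/cgroup.clone_children"
    else
        printf 'missing\n'
    fi
}

# check_host CGROUPS_FILE CGROUP_ROOT
# Returns 0 when the ns cgroup is off or absent and clone_children exists,
# 1 otherwise; prints one finding per problem.
check_host() {
    ns=$(cgroup_subsys_enabled "$1" ns)
    cc=$(clone_children_set "$2")
    rc=0
    if [ "$ns" = 1 ]; then
        echo "WARN: deprecated ns cgroup is still enabled"; rc=1
    fi
    if [ "$cc" = missing ]; then
        echo "WARN: cgroup.clone_children not present on this hierarchy"; rc=1
    fi
    return $rc
}

# Constructed sample input; on a real host pass /proc/cgroups and the
# root of the mounted cgroup hierarchy instead.
SAMPLE=$(mktemp)
printf '#subsys_name\thierarchy\tnum_cgroups\tenabled\ncpuset\t0\t1\t1\nns\t0\t1\t1\n' > "$SAMPLE"
DEMO=$(mktemp -d)
echo 1 > "$DEMO/cgroup.clone_children"
check_host "$SAMPLE" "$DEMO" || echo "host needs attention"
```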


CategorySpec

CloudServerNContainersFinetune (last edited 2010-11-08 23:56:41 by cpe-66-68-83-102)