LXC works without warning regardless if cgroup namespaces are properly available

Bug #827798 reported by Michael Casadevall
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
lxc (Ubuntu) | Fix Released | Low | Serge Hallyn |

Bug Description

Out of the box on Ubuntu oneiric, lxc-checkconfig produces the current output:

ubuntu@panda4:~$ lxc-checkconfig
--- Namespaces ---
Namespaces: enabled
Utsname namespace: enabled
Ipc namespace: enabled
Pid namespace: enabled
User namespace: enabled
Network namespace: enabled
Multiple /dev/pts instances: enabled

--- Control groups ---
Cgroup: enabled
Cgroup namespace: required
Cgroup device: enabled
Cgroup sched: enabled
Cgroup cpu account: enabled
Cgroup memory controller: enabled
Cgroup cpuset: enabled

--- Misc ---
Veth pair device: enabled
Macvlan: enabled
Vlan: enabled
File capabilities: missing
enabled

Note that cgroup_ns says 'Required'. cgroup_ns was replaced with clone_children (which is a mount option for cgroup lines; if this is done, then that line changes to clone_children is available).

Regardless of this 'Required' item being around, lxc-* still works, and you can still create and start instances. This appears to hold even though namespaces are unavailable. This suggests that LXC will run without warning even if full cgroup isolation is unavailable.

As part of the move to 3.0, we need to make it so LXC uses the clone_children as a replacement for cgroup_ns, and understand why LXC works without namespace support, and the security implications of this ...

Tags: server-o-ro
Changed in lxc (Ubuntu):
importance: Undecided → High
milestone: none → ubuntu-11.10-beta-1
Serge Hallyn (serge-hallyn) wrote :

Thanks for taking the time to submit this bug.

LXC will not run without warning if full cgroup isolation is unavailable - if that were the case this would be high priority, but it isn't so I'm changing the priority of this to wishlist.

The clone_children flag gets set by lxc at lxc-start. If clone_children were not available (by the kernel) then it would fail to start the containers.

The bug then, which is present but is wishlist priority, is that lxc-checklist reports ns cgroup as Required when it isn't. It should report whether either ns cgroup is available or cgroup.clone_children exists, and report the feature missing only if neither of those is true.

Changed in lxc (Ubuntu):
importance: High → Wishlist
status: New → Triaged
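
The either/or check described in the comment above, sketched as a shell function (an added example, not part of the thread and not the patch that shipped in lxc). It assumes a plain-text kernel config and a mounts file in /proc/self/mounts format; the function names and fixture paths are hypothetical.

```shell
#!/bin/sh
# CONFIG_CGROUP_NS is the kernel option for the legacy ns cgroup subsystem;
# cgroup.clone_children is the per-hierarchy file named in the thread.

# cgroup_ns_status CONFIG_FILE MOUNTS_FILE
# Prints which mechanism is available; returns 1 only if neither is.
cgroup_ns_status() {
    config_file=$1    # plain-text kernel config (assumed already unzipped)
    mounts_file=$2    # same format as /proc/self/mounts

    if [ -r "$config_file" ] && grep -q '^CONFIG_CGROUP_NS=y$' "$config_file"; then
        echo "enabled (ns cgroup)"
        return 0
    fi
    # Otherwise look for cgroup.clone_children in any mounted cgroup hierarchy.
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "cgroup" ] || continue
        if [ -e "$mnt/cgroup.clone_children" ]; then
            echo "enabled (clone_children)"
            return 0
        fi
    done < "$mounts_file"
    echo "missing"
    return 1
}

# make_fixture DIR: constructed sample inputs so the check runs offline.
make_fixture() {
    mkdir -p "$1/cg_new" "$1/cg_bare"
    : > "$1/cg_new/cgroup.clone_children"
    printf 'CONFIG_CGROUPS=y\nCONFIG_CGROUP_NS=y\n' > "$1/config_old"
    printf 'CONFIG_CGROUPS=y\n# CONFIG_CGROUP_NS is not set\n' > "$1/config_new"
    printf 'cgroup %s cgroup rw,clone_children 0 0\n' "$1/cg_new" > "$1/mounts_new"
    printf 'cgroup %s cgroup rw 0 0\n' "$1/cg_bare" > "$1/mounts_bare"
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
cgroup_ns_status "$demo_dir/config_old" "$demo_dir/mounts_bare"   # old kernel
cgroup_ns_status "$demo_dir/config_new" "$demo_dir/mounts_new"    # 3.0-style
cgroup_ns_status "$demo_dir/config_new" "$demo_dir/mounts_bare" || true
rm -rf "$demo_dir"
```

On a live system the two arguments would be the running kernel's config file and /proc/self/mounts.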
Michael Casadevall (mcasadevall) wrote :

Thanks Serge. That behavior should be documented somewhere, since I was greatly concerned there was a security issue in LXC. At least we know that LXC now works properly in ARM, and I can now close out the LXC-ARM work items.

Serge Hallyn (serge-hallyn) wrote : Re: [Bug 827798] Re: LXC works without warning regardless if cgroup namespaces are properly available

Quoting Michael Casadevall (<email address hidden>):
> Thanks Serge. That behavior should be documented somewhere, since I was

Yup, lxc-checkconfig needs to be updated.

> greatly concerned there was a security issue in LXC.

Note that until lxc can exploit user namespaces, there are plenty of security
issues unless you lock it down with an LSM.

thanks,
-serge

Michael Casadevall (mcasadevall) wrote :

Can you be more specific on these security issues?

We don't ship an LSM out of the box (nor is there a quick and easy way to set one up). LXC is the cloud computing solution for ARM until hardware virtualization becomes available, and I was unaware of any security concerns in using it.

Dave Walker (davewalker)
tags: added: server-o-ro
Serge Hallyn (serge-hallyn) wrote :

Hi Dave,

The priority of this (admittedly set by me) is wishlist. But you're targeting it. Please do bump the priority if you feel that's the thing to do. Otherwise it's unlikely I'll get to it.

Note that this shouldn't require any deep knowledge, so anyone else can jump in and make the patch to lxc-checkconfig.

Martin Pitt (pitti)
Changed in lxc (Ubuntu):
milestone: ubuntu-11.10-beta-1 → ubuntu-11.10-beta-2
Changed in lxc (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Serge Hallyn (serge-hallyn)
importance: Wishlist → Low
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.7.5-0ubuntu7

---------------
lxc (0.7.5-0ubuntu7) oneiric; urgency=low

  * Fix lxc-checkconfig to correctly detect support for clone_children, so
    as not to erroneously report failure. (LP: #827798)
 -- Serge Hallyn <email address hidden> Fri, 02 Sep 2011 17:59:07 +0000

Changed in lxc (Ubuntu):
status: In Progress → Fix Released