lpsetup

Merge lp:~bac/lpsetup/nested-lxc into lp:lpsetup

nested-lxc
Merge into trunk

Proposed by Brad Crittenden on 2012-07-25

Status:	Merged
Approved by:	Gary Poster on 2012-07-25
Approved revision:	66
Merged at revision:	63
Proposed branch:	lp:~bac/lpsetup/nested-lxc
Merge into:	lp:lpsetup
Diff against target:	142 lines (+100/-9) 3 files modified README.rst (+36/-9) lpsetup/templates/lxc-with-testing (+58/-0) lpsetup/tests/integration/test_install_lxc.py (+6/-0)
To merge this branch:	bzr merge lp:~bac/lpsetup/nested-lxc
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Gary Poster (community)		2012-07-25	Approve on 2012-07-25
Review via email: mp+116726@code.launchpad.net

Commit message

Make changes to allow nested LXCs for integration testing.

Description of the change

Make changes to allow nested LXCs for integration testing.

Revision history for this message

Gary Poster (gary) wrote on 2012-07-25:

Yay!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Brad Crittenden

Francesco Banconi

 === modified file 'README.rst'
 --- README.rst	2012-07-24 18:27:40 +0000
 +++ README.rst	2012-07-25 18:52:21 +0000
@@ -86,15 +86,14 @@
  There are two tests provided and each can run in either environment as
  long as you specify using the '-e' command line option.  The tests
--are:
--
--lpsetup/tests/integration/non-lxc.py
--lpsetup/tests/integration/juju-lxc.py
--
--The first only tests the *init-host* command but goes no further.
--The second tests *install-lxc*.  Due to bug 924281 (supposedly
--*fix-released* but still seen) this test cannot currently be run in an
--lxc container as it would require an lxc inside an lxc.
++are in lpsetup/tests/integration.
++
++The first, *test_init_host.py*, only tests the *init-host* command but
++goes no further.  The second, *test_install_lxc.py*, tests
++*install-lxc*.  If this test is run against a local LXC environment,
++some changes need are first required to the host machine where the
++test will be run.  Follow the instruction in the next section before
++launching the test.
  The tests bootstrap the environment for you and fail if it is already
  running.
@@ -106,6 +105,34 @@
          StrictHostKeyChecking no
          UserKnownHostsFile /dev/null
++Required changes for using nested LXC containers
++~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
++
++In order to get nested LXCs working in precise a few work-arounds are
++required, mostly relating to apparmor.
++
++The description of what needs to be done is at:
++http://www.stgraber.org/2012/05/04/lxc-in-ubuntu-12-04-lts/
++
++For the testing scenario, the host machine must be manually changed
++once[1] with the following modifications:
++sudo cp lpsetup/templates/lxc-with-testing /etc/apparmor.d/lxc
++sudo /etc/init.d/apparmor reload
++sudo cp /usr/lib/lxc/templates/lxc-ubuntu /usr/lib/lxc/templates/lxc-ubuntu.orig
++sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" \
++   /usr/lib/lxc/templates/lxc-ubuntu
++
++Should you want to disallow the apparmor change made to the default
++ubuntu template:
++sudo mv /usr/lib/lxc/templates/lxc-ubuntu.orig \
++   /usr/lib/lxc/templates/lxc-ubuntu
++
++The other changes mentioned are handled by the test in the container
++launched by Juju.
++
++[1] If the *lxc* package changes such that the *ubuntu* template is
++modified, then the last two steps to update the template will be
++required to be performed again.
  Linting
  ~~~~~~~
 === added file 'lpsetup/templates/lxc-with-testing'
 --- lpsetup/templates/lxc-with-testing	1970-01-01 00:00:00 +0000
 +++ lpsetup/templates/lxc-with-testing	2012-07-25 18:52:21 +0000
@@ -0,0 +1,58 @@
++# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
++# will source all profiles under /etc/apparmor.d/lxc
++
++# {installation_header}
++
++profile lxc-container-with-nesting flags=(attach_disconnected,mediate_deleted) {
++  network,
++  capability,
++  file,
++  umount,
++
++  # addition for container nesting
++  mount -> /sys/fs/cgroup/**,
++  mount fstype=proc -> /var/cache/lxc/**,
++  mount fstype=sysfs -> /var/cache/lxc/**,
++  mount fstype=devpts -> /dev/pts/,
++  mount -> /usr/lib/lxc/root/,
++  mount -> /usr/lib/lxc/root/**,
++  mount /dev/pts/ptmx/ -> /dev/ptmx/,
++  pivot_root,
++  change_profile -> lxc-*,
++
++  # ignore DENIED message on / remount
++  deny mount options=(ro, remount) -> /,
++
++  # allow tmpfs mounts everywhere
++  mount fstype=tmpfs,
++
++  # allow mqueue mounts everywhere
++  mount fstype=mqueue,
++
++  # allow bind mount of /lib/init/fstab for lxcguest
++  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
++
++  # deny writes in /proc/sys/fs but allow fusectl to be mounted
++  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
++  deny @{PROC}/sys/fs/** wklx,
++
++  # block some other dangerous paths
++  deny @{PROC}/sysrq-trigger rwklx,
++  deny @{PROC}/mem rwklx,
++  deny @{PROC}/kmem rwklx,
++  deny @{PROC}/sys/kernel/** wklx,
++
++  # deny writes in /sys except for /sys/fs/cgroup, also allow
++  # fusectl, securityfs and debugfs to be mounted there (read-only)
++  mount fstype=fusectl -> /sys/fs/fuse/connections/,
++  mount fstype=securityfs -> /sys/kernel/security/,
++  mount fstype=debugfs -> /sys/kernel/debug/,
++  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
++  mount fstype=proc -> /proc/,
++  mount fstype=sysfs -> /sys/,
++  deny /sys/[^f]*/** wklx,
++  deny /sys/f[^s]*/** wklx,
++  deny /sys/fs/[^c]*/** wklx,
++  deny /sys/fs/c[^g]*/** wklx,
++  deny /sys/fs/cg[^r]*/** wklx,
++}
 === modified file 'lpsetup/tests/integration/test_install_lxc.py'
 --- lpsetup/tests/integration/test_install_lxc.py	2012-07-25 13:11:25 +0000
 +++ lpsetup/tests/integration/test_install_lxc.py	2012-07-25 18:52:21 +0000
@@ -73,6 +73,12 @@
      def set_up(self):
          super(InstallLXCTest, self).set_up()
          self.on_remote('cd lpsetup; sudo python setup.py install')
++        # The installation of `lxc` is redundant as init-lxc does it but
++        # required to get the nested LXC work-around to work.
++        self.on_remote('sudo apt-get -y install lxc')
++        self.on_remote('sudo stop lxc')
++        self.on_remote('sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc')
++        self.on_remote('sudo start lxc')
      def do_test(self):
          """Run an end-to-end integration tests of the LXC lpsetup story."""