ubuntu template should enable security pocket

Bug #963696 reported by Clint Byrum
Affects        Status        Importance  Assigned to  Milestone
lxc (Ubuntu)   Fix Released  High        Unassigned
Lucid          Won't Fix     High        Unassigned
Maverick       Won't Fix     Undecided   Unassigned
Natty          Invalid       High        Unassigned
Oneiric        Invalid       High        Unassigned

Bug Description

I noticed today that my lxc containers for oneiric did not have the latest MySQL security updates.

The template should enable security for new containers so they are not left vulnerable.

ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: lxc 0.7.5-3ubuntu44
ProcVersionSignature: Ubuntu 3.2.0-20.32-generic 3.2.12
Uname: Linux 3.2.0-20-generic x86_64
NonfreeKernelModules: nvidia wl
ApportVersion: 1.95-0ubuntu1
Architecture: amd64
Date: Fri Mar 23 23:26:39 2012
InstallationMedia: Xubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101008.1)
ProcEnviron:
 TERM=xterm
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: lxc
UpgradeStatus: Upgraded to precise on 2011-07-14 (253 days ago)

Revision history for this message
Clint Byrum (clint-fewbar) wrote :
Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Thanks for reporting this bug.

Precise has been enabling the security pocket for quite some time, but you are reporting this bug against precise. Can you confirm that you've had this happen on a precise host? Can you give the exact command you used to create the container?

Changed in lxc (Ubuntu):
status: New → Fix Released
status: Fix Released → Incomplete
Revision history for this message
Clint Byrum (clint-fewbar) wrote : Re: [Bug 963696] Re: ubuntu template should enable security pocket

Excerpts from Serge Hallyn's message of Sat Mar 24 08:17:07 UTC 2012:
> Thanks for reporting this bug.
>
> Precise has been enabling the security pocket for quite some time, but
> you are reporting this bug against precise. Can you confirm that you've
> had this happen on a precise host? Can you give the exact command you
> used to create the container?
>

These were containers created by juju, which uses

lxc-create -n clint-local-mysql-0 -t ubuntu -f /tmp/something -- -r oneiric

I think the issue is that my oneiric cache was created a long time ago:

$ ls -ld /var/cache/lxc/oneiric
drwxr-xr-x 3 root root 4096 Oct 12 10:45 /var/cache/lxc/oneiric

This check seems a bit inadequate:

    if [ ! -e "$cache/rootfs-$arch" ]; then
        download_ubuntu ...

Not sure what could be done to check that it is current though. :-P

What about adding a medium priority debconf question that would offer
to clear the lxc cache on upgrade from any versions that didn't enable
security?

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Hi Clint,

we've talked about that before, but the decision was (IIRC) that we should simply provide -F as an obvious way to flush the container, which is documented in the server guide. Then we were going to consider more drastic changes to the templates after LTS (though the most pressing reasons for that may be addressed by ubuntu-cloud template)

We could set a value in /etc/default/lxc for a maximum age to keep a container - I'm not at all averse to that.
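As an added example (not the lxc template's or any Ubuntu package's own code), this is what a cache check combining Clint's objection to the bare existence test and Serge's maximum-age idea could look like. The MAX_AGE_DAYS knob, the function name, the exact reasons it reports and the constructed sample cache are assumptions; the "$cache/rootfs-$arch" layout and the -security line in sources.list come from the thread.

```shell
#!/bin/sh
# Added example, not the lxc template's own code: instead of only asking
# "does $cache/rootfs-$arch exist?", decide whether a cached rootfs is
# too old, or was built before -security went into sources.list, and so
# must be rebuilt. MAX_AGE_DAYS is an assumed knob in the spirit of the
# /etc/default/lxc setting discussed above.

MAX_AGE_DAYS=${MAX_AGE_DAYS:-30}

# cache_needs_refresh CACHE ARCH RELEASE
# Prints one reason word and returns 0 if the cache should be rebuilt,
# returns 1 (printing "ok") if it can be reused.
cache_needs_refresh() {
    rootfs="$1/rootfs-$2"
    release=$3

    # The template's original check: nothing cached yet.
    if [ ! -e "$rootfs" ]; then
        echo missing; return 0
    fi

    # Age check: -prune keeps find on the rootfs directory itself and
    # -mtime +N matches only if it was modified more than N days ago.
    if [ -n "$(find "$rootfs" -prune -mtime +"$MAX_AGE_DAYS")" ]; then
        echo stale; return 0
    fi

    # Pocket check: caches made by older templates have no -security line.
    if ! grep -q "^deb .* ${release}-security " \
            "$rootfs/etc/apt/sources.list" 2>/dev/null; then
        echo no-security-pocket; return 0
    fi

    echo ok; return 1
}

# Demo on a constructed cache whose mtime is set to an old Oct 12 date,
# like the one shown in the bug (the year here is made up).
demo_cache=$(mktemp -d)
mkdir -p "$demo_cache/rootfs-amd64/etc/apt"
echo "deb http://archive.ubuntu.com/ubuntu oneiric main" \
    > "$demo_cache/rootfs-amd64/etc/apt/sources.list"
touch -t 201110121045 "$demo_cache/rootfs-amd64"
cache_needs_refresh "$demo_cache" amd64 oneiric || true   # prints: stale
rm -rf "$demo_cache"
```

In the template this would replace the `-e` test, so `download_ubuntu` runs whenever the function returns 0 rather than only when the directory is absent.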

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :

Note I'm not sure what to do with this bug now :) If we decide we want -security enabled for oneiric, we could keep this bug Fix Released and SRU the fix in the template. Or we can re-title this bug to make it about the max age for a cache.

(Note: in comment #4, "for a maximum age to keep a container" should read "... to keep a container cache".)

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Bug is Fix Released in precise

lxc (0.7.5-3ubuntu4) precise; urgency=low

  * add a default bridge for lxc to use. (LP: #801002)
  * Add debian/lxc.conf, which gets installed as /etc/lxc/lxc.conf as a
    sample, usable, default config. (LP: #823862)
  * Add precise to the list of distros
  * Add -updates and -security to /etc/apt/sources.list after debootstrap
    for container creation (LP: #820715)

 -- Serge Hallyn <email address hidden> Thu, 10 Nov 2011 16:00:44 -0600

This should be SRU'd to at the very least lucid, yes.

Changed in lxc (Ubuntu):
status: Incomplete → Fix Released
importance: Undecided → High
Changed in lxc (Ubuntu Lucid):
importance: Undecided → High
Changed in lxc (Ubuntu Oneiric):
importance: Undecided → High
Changed in lxc (Ubuntu Lucid):
status: New → Triaged
Changed in lxc (Ubuntu Oneiric):
status: New → Triaged
Changed in lxc (Ubuntu Maverick):
status: New → Won't Fix
Changed in lxc (Ubuntu Natty):
status: New → Triaged
importance: Undecided → High
Revision history for this message
dino99 (9d9) wrote :
Changed in lxc (Ubuntu Oneiric):
status: Triaged → Invalid
Changed in lxc (Ubuntu Natty):
status: Triaged → Invalid
Revision history for this message
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in lxc (Ubuntu Lucid):
status: Triaged → Won't Fix