Re-implement container crash forwarding
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
apport (Ubuntu) |
Fix Released
|
Wishlist
|
Stéphane Graber |
Bug Description
The container crash forwarding feature must be re-implemented to use a safe design.
The current thought is:
- Introduce a systemd unit and upstart job to have a socket activated apport crash handler
- When a crash comes from a container, have apport connect to the socket in the crashed process' root, write the arguments it received to the socket.
- The crash handler in the container will then run and close the socket when it doesn't need the crashed process anymore.
- The host crash handler then exits.
This means that we only rely on an accessible root directory for the crashed process and the crash handler will be spawned by init inside that container. This makes it safe for privileged and unprivileged containers.
As an extra security measure, rate limiting should be added so that we can only have 10 in-flight crashes and that any crash taking more than 30s to be handled get cancelled (preventing host DoS).
Related branches
Changed in apport (Ubuntu): | |
status: | Triaged → In Progress |
Changed in apport (Ubuntu): | |
status: | In Progress → Fix Committed |
This sounds good to me, as this now leaves the actual processing and any permission issues to the apport instance in the container.