[MIR] lxd-agent-loader
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lxd-agent-loader (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
Availability: Currently in universe
Rationale:
LXD now supports virtual machines. In order for all features to work properly, an agent must
be running in the image. As Ubuntu is a first class citizen in LXD, we'd like Ubuntu to ship
with the integration bits needed to automatically integrate with LXD when running on such host.
This package is made of two systemd units, both of which are keyed to only be considered if
running on a LXD system (so they're always safe to have around and will not delay boot).
The agent itself is loaded from the LXD host, guaranteeing that the same version is running
in host and guest (required due to tightly coupled features/APIs). So this package will
remain tiny and will most likely pretty much never need any updates.
Quality assurance:
- No testsuite (doesn't contain anything but two systemd units)
- No watch file (this is a native package) but debian/copyright includes details on where to find the source bits.
UI standards: Not a GUI package
Dependencies: none
Standards compliance: Complaint with current debian standards, lintian clean (including pedantic)
Maintenance: ~ubuntu-lxc owns this package (subscribed)
Background information: This is done ahead of seeding this package in the Ubuntu Cloud images
Security checks: No binaries included, systemd units only, setup to only trigger inside LXD VMs
I reviewed lxd-agent-loader 0.3 as checked into focal. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
lxd-agent-loader is just 2 systemd units. As such, this package does not really
have much of an attack surface to speak of. There's no code, just 2
configuration files. I see no reason why, from a security perspective, it should
be difficult to maintain 2 systemd units over the life of an LTS.
Security ACK for promoting lxd-agent-loader to main.