Support LXD multiple sub-uid mapping
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack LXD Charm | | High | James Page |
Ubuntu Cloud Archive | | High | Unassigned |
Mitaka | | High | Unassigned |
Newton | | High | Unassigned |
Ocata | | High | Unassigned |
nova-lxd | | High | James Page |
nova-lxd (Ubuntu) | | High | James Page |
Xenial | | High | Unassigned |
Yakkety | | High | Unassigned |
Zesty | | High | James Page |
Bug Description
[Impact]
By default, all LXD containers will run with the same subuid/subgid range, which means that if a single container is compromised, all containers on the same host are potentially compromised as well.
[Test Case]
deploy a nova-lxd based openstack cloud
boot multiple instances
they all share the same uid/gid mapping within a host
boot multiple instances with a flavor property of lxd:isolated
all containers have different uid/gid mappings within a host
[Regression Potential]
Minimal in nova-lxd itself; we're just adding an additional extra-spec and tweaking the container profile if the underlying LXD daemon supports the isolation feature.
[Original Bug Report]
LXD 2.0.6 supports use of distinct sub-uid/gid for each running container; nova-lxd has support for this upstream in all stable and master branches so we should update nova-lxd in >= Xenial to support this feature.
James Page (james-page) wrote: #1
Changed in charm-lxd:
status: New → Triaged
Changed in nova-lxd (Ubuntu):
importance: Undecided → High
Changed in charm-lxd:
importance: Undecided → High
assignee: nobody → James Page (james-page)
status: Triaged → In Progress
Fix proposed to branch: master
Review: https:/
James Page (james-page) wrote: #3
Changes proposed to LXD charm to enable use of this feature (by extending the idmap ranges for the root user).
The changes as they stand in nova-lxd don't currently function - use of an unscoped key in extra specs for a flavor causes the ComputeCapabili
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/mitaka
commit 216b7a5cd50bb0e
Author: James Page <email address hidden>
Date: Wed Dec 7 15:03:24 2016 +0000
Switch to using lxd: namespace for extra-specs
Use of unscoped extra-specs confuses the ComputeCapabili
causing all LXD compute hosts to be excluded as targets for
scheduling of instances.
Switch supported extra-specs to the lxd: namespace to ensure that
they are correctly ignored by other parts of Nova, but remain
visible in the LXD compute driver:
lxd_isolated -> lxd:isolated
lxd_
lxd_
(also fixup branch configuration for stable/mitaka)
Change-Id: I5ff696769c2563
Closes-Bug: 1648056
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/newton
commit 1f04f663bc2674f
Author: James Page <email address hidden>
Date: Wed Dec 7 15:11:23 2016 +0000
Switch to using lxd: namespace for extra-specs
Use of unscoped extra-specs confuses the ComputeCapabili
causing all LXD compute hosts to be excluded as targets for
scheduling of instances.
Switch supported extra-specs to the lxd: namespace to ensure that
they are correctly ignored by other parts of Nova, but remain
visible in the LXD compute driver:
lxd_isolated -> lxd:isolated
lxd_
lxd_
(also fixup branch configuration for stable/newton)
Change-Id: I5ff696769c2563
Closes-Bug: 1648056
(cherry picked from commit 3d8968140bc53ec
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit f0773c995220f40
Author: James Page <email address hidden>
Date: Wed Dec 7 12:58:23 2016 +0000
Increase subuid/subgid range for root user
To support use of distinct subuid/subgid ranges per LXD container,
the default range for the root user must be increased to support
> 1 running container in this configuration.
Increase subuid/subgid range to support 5000 containers with distinct
ranges. Restart LXD daemon if idmap configuration changes, to ensure
that the full range of subid's are used.
Change-Id: I8b87dad736abaf
Closes-Bug: 1648056
Changed in charm-lxd:
status: In Progress → Fix Committed
Changed in nova-lxd:
assignee: nobody → James Page (james-page)
status: New → In Progress
importance: Undecided → High
Fix proposed to branch: stable/16.10
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/16.10
commit eb44a8949532699
Author: James Page <email address hidden>
Date: Wed Dec 7 12:58:23 2016 +0000
Increase subuid/subgid range for root user
To support use of distinct subuid/subgid ranges per LXD container,
the default range for the root user must be increased to support
> 1 running container in this configuration.
Increase subuid/subgid range to support 5000 containers with distinct
ranges. Restart LXD daemon if idmap configuration changes, to ensure
that the full range of subid's are used.
(also fix amulet tests for OpenStack Newton).
Change-Id: I8b87dad736abaf
Closes-Bug: 1648056
(cherry picked from commit f0773c995220f40
Changed in nova-lxd (Ubuntu Xenial):
status: New → Triaged
Changed in nova-lxd (Ubuntu Yakkety):
status: New → Triaged
Changed in nova-lxd (Ubuntu Zesty):
status: New → Triaged
Changed in nova-lxd:
status: In Progress → Fix Released
Changed in charm-lxd:
status: Fix Committed → Fix Released
description: updated
James Page (james-page) wrote: #9
Xenial/Mitaka packages consumable from:
https:/
until the SRU is accepted.
James Page (james-page) wrote: #10
Xenial/Newton and Yakkety/Newton packages consumable from:
https:/
until the SRU is accepted.
Changed in nova-lxd (Ubuntu Yakkety):
importance: Undecided → High
Changed in nova-lxd (Ubuntu Xenial):
importance: Undecided → High
Changed in nova-lxd (Ubuntu Zesty):
status: Triaged → In Progress
Changed in nova-lxd (Ubuntu Yakkety):
status: Triaged → In Progress
Changed in nova-lxd (Ubuntu Xenial):
status: Triaged → In Progress
Changed in nova-lxd (Ubuntu Zesty):
assignee: nobody → James Page (james-page)
Launchpad Janitor (janitor) wrote: #11
This bug was fixed in the package nova-lxd - 15.0.0~
---------------
nova-lxd (15.0.0~
* New upstream release (LP: #1648056).
-- James Page <email address hidden> Thu, 15 Dec 2016 11:30:53 +0000
Changed in nova-lxd (Ubuntu Zesty):
status: In Progress → Fix Released
Hello James, or anyone else affected,
Accepted nova-lxd into xenial-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in nova-lxd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
James Page (james-page) wrote: #13
Tested xenial proposed - using the lxd:isolated flavor property resulted in LXD containers on the same host having different subuid/subgid mappings.
tags: added: verification-done removed: verification-needed
Changed in cloud-archive:
status: Triaged → Fix Committed
Robie Basak (racb) wrote: Update Released #14
The verification of the Stable Release Update for nova-lxd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote: #15
This bug was fixed in the package nova-lxd - 13.2.0-0ubuntu1
---------------
nova-lxd (13.2.0-0ubuntu1) xenial; urgency=medium
* New upstream release for Openstack Mitaka (LP: #1649368, #1648056):
- d/p/*: Dropped, no longer required as included upstream.
-- Chuck Short <email address hidden> Mon, 12 Dec 2016 13:35:03 -0500
Changed in nova-lxd (Ubuntu Xenial):
status: Fix Committed → Fix Released
James Page (james-page) wrote: #16
This bug was fixed in the package nova-lxd - 15.0.0~
---------------
nova-lxd (15.0.0~
.
* New upstream release for the Ubuntu Cloud Archive.
.
nova-lxd (15.0.0~
.
* New upstream release (LP: #1648056).
Changed in cloud-archive:
status: Fix Committed → Fix Released
Hello James, or anyone else affected,
Accepted nova-lxd into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
tags: added: verification-mitaka-needed
Andy Whitcroft (apw) wrote: #19
Hello James, or anyone else affected,
Accepted nova-lxd into yakkety-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in nova-lxd (Ubuntu Yakkety):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
James Page (james-page) wrote: #20
Hello James, or anyone else affected,
Accepted nova-lxd into newton-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.
Please help us by testing this new package. To enable the -proposed repository:
sudo add-apt-repository cloud-archive:
sudo apt-get update
Your feedback will aid us getting this update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-
Further information regarding the verification process can be found at https:/
tags: added: verification-newton-needed
James Page (james-page) wrote: #21
Verified LXD isolation on yakkety:
$ ps -aef | grep init
165536 1934 1910 0 11:59 ? 00:00:00 /sbin/init
231072 3203 3185 0 11:59 ? 00:00:00 /sbin/init
container init and other processes running in distinct ranges.
tags: added: verification-done removed: verification-needed
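The manual check in #21 (every container init running under its own host UID) and the range sizing from the "Increase subuid/subgid range for root user" commit, written up as a small shell script. This is an added example, not code from the bug report, nova-lxd or the LXD charm; the ps lines and the /etc/subuid entry are constructed samples, and the 65536-ids-per-container size and 100000 root base are assumptions.

```sh
#!/bin/sh
# Added example (not from the bug report, nova-lxd or the LXD charm): turns the
# manual check in comment #21 into a repeatable test, and sizes a root subuid
# entry the way the charm commit describes (one 65536-id range per container).

# Constructed sample, modelled on the `ps -aef | grep init` output in #21.
# Columns: UID PID PPID C STIME TTY TIME CMD
ISOLATED_PS='165536 1934 1910 0 11:59 ? 00:00:00 /sbin/init
231072 3203 3185 0 11:59 ? 00:00:00 /sbin/init'

# Constructed counter-example: two containers on the same shared map.
SHARED_PS='100000 1934 1910 0 11:59 ? 00:00:00 /sbin/init
100000 3203 3185 0 11:59 ? 00:00:00 /sbin/init'

# Constructed /etc/subuid line (an assumption, not a value quoted on the page).
SAMPLE_SUBUID='root:100000:327680000'

# Number of container init processes in a ps listing. Matching on the last
# field keeps a stray `grep init` line out of the count.
init_count() {
    printf '%s\n' "$1" | awk '$NF == "/sbin/init"' | wc -l | tr -d ' '
}

# Number of distinct host UIDs those inits run as.
distinct_init_uids() {
    printf '%s\n' "$1" | awk '$NF == "/sbin/init" { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Succeeds only if every container init has its own host UID, i.e. no two
# containers share a subuid range. Fails on the pre-fix behaviour from the
# [Test Case] (all instances on one shared mapping) and on an empty listing.
check_isolation() {
    [ "$(init_count "$1")" -gt 0 ] &&
        [ "$(init_count "$1")" -eq "$(distinct_init_uids "$1")" ]
}

# How many full 65536-id ranges a root subuid entry holds. LXD's shared default
# map is carved from the same entry (assumed base 100000; the isolated UIDs in
# the listing above start one block higher, at 165536), so isolated
# containers get what is left after it.
subuid_ranges() {
    printf '%s\n' "$1" | awk -F: '$1 == "root" { printf "%d\n", int($3 / 65536) }'
}

if check_isolation "$ISOLATED_PS"; then
    echo "isolated: ok ($(init_count "$ISOLATED_PS") containers, distinct uids)"
fi
check_isolation "$SHARED_PS" || echo "shared: containers share a uid map"
echo "root entry holds $(subuid_ranges "$SAMPLE_SUBUID") ranges of 65536 ids"
```

On a live compute host, feed `check_isolation` the output of `ps -eo uid,pid,ppid,c,stime,tty,time,args | sed 1d` instead of the sample, and `subuid_ranges` the root line from /etc/subuid.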
James Page (james-page) wrote: #22
Just to ensure complete transparency here; the LXD in yakkety does not support container isolation; the LXD team provide backports of newer stable LXD versions to all supported Ubuntu versions - so I
a) Tested with yakkety LXD
Driver correctly identified that the backend LXD did not support isolation and rejected the scheduling request.
b) Tested on yakkety with the LXD stable PPA (LXD 2.8)
Driver detected the feature and isolated LXD containers as detailed in #21
Launchpad Janitor (janitor) wrote: #23
Changed in nova-lxd (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Charm will also need some updates to support configuration of an expanded uid range for suid/guid.