LXC container can control other containers' CPU share, memory limit, or access to block and character devices
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-manuals | Fix Released | High | Anne Gentle |
libvirt (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
I installed OpenStack with nova-compute-lxc. As we know, OpenStack uses cgroups to limit the resources of LXC instances, but when I installed cgroup-bin in the LXC instance, I could control other containers' CPU share, memory limit, access to block and character devices, etc.
I suspect that the host and the LXC instance share the cgroup, as it is kernel based?
in the lxc instance:
#show four instances; we are in the instance named "instance-0000011e"
root@openstack:
total 0
drwxr-xr-x 6 root root 0 Dec 7 16:19 ./
drwxr-xr-x 4 root root 0 Dec 7 12:45 ../
-rw-r--r-- 1 root root 0 Dec 7 12:45 cgroup.
--w--w--w- 1 root root 0 Dec 7 12:45 cgroup.
-rw-r--r-- 1 root root 0 Dec 7 12:45 cgroup.procs
--w------- 1 root root 0 Dec 7 12:45 devices.allow
--w------- 1 root root 0 Dec 7 12:45 devices.deny
-r--r--r-- 1 root root 0 Dec 7 12:45 devices.list
drwxr-xr-x 3 root root 0 Dec 7 16:19 instance-0000011e/
drwxr-xr-x 2 root root 0 Dec 7 16:22 instance-0000011f/
drwxr-xr-x 3 root root 0 Dec 7 17:28 instance-00000120/
drwxr-xr-x 2 root root 0 Dec 10 08:35 instance-00000121/
-rw-r--r-- 1 root root 0 Dec 7 12:45 notify_on_release
-rw-r--r-- 1 root root 0 Dec 7 12:45 tasks
#we can see instance-00000121's devices.list, and we can mknod /dev/kvm in instance-00000121
root@openstack:
c 10:* rwm
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
#change the device list of instance-00000121 and re-read the device list; now we CAN NOT mknod /dev/kvm
root@openstack:
root@openstack:
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
Memory limit and CPU share can do the same thing, and if I use native LXC, the same problem appears.
Have I reported the right bug in the right place?
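The two devices.list dumps above are the cgroup v1 devices-controller whitelist before and after the reporter removed the `c 10:* rwm` entry. The following is an added example, not code from the bug report, OpenStack or libvirt: it parses that whitelist format and evaluates whether a given device node may be created, and it diffs two snapshots of a container's whitelist so an operator can spot an entry that was removed or added from outside the expected management path. It assumes the kernel's whitelist semantics (an operation is permitted when some entry matches the device type, major and minor and grants every requested access flag; type `a` matches any device and `*` matches any number) and uses the fact that /dev/kvm is character device 10:232 (misc major 10), which is why dropping `c 10:* rwm` blocks the mknod. The sample inputs are the two listings from the report, embedded here as constructed strings.

```python
import re
from typing import List, NamedTuple


class DeviceRule(NamedTuple):
    """One devices.list / devices.allow / devices.deny entry."""
    dev_type: str   # 'a' (all), 'b' (block) or 'c' (character)
    major: str      # decimal number or '*'
    minor: str      # decimal number or '*'
    access: str     # subset of 'r' (read), 'w' (write), 'm' (mknod)


# "c 10:* rwm", "b 8:0 rw", "a *:* rwm"
RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")


def parse_devices_list(text: str) -> List[DeviceRule]:
    """Parse the text of a devices.list file into rule entries."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError(f"unrecognised devices.list entry: {line!r}")
        rules.append(DeviceRule(*match.groups()))
    return rules


def _number_matches(pattern: str, value: int) -> bool:
    return pattern == "*" or int(pattern) == value


def is_allowed(rules: List[DeviceRule], dev_type: str,
               major: int, minor: int, access: str) -> bool:
    """True if some whitelist entry matches the device and grants all of `access`."""
    wanted = set(access)
    for rule in rules:
        if rule.dev_type != "a" and rule.dev_type != dev_type:
            continue
        if not (_number_matches(rule.major, major) and _number_matches(rule.minor, minor)):
            continue
        if wanted <= set(rule.access):
            return True
    return False


def rules_removed(before_text: str, after_text: str) -> List[DeviceRule]:
    """Entries present in the earlier snapshot but missing from the later one."""
    after = set(parse_devices_list(after_text))
    return [r for r in parse_devices_list(before_text) if r not in after]


def rules_added(before_text: str, after_text: str) -> List[DeviceRule]:
    """Entries present in the later snapshot that the earlier one did not have."""
    before = set(parse_devices_list(before_text))
    return [r for r in parse_devices_list(after_text) if r not in before]


# /dev/kvm: character device, misc major 10, minor 232.
KVM = ("c", 10, 232)


def kvm_mknod_allowed(devices_list_text: str) -> bool:
    """Would `mknod /dev/kvm` succeed under this whitelist?"""
    rules = parse_devices_list(devices_list_text)
    return is_allowed(rules, KVM[0], KVM[1], KVM[2], "m")


# Constructed sample input: the two devices.list dumps of instance-00000121
# quoted in the bug report, before and after the reporter edited them.
BEFORE = """\
c 10:* rwm
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
"""

AFTER = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:2 rwm
c 136:* rwm
"""

if __name__ == "__main__":
    print("mknod /dev/kvm allowed before:", kvm_mknod_allowed(BEFORE))
    print("mknod /dev/kvm allowed after: ", kvm_mknod_allowed(AFTER))
    for rule in rules_removed(BEFORE, AFTER):
        print("whitelist entry removed:", " ".join([rule.dev_type,
              f"{rule.major}:{rule.minor}", rule.access]))
```

In a deployment, the same diff can be run against a saved copy of each instance's devices.list taken when nova created the container; any entry that appears or disappears without a corresponding management action is a sign that something other than the hypervisor is writing to the cgroup, which is exactly the condition the report describes.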
Changed in nova:
status: New → Confirmed
tags: added: lxc
information type: Private Security → Public
tags: added: nova
Changed in openstack-manuals:
assignee: nobody → Anne Gentle (annegentle)
Thanks, this is because per-container apparmor policies are not yet enabled in libvirt-lxc, as they are in lxc.
This can be solved either with apparmor, or (sometime before 14.04) with user namespaces.