migrate lxc android container to lxd
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical System Image | Invalid | Undecided | You-Sheng Yang |
lxc-android-config (Ubuntu) | Won't Fix | Undecided | Unassigned |
urfkill (Ubuntu) | Won't Fix | Undecided | Unassigned |
Bug Description
Several things to do here:
* include lxd and lxd-client in the default installation,
* add a writable path for lxd: lxd lives under /var/lib/lxd and needs write permission there to fully function,
* migrate the lxc tmpfs-based rootfs to an lxd image, the lxc configs to lxd profiles, etc.,
* migrate the systemd service definitions, etc.
[Steps to reproduce current setup]
0. rebuild the avila kernel with additional patches from https:/
1. follow bug 1641505 and https:/
2. add /var/lib/lxd to the writable paths, install lxd and lxd-client, and then reboot the device so that the writable path takes effect.
3. initialize lxd. This can take a while (2 minutes for me):
$ sudo lxd init --auto
4. apply the changes from https:/
Related branches
- Ubuntu Phablet Team: Pending requested
  Diff: 120 lines (+71/-6), 5 files modified:
  debian/control (+2/-0)
  debian/lxc-android-config.service (+7/-6)
  etc/system-image/writable-paths (+2/-0)
  lib/systemd/system/urfkill.service.d/lxc-android-config.conf (+3/-0)
  usr/lib/lxc-android-config/create-lxd-image (+57/-0)
- Alfonso Sanchez-Beato: Approve
  Diff: 353 lines (+90/-39), 5 files modified:
  include/linux/audit.h (+1/-1)
  kernel/audit.c (+68/-25)
  kernel/audit.h (+9/-4)
  kernel/auditfilter.c (+11/-8)
  security/commoncap.c (+1/-1)
description: updated
tags: added: lxd systemd
Changed in canonical-devices-system-image: milestone: none → x1
Changed in canonical-devices-system-image: assignee: nobody → Vicamo Yang (vicamo); status: New → Confirmed
description: updated
description: updated
description: updated
description: updated
description: updated
Changed in urfkill (Ubuntu): status: New → Won't Fix
Changed in lxc-android-config (Ubuntu): status: New → Won't Fix
Changed in canonical-devices-system-image: status: Confirmed → Invalid
Again, avila's kernel is pretty outdated, and its user namespace support is so poor that it actually misbehaves on certain security-related operations.
In security/commoncap.c, function cap_prctl_drop, it should check `ns_capable(...)`, not just `capable(...)`. See https://github.com/lxc/lxd/issues/2039. At least commit 160da84 "userns: Allow PR_CAPBSET_DROP in a user namespace" has to be cherry-picked, but besides that, I also found a lot of similar places to be fixed.
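A small userspace probe for the behaviour the comment above describes, added here as an example and not part of the bug report or of any kernel or lxd code: it forks a child, moves it into a fresh user namespace (where the bounding set is full), and tries `PR_CAPBSET_DROP` there. On a kernel that still checks `capable(CAP_SETPCAP)` against the initial namespace the drop fails with EPERM; with the `ns_capable()` check it succeeds. The function and enum names are ours.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/capability.h>
/* Probe outcomes (names are ours, not from the bug report). */
enum probe_result {
    PROBE_DROP_ALLOWED = 0, /* drop succeeded: kernel checks ns_capable() */
    PROBE_DROP_DENIED  = 1, /* EPERM: kernel still checks capable() against init userns */
    PROBE_NO_USERNS    = 2  /* no user namespace could be created; inconclusive */
};
/* Pure mapping of the prctl() result, separated so it can be unit-tested. */
enum probe_result classify_drop(int prctl_rc, int err)
{
    if (prctl_rc == 0) return PROBE_DROP_ALLOWED;
    return err == EPERM ? PROBE_DROP_DENIED : PROBE_NO_USERNS;
}
/* In a forked child: enter a fresh user namespace (full bounding set there),
 * then try to drop CAP_SYS_ADMIN from it. Parent state stays untouched. */
enum probe_result probe_capbset_drop_in_userns(void)
{
    int fds[2], r = PROBE_NO_USERNS;
    if (pipe(fds) != 0) return PROBE_NO_USERNS;
    pid_t pid = fork();
    if (pid < 0) return PROBE_NO_USERNS;
    if (pid == 0) {                       /* child */
        if (unshare(CLONE_NEWUSER) == 0) {
            int rc = prctl(PR_CAPBSET_DROP, CAP_SYS_ADMIN, 0, 0, 0);
            r = classify_drop(rc, errno);  /* errno read after prctl() returned */
        }
        _exit(write(fds[1], &r, sizeof r) == (ssize_t)sizeof r ? 0 : 1);
    }
    close(fds[1]);                        /* parent */
    if (read(fds[0], &r, sizeof r) != (ssize_t)sizeof r) r = PROBE_NO_USERNS;
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return r;
}
int main(void)
{
    static const char *msg[] = {
        "PR_CAPBSET_DROP allowed inside a user namespace (ns_capable() check present)",
        "PR_CAPBSET_DROP denied with EPERM (kernel lacks the userns fix, cf. commit 160da84)",
        "could not create a user namespace here; probe inconclusive" };
    puts(msg[probe_capbset_drop_in_userns()]);
    return 0;
}
```

Run it as an unprivileged user: running as real root makes `capable()` succeed too, so only the unprivileged case distinguishes the two kernel behaviours.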