[FFE] add pre-mount container startup hook

Bug #1043052 reported by Serge Hallyn
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
Medium
Unassigned

Bug Description

It is possible to use an ecryptfs backing store for a container's rootfs. Advantages include the inability of unprivileged processes to see the container's file contents, and, if the host is a cloud instance, confidence that when disk space is recycled for a new instance, container data will be scrambled.

To do this right, the container rootfs should be mounted in the container's namespace (so after clone(2)) and before its rootfs is mounted. That requires a new hook, 'pre-start'.

This hook is trivial to add. The patch to add it will be attached to this bug for the release team's review.

Related branches

Revision history for this message
Serge Hallyn (serge-hallyn) wrote :
Changed in lxc (Ubuntu):
importance: Undecided → Medium
Revision history for this message
Stéphane Graber (stgraber) wrote :

This hook will be useful to a lot of users and doesn't change anything by default. The code has been around for a while, is simple and can't cause any obvious regression.

Granting the FFe.

Changed in lxc (Ubuntu):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 0.8.0~rc1-4ubuntu33

---------------
lxc (0.8.0~rc1-4ubuntu33) quantal; urgency=low

  [ Serge Hallyn ]
  * 0206-lxc-wait-initialize-timeout: initialize timeout to -1 so lxc-wait
    will, by default, wait for the container to enter the requested state.
  * debian/patches/compilecleanups/* - fix compile time warnings.
  * lxc.lxc-net.upstart: tell iptables not to masquerate packets between
    containers. (LP: #1045947)
  * 0208-fix-getitem-utsname-segv: fix seg fault when doing get_item(utsname)
    on newly created container.
  * 0209-reload-conf-after-create: add ability to free a lxc_conf. Use that
    after calling Container->Create() to completely reload the newly created
    config.
  * 0211-add-hooks-to-manpage: document lxc.hook in the lxc.conf manpage.
  * 0212-lxc-destroy-rm-symlink: If rootfs is a symbolic link to a directory,
    remove it. (LP: #1046117)
  * 0213-add-premount-hook.patch: add a premount hook to support encrypted
    filesystems. (LP: #1043052)

  [ Scott Moser ]
  * 0207-ubuntu-cloud-fixes.patch: cleanups to lxc-ubuntu-cloud.in
    fix for quantal images that do not have user 'ubuntu' present
    (LP: #1045955)

  [ Rex Tsai ]
  * 0210-fix-debian-templates: Fix lxc-shutdown/lxc-restart in Debian
    containers and fix lxc.utsname for lenny containers.
    (LP: #1046684, LP: #1046696)

  [ Stéphane Graber ]
  * lxc.lxc-net.upstart: Make the iptables call more consistent (LP: #1045947)
 -- Serge Hallyn <email address hidden> Thu, 30 Aug 2012 11:32:06 -0500

Changed in lxc (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers