[MIR] lxcfs
Bug #1413405 reported by Stéphane Graber
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lxcfs (Ubuntu) | Fix Released | Undecided | Serge Hallyn |
Bug Description
lxcfs is a dependency of LXC for containers running systemd.
As a result, it is required to run modern Ubuntu or Debian (or any systemd-powered distro) within LXC.
Availability: currently in universe (version 0.3)
Rationale: required for systemd containers in LXC
Security: no open bugs in LP, actively maintained, no CVE. Ships a daemon running as root, mounts a fuse filesystem and uses cgmanager for access checks.
Quality: actively maintained upstream, though a very young project
Dependencies: all depends are in main
Standards: compliant
Maintenance: actively maintained by upstream
The ~ubuntu-lxc team is subscribed to bug mail for this package.
Changed in lxcfs (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in lxcfs (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → Seth Arnold (seth-arnold)
Changed in lxcfs (Ubuntu):
assignee: Seth Arnold (seth-arnold) → Tyler Hicks (tyhicks)
status: New → In Progress
Changed in lxcfs (Ubuntu):
assignee: Stéphane Graber (stgraber) → Serge Hallyn (serge-hallyn)
I've reviewed lxcfs 0.7-0ubuntu2 in Vivid. Due to time constraints, this should not be considered a full audit. I focused on common mistakes in C and any interesting pieces of code that caught my eye. Here are some of the more important pieces from my notes:
* lxcfs provides "A cgroupfs-like tree which is container aware and works using CGManager." and "A set of files which can be bind-mounted over their /proc originals to provide CGroup-aware values."
* No CVE history (the project is very young)
* Minimal build deps (libcgmanager and libfuse are the only notables)
* lxcfs is a root-owned fuse daemon
- Uses libfuse to daemonize
* Test suite consists of two simple tests (one for the cgroup subdir and one for the proc subdir) that are packaged as autopkgtests
* Packaging is clean and simple
* The build is clean
There is one issue that could be addressed:
* Technically, the memory pointed to by the 'd' pointer is never freed from
main() in lxcfs.c. This is not an issue in practice but would be nice to
silence the warning from cppcheck and probably other checkers.
There is one issue that must be addressed:
* In many of the lxcfs_ops functions, the matching of the /cgroup path
component is a little off. The strncmp() is limited to only the first 7 chars
and then there's nothing in pick_controller_from_path() verifying that the
8th char is a '/'. This results in "/cgroup@freezer/a/b" being treated as a
valid path.
There is one open question that I have:
* In pid_to_ns_wrapper(), you access /proc/<PID>/ns/pid, where <PID> comes from
the struct fuse_context that is initially passed into lxcfs_read(). Is that
process pinned for the lifetime of the lxcfs_read() or could it be recycled
in the middle of the lxcfs_read()? We need to be sure that
pid_to_ns_wrapper() is not accessing the ns of a recycled pid.
Once the "/cgroup" strncmp() matching issue is fixed and pid_to_ns_wrapper() is deemed safe, lxcfs gets a Security Team ack for main. It is a complex solution for a complicated problem but I'm very confident that the containers team will quickly address any issues discovered in the future. Thanks!
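The "/cgroup" prefix-matching issue raised in the review above, shown as an added example (this is not lxcfs code and not the reviewer's): a 7-byte strncmp() accepts "/cgroup@freezer/a/b", while a check that also requires a component boundary at the 8th byte rejects it. The helper `controller_from_path` and the sample paths are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CG_PREFIX "/cgroup"
#define CG_PREFIX_LEN (sizeof(CG_PREFIX) - 1) /* 7 bytes */

/* Loose check as the review describes it: only the first 7 bytes are compared. */
static int is_cgroup_path_loose(const char *path)
{
    return strncmp(path, CG_PREFIX, CG_PREFIX_LEN) == 0;
}

/* Strict check: the prefix must end at a component boundary ('/' or end of string).
 * If strncmp matched 7 bytes, index 7 is in bounds (at worst it is the NUL). */
static int is_cgroup_path_strict(const char *path)
{
    if (strncmp(path, CG_PREFIX, CG_PREFIX_LEN) != 0)
        return 0;
    return path[CG_PREFIX_LEN] == '\0' || path[CG_PREFIX_LEN] == '/';
}

/* Hypothetical helper (not lxcfs's pick_controller_from_path): copy the first
 * component after "/cgroup/" into out. Returns 0 on success, -1 otherwise. */
static int controller_from_path(const char *path, char *out, size_t outlen)
{
    const char *start, *end;
    size_t len;
    if (!is_cgroup_path_strict(path) || path[CG_PREFIX_LEN] != '/')
        return -1;                      /* not under /cgroup/, or bare "/cgroup" */
    start = path + CG_PREFIX_LEN + 1;
    end = strchr(start, '/');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= outlen)
        return -1;                      /* empty component or would not fit */
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample paths, including the one from the review. */
    const char *s[] = { "/cgroup", "/cgroup/freezer/a/b", "/cgroup@freezer/a/b" };
    char ctrl[32];
    for (size_t i = 0; i < sizeof(s) / sizeof(s[0]); i++) {
        int rc = controller_from_path(s[i], ctrl, sizeof(ctrl));
        printf("%-22s loose=%d strict=%d controller=%s\n", s[i],
               is_cgroup_path_loose(s[i]), is_cgroup_path_strict(s[i]),
               rc == 0 ? ctrl : "(none)");
    }
    return 0;
}
```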