[lxc-devel] Release plan for LXC 1.1 (and systemd)

Stéphane Graber stgraber at ubuntu.com
Wed Nov 26 15:51:15 UTC 2014


Hello,

So we've now been working on 1.1 for a LONG time and indeed got quite a
few nice things in there.

I think it's now time to focus on the last few bits and then release
that thing and focus on LXC 1.2.

My current plan is for alpha3 to be tagged next week and then rc
releases in December with a release in early January.


The main blocker for this release is systemd support. I want LXC 1.1 to
support both privileged and unprivileged systemd using recent systemd
(there's only so much we can do about the old one) and running in a safe
way (so no disabling apparmor profiles).

The current plan to achieve this (and I'm only focusing on unprivileged
as privileged will then magically work too) is:
 1) Implement a minimal lxc.autodev for unprivileged containers, where
    rather than mknodding in /dev/.lxc it'll just mount a tmpfs on top of
    the container's /dev, then bind-mount the usual set of devices from the
    host's /dev.
 2) Use init system detection to turn on lxc.autodev, disable lxc.kmsg
    and set an appropriate lxc.mount.auto if the container's init system is
    systemd (this would only change the default values of both options, any
    entry in the config would still override).
 3) Implement a minimal lxc.init_cmd configuration option which lets the
    user override the default (/sbin/init) command for the container.
 4) Get lxfs (formerly cgmanagerfs, formerly lxcfs) working properly so
    that if installed, /sys/fs/cgroup in a container is a fuse filesystem
    returning you the cgroupfs view that the container expects.

I've got a hack to simulate 1) here as well as a prototype of 4) which
lets me boot an unprivileged systemd container on my system all the way
to a login prompt. Unfortunately my hackish lxfs implementation in
python then segfaults and everything falls apart, but that shows that
the concept is valid :)

We had a chat with Lennart at Linux Plumbers 2014 and the systemd team
is currently working on getting systemd to run in an environment where
cap_sys_admin was dropped. That environment being even more harsh than
an unprivileged container, any issue we still find with systemd after we
implement the plan above should be discussed with systemd upstream
before we look into any workaround.


I'm going to be working on some of those over the next few weeks, but
any help would be greatly appreciated as I'll also be travelling and so
my time will unfortunately be limited (especially as it'll be split
between this, the new website and some lxd work).


Thanks!

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20141126/8c1a8039/attachment.sig>


More information about the lxc-devel mailing list