[lxc-devel] [lxd/master] Documentation fixes

stgraber on Github lxc-bot at linuxcontainers.org
Mon Jan 7 17:46:59 UTC 2019


A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190107/b5330c28/attachment.bin>
-------------- next part --------------
From 6a5d5c644987f1c98ae1cb7d04ddc75ec6c62975 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 7 Jan 2019 18:07:08 +0100
Subject: [PATCH 1/2] doc: Cleanup security.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

 - Remove section about potential future features
 - s/ssh/SSH/
 - Add details about "lxc config trust add"

Closes #5386

Signed-off-by: St├ęphane Graber <stgraber at ubuntu.com>
---
 doc/security.md | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/doc/security.md b/doc/security.md
index 17bacdc9a5..4070bb9f01 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -5,9 +5,9 @@ socket and access is restricted by socket ownership and mode.
 
 Remote communications with the LXD daemon happen using JSON over HTTPS.
 The supported protocol must be TLS1.2 or better.
+
 All communications must use perfect forward secrecy and ciphers must be
-limited to strong elliptic curve ones (such as ECDHE-RSA or
-ECDHE-ECDSA).
+limited to strong elliptic curve ones (such as ECDHE-RSA or ECDHE-ECDSA).
 
 Any generated key should be at least 4096bit RSA and when using
 signatures, only SHA-2 signatures should be trusted.
@@ -38,15 +38,9 @@ it matches, the client certificate is added to the server's trust store
 and the client can now connect to the server without having to provide
 any additional credentials.
 
-This is a workflow that's very similar to that of ssh where an initial
+This is a workflow that's very similar to that of SSH where an initial
 connection to an unknown server triggers a prompt.
 
-A possible extension to that is to support something similar to ssh's
-fingerprint in DNS feature where the certificate fingerprint is added as
-a TXT record, then if the domain is signed by DNSSEC, the client will
-automatically accept the fingerprint if it matches that in the DNS
-record.
-
 ## Adding a remote with a PKI based setup
 In the PKI setup, a system administrator is managing a central PKI, that
 PKI then issues client certificates for all the lxc clients and server
@@ -94,11 +88,14 @@ presenting the token received from the authentication server.  The LXD server
 verifies the token, thus authenticating the request.  The token is stored as
 cookie and is presented by the client at each request to LXD.
 
-
 ## Managing trusted clients
 The list of certificates trusted by a LXD server can be obtained with `lxc
 config trust list`.
 
+Clients can manually be added using `lxc config trust add <file>`,
+removing the need for a shared trust password by letting an existing
+administrator add the new client certificate directly to the trust store.
+
 To revoke trust to a client its certificate can be removed with `lxc config
 trust remove FINGERPRINT`.
 

From 477a1c3dd221433da09d9c8cd1c3bf480c9e1fb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 7 Jan 2019 18:45:13 +0100
Subject: [PATCH 2/2] doc: Clarify measurement units
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #5393

Signed-off-by: St├ęphane Graber <stgraber at ubuntu.com>
---
 doc/containers.md | 50 +++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 44 insertions(+), 6 deletions(-)

diff --git a/doc/containers.md b/doc/containers.md
index 4881681949..9e4cef0bca 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -47,7 +47,7 @@ limits.cpu.allowance                    | string    | 100%              | yes
 limits.cpu.priority                     | integer   | 10 (maximum)      | yes           | -                                    | CPU scheduling priority compared to other containers sharing the same CPUs (overcommit) (integer between 0 and 10)
 limits.disk.priority                    | integer   | 5 (medium)        | yes           | -                                    | When under load, how much priority to give to the container's I/O requests (integer between 0 and 10)
 limits.kernel.\*                        | string    | -                 | no            | kernel\_limits                       | This limits kernel resources per container (e.g. number of open files)
-limits.memory                           | string    | - (all)           | yes           | -                                    | Percentage of the host's memory or fixed value in bytes (supports kB, MB, GB, TB, PB and EB suffixes)
+limits.memory                           | string    | - (all)           | yes           | -                                    | Percentage of the host's memory or fixed value in bytes (various suffixes supported, see below)
 limits.memory.enforce                   | string    | hard              | yes           | -                                    | If hard, container can't exceed its memory limit. If soft, the container can exceed its memory limit when extra host memory is available.
 limits.memory.swap                      | boolean   | true              | yes           | -                                    | Whether to allow some of the container's memory to be swapped out to disk
 limits.memory.swap.priority             | integer   | 10 (maximum)      | yes           | -                                    | The higher this is set, the least likely the container is to be swapped to disk (integer between 0 and 10)
@@ -237,8 +237,8 @@ Different network interface types have different additional properties, the curr
 Key                     | Type      | Default           | Required  | Used by                           | API extension                          | Description
 :--                     | :--       | :--               | :--       | :--                               | :--                                    | :--
 nictype                 | string    | -                 | yes       | all                               | -                                      | The device type, one of "bridged", "macvlan", "p2p", "physical", or "sriov"
-limits.ingress          | string    | -                 | no        | bridged, p2p                      | -                                      | I/O limit in bit/s for incoming traffic (supports kbit, Mbit, Gbit suffixes)
-limits.egress           | string    | -                 | no        | bridged, p2p                      | -                                      | I/O limit in bit/s for outgoing traffic (supports kbit, Mbit, Gbit suffixes)
+limits.ingress          | string    | -                 | no        | bridged, p2p                      | -                                      | I/O limit in bit/s for incoming traffic (various suffixes supported, see below)
+limits.egress           | string    | -                 | no        | bridged, p2p                      | -                                      | I/O limit in bit/s for outgoing traffic (various suffixes supported, see below)
 limits.max              | string    | -                 | no        | bridged, p2p                      | -                                      | Same as modifying both limits.ingress and limits.egress
 name                    | string    | kernel assigned   | no        | all                               | -                                      | The name of the interface inside the container
 host\_name              | string    | randomly assigned | no        | bridged, macvlan, p2p, sriov      | -                                      | The name of the interface inside the host
@@ -353,14 +353,14 @@ The following properties exist:
 
 Key             | Type      | Default           | Required  | Description
 :--             | :--       | :--               | :--       | :--
-limits.read     | string    | -                 | no        | I/O limit in byte/s (supports kB, MB, GB, TB, PB and EB suffixes) or in iops (must be suffixed with "iops")
-limits.write    | string    | -                 | no        | I/O limit in byte/s (supports kB, MB, GB, TB, PB and EB suffixes) or in iops (must be suffixed with "iops")
+limits.read     | string    | -                 | no        | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
+limits.write    | string    | -                 | no        | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
 limits.max      | string    | -                 | no        | Same as modifying both limits.read and limits.write
 path            | string    | -                 | yes       | Path inside the container where the disk will be mounted
 source          | string    | -                 | yes       | Path on the host, either to a file/directory or to a block device
 optional        | boolean   | false             | no        | Controls whether to fail if the source doesn't exist
 readonly        | boolean   | false             | no        | Controls whether to make the mount read-only
-size            | string    | -                 | no        | Disk size in bytes (supports kB, MB, GB, TB, PB and EB suffixes). This is only supported for the rootfs (/).
+size            | string    | -                 | no        | Disk size in bytes (various suffixes supported, see below). This is only supported for the rootfs (/).
 recursive       | boolean   | false             | no        | Whether or not to recursively mount the source path
 pool            | string    | -                 | no        | The storage pool the disk device belongs to. This is only applicable for storage volumes managed by LXD.
 propagation     | string    | -                 | no        | Controls how a bind-mount is shared between the container and the host. (Can be one of `private`, the default, or `shared`, `slave`, `unbindable`,  `rshared`, `rslave`, `runbindable`,  `rprivate`. Please see the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation)
@@ -467,6 +467,44 @@ security.gid    | int       | 0                 | no        | What GID to drop p
 lxc config device add <container> <device-name> proxy listen=<type>:<addr>:<port>[-<port>][,<port>] connect=<type>:<addr>:<port> bind=<host/container>
 ```
 
+## Units for storage and network limits
+Any value representing bytes or bits can make use of a number of useful
+suffixes to make it easier to understand what a particular limit is.
+
+Both decimal and binary (kibi) units are supported with the latter
+mostly making sense for storage limits.
+
+The full list of bit suffixes currently supported is:
+
+ - bit (1)
+ - kbit (1000)
+ - Mbit (1000^2)
+ - Gbit (1000^3)
+ - Tbit (1000^4)
+ - Pbit (1000^5)
+ - Ebit (1000^6)
+ - Kibit (1024)
+ - Mibit (1024^2)
+ - Gibit (1024^3)
+ - Tibit (1024^4)
+ - Pibit (1024^5)
+ - Eibit (1024^6)
+
+The full list of byte suffixes currently supported is:
+ - B or bytes (1)
+ - kB (1000)
+ - MB (1000^2)
+ - GB (1000^3)
+ - TB (1000^4)
+ - PB (1000^5)
+ - EB (1000^6)
+ - KiB (1024)
+ - MiB (1024^2)
+ - GiB (1024^3)
+ - TiB (1024^4)
+ - PiB (1024^5)
+ - EiB (1024^6)
+
 ## Instance types
 LXD supports simple instance types. Those are represented as a string
 which can be passed at container creation time.


More information about the lxc-devel mailing list