[lxc-devel] [lxd/master] Documentation fixes
stgraber on Github
lxc-bot at linuxcontainers.org
Mon Jan 7 17:46:59 UTC 2019
A non-text attachment was scrubbed...
Name: not available
Type: text/x-mailbox
Size: 301 bytes
Desc: not available
URL: <http://lists.linuxcontainers.org/pipermail/lxc-devel/attachments/20190107/b5330c28/attachment.bin>
-------------- next part --------------
From 6a5d5c644987f1c98ae1cb7d04ddc75ec6c62975 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 7 Jan 2019 18:07:08 +0100
Subject: [PATCH 1/2] doc: Cleanup security.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Remove section about potential future features
- s/ssh/SSH/
- Add details about "lxc config trust add"
Closes #5386
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/security.md | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/doc/security.md b/doc/security.md
index 17bacdc9a5..4070bb9f01 100644
--- a/doc/security.md
+++ b/doc/security.md
@@ -5,9 +5,9 @@ socket and access is restricted by socket ownership and mode.
Remote communications with the LXD daemon happen using JSON over HTTPS.
The supported protocol must be TLS1.2 or better.
+
All communications must use perfect forward secrecy and ciphers must be
-limited to strong elliptic curve ones (such as ECDHE-RSA or
-ECDHE-ECDSA).
+limited to strong elliptic curve ones (such as ECDHE-RSA or ECDHE-ECDSA).
Any generated key should be at least 4096bit RSA and when using
signatures, only SHA-2 signatures should be trusted.
@@ -38,15 +38,9 @@ it matches, the client certificate is added to the server's trust store
and the client can now connect to the server without having to provide
any additional credentials.
-This is a workflow that's very similar to that of ssh where an initial
+This is a workflow that's very similar to that of SSH where an initial
connection to an unknown server triggers a prompt.
-A possible extension to that is to support something similar to ssh's
-fingerprint in DNS feature where the certificate fingerprint is added as
-a TXT record, then if the domain is signed by DNSSEC, the client will
-automatically accept the fingerprint if it matches that in the DNS
-record.
-
## Adding a remote with a PKI based setup
In the PKI setup, a system administrator is managing a central PKI, that
PKI then issues client certificates for all the lxc clients and server
@@ -94,11 +88,14 @@ presenting the token received from the authentication server. The LXD server
verifies the token, thus authenticating the request. The token is stored as
cookie and is presented by the client at each request to LXD.
-
## Managing trusted clients
The list of certificates trusted by a LXD server can be obtained with `lxc
config trust list`.
+Clients can manually be added using `lxc config trust add <file>`,
+removing the need for a shared trust password by letting an existing
+administrator add the new client certificate directly to the trust store.
+
To revoke trust to a client its certificate can be removed with `lxc config
trust remove FINGERPRINT`.
From 477a1c3dd221433da09d9c8cd1c3bf480c9e1fb0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Mon, 7 Jan 2019 18:45:13 +0100
Subject: [PATCH 2/2] doc: Clarify measurement units
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Closes #5393
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
doc/containers.md | 50 +++++++++++++++++++++++++++++++++++++++++------
1 file changed, 44 insertions(+), 6 deletions(-)
diff --git a/doc/containers.md b/doc/containers.md
index 4881681949..9e4cef0bca 100644
--- a/doc/containers.md
+++ b/doc/containers.md
@@ -47,7 +47,7 @@ limits.cpu.allowance | string | 100% | yes
limits.cpu.priority | integer | 10 (maximum) | yes | - | CPU scheduling priority compared to other containers sharing the same CPUs (overcommit) (integer between 0 and 10)
limits.disk.priority | integer | 5 (medium) | yes | - | When under load, how much priority to give to the container's I/O requests (integer between 0 and 10)
limits.kernel.\* | string | - | no | kernel\_limits | This limits kernel resources per container (e.g. number of open files)
-limits.memory | string | - (all) | yes | - | Percentage of the host's memory or fixed value in bytes (supports kB, MB, GB, TB, PB and EB suffixes)
+limits.memory | string | - (all) | yes | - | Percentage of the host's memory or fixed value in bytes (various suffixes supported, see below)
limits.memory.enforce | string | hard | yes | - | If hard, container can't exceed its memory limit. If soft, the container can exceed its memory limit when extra host memory is available.
limits.memory.swap | boolean | true | yes | - | Whether to allow some of the container's memory to be swapped out to disk
limits.memory.swap.priority | integer | 10 (maximum) | yes | - | The higher this is set, the least likely the container is to be swapped to disk (integer between 0 and 10)
@@ -237,8 +237,8 @@ Different network interface types have different additional properties, the curr
Key | Type | Default | Required | Used by | API extension | Description
:-- | :-- | :-- | :-- | :-- | :-- | :--
nictype | string | - | yes | all | - | The device type, one of "bridged", "macvlan", "p2p", "physical", or "sriov"
-limits.ingress | string | - | no | bridged, p2p | - | I/O limit in bit/s for incoming traffic (supports kbit, Mbit, Gbit suffixes)
-limits.egress | string | - | no | bridged, p2p | - | I/O limit in bit/s for outgoing traffic (supports kbit, Mbit, Gbit suffixes)
+limits.ingress | string | - | no | bridged, p2p | - | I/O limit in bit/s for incoming traffic (various suffixes supported, see below)
+limits.egress | string | - | no | bridged, p2p | - | I/O limit in bit/s for outgoing traffic (various suffixes supported, see below)
limits.max | string | - | no | bridged, p2p | - | Same as modifying both limits.ingress and limits.egress
name | string | kernel assigned | no | all | - | The name of the interface inside the container
host\_name | string | randomly assigned | no | bridged, macvlan, p2p, sriov | - | The name of the interface inside the host
@@ -353,14 +353,14 @@ The following properties exist:
Key | Type | Default | Required | Description
:-- | :-- | :-- | :-- | :--
-limits.read | string | - | no | I/O limit in byte/s (supports kB, MB, GB, TB, PB and EB suffixes) or in iops (must be suffixed with "iops")
-limits.write | string | - | no | I/O limit in byte/s (supports kB, MB, GB, TB, PB and EB suffixes) or in iops (must be suffixed with "iops")
+limits.read | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
+limits.write | string | - | no | I/O limit in byte/s (various suffixes supported, see below) or in iops (must be suffixed with "iops")
limits.max | string | - | no | Same as modifying both limits.read and limits.write
path | string | - | yes | Path inside the container where the disk will be mounted
source | string | - | yes | Path on the host, either to a file/directory or to a block device
optional | boolean | false | no | Controls whether to fail if the source doesn't exist
readonly | boolean | false | no | Controls whether to make the mount read-only
-size | string | - | no | Disk size in bytes (supports kB, MB, GB, TB, PB and EB suffixes). This is only supported for the rootfs (/).
+size | string | - | no | Disk size in bytes (various suffixes supported, see below). This is only supported for the rootfs (/).
recursive | boolean | false | no | Whether or not to recursively mount the source path
pool | string | - | no | The storage pool the disk device belongs to. This is only applicable for storage volumes managed by LXD.
propagation | string | - | no | Controls how a bind-mount is shared between the container and the host. (Can be one of `private`, the default, or `shared`, `slave`, `unbindable`, `rshared`, `rslave`, `runbindable`, `rprivate`. Please see the Linux Kernel [shared subtree](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt) documentation for a full explanation)
@@ -467,6 +467,44 @@ security.gid | int | 0 | no | What GID to drop p
lxc config device add <container> <device-name> proxy listen=<type>:<addr>:<port>[-<port>][,<port>] connect=<type>:<addr>:<port> bind=<host/container>
```
+## Units for storage and network limits
+Any value representing bytes or bits can make use of a number of useful
+suffixes to make it easier to understand what a particular limit is.
+
+Both decimal and binary (kibi) units are supported with the latter
+mostly making sense for storage limits.
+
+The full list of bit suffixes currently supported is:
+
+ - bit (1)
+ - kbit (1000)
+ - Mbit (1000^2)
+ - Gbit (1000^3)
+ - Tbit (1000^4)
+ - Pbit (1000^5)
+ - Ebit (1000^6)
+ - Kibit (1024)
+ - Mibit (1024^2)
+ - Gibit (1024^3)
+ - Tibit (1024^4)
+ - Pibit (1024^5)
+ - Eibit (1024^6)
+
+The full list of byte suffixes currently supported is:
+ - B or bytes (1)
+ - kB (1000)
+ - MB (1000^2)
+ - GB (1000^3)
+ - TB (1000^4)
+ - PB (1000^5)
+ - EB (1000^6)
+ - KiB (1024)
+ - MiB (1024^2)
+ - GiB (1024^3)
+ - TiB (1024^4)
+ - PiB (1024^5)
+ - EiB (1024^6)
+
## Instance types
LXD supports simple instance types. Those are represented as a string
which can be passed at container creation time.
More information about the lxc-devel
mailing list