This bug was fixed in the package libvirt - 1.2.8-0ubuntu1
---
libvirt (1.2.8-0ubuntu1) utopic; urgency=medium
[ Chuck Short ]
* New upstream release: (LP: #1367422)
+ Dropped:
- debian/patches/ovs-delete-port-if-exists-while-adding-new-one
+ Refreshed:
- debi
Reviewed: https://review.openstack.org/18788
Committed:
http://github.com/openstack/openstack-manuals/commit/6b188da11ca022a98463cdcd1652b919c5db74dc
Submitter: Jenkins
Branch: master
commit 6b188da11ca022a98463cdcd1652b919c5db74dc
Author: annegentle
Date: Mon Dec 31 14:38:36 2012 -0600
Note that the OpenStack Security Group (OSSG) might also issue a
security notice about that.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1088295
Title:
lxc container can control other container's
https://review.openstack.org/#/c/18788/
** Changed in: openstack-manuals
Status: Confirmed => In Progress
** Changed in: openstack-manuals
Assignee: (unassigned) => Anne Gentle (annegentle)
** Tags added: nova
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1088295
Title:
lxc container can control other container's cpu share,memory limit,or
access of block and character devices
To m
Yes that needs to be pretty apparent from our documentation. I'm
creating a doc task for that...
** Project changed: nova => openstack-manuals
** Changed in: openstack-manuals
Importance: Undecided => High
** Changed in: openstack-manuals
Status: Incomplete => Confirmed
Quoting Daniel Berrange (1088...@bugs.launchpad.net):
> > Serge: is there anything we can do on the Nova side of things ? Looks
> like this has security implications ?
>
> Providing sVirt support in libvirt, mitigates against the lack of
> security for containers in the kernel, but this is at best
> Serge: is there anything we can do on the Nova side of things ? Looks
like this has security implications ?
Providing sVirt support in libvirt, mitigates against the lack of
security for containers in the kernel, but this is at best a band-aid.
Ultimately, we need the usernamespace work complete
It definitely has security implications. The apparmor profile is the
primary way we protect the host from a guest with the lxc package (which
openstack does not use), preventing things like writing to
/proc/sysrq-trigger.
Nova could move containers into a container apparmor profile itself
after
Serge: is there anything we can do on the Nova side of things ? Looks
like this has security implications ?
** Changed in: nova
Status: Confirmed => Incomplete
Thanks Serge, I'll try
Quoting Lawrance (liuq...@windawn.com):
> thanks for your rapid reply.
> sorry, I'm a newbie to apparmor
>
> 1. what I should do is to create an apparmor policy for
> /usr/lib/libvirt/libvirt_lxc or anything else?
libvirt_lxc sets up the container which requires much more privilege than
the containe
thanks for your rapid reply.
sorry, I'm a newbie to apparmor
1. what I should do is to create an apparmor policy for
/usr/lib/libvirt/libvirt_lxc or anything else?
2. how can I do per-container apparmor policies
3. could I refer to the below apparmor policy for lxc
root@superstack:~# cat /etc/apparmor.d/lxc
Thanks, this is because per-container apparmor policies are not yet
enabled in libvirt-lxc, as they are in lxc.
This can be solved either with apparmor, or (sometime before 14.04) with
user namespaces.
** Also affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Changed in: l