This bug was fixed in the package libvirt - 1.2.8-0ubuntu1
---
libvirt (1.2.8-0ubuntu1) utopic; urgency=medium
[ Chuck Short ]
* New upstream release: (LP: #1367422)
+ Dropped:
- debian/patches/ovs-delete-port-if-exists-while-adding-new-one
+ Refreshed:
-
Reviewed: https://review.openstack.org/18788
Committed:
http://github.com/openstack/openstack-manuals/commit/6b188da11ca022a98463cdcd1652b919c5db74dc
Submitter: Jenkins
Branch: master
commit 6b188da11ca022a98463cdcd1652b919c5db74dc
Author: annegentle a...@openstack.org
Date: Mon Dec 31
Note that the OpenStack Security Group (OSSG) might also issue a
security notice about that.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1088295
Title:
lxc container can control other
https://review.openstack.org/#/c/18788/
** Changed in: openstack-manuals
Status: Confirmed => In Progress
** Changed in: openstack-manuals
Assignee: (unassigned) => Anne Gentle (annegentle)
Yes that needs to be pretty apparent from our documentation. I'm
creating a doc task for that...
** Project changed: nova => openstack-manuals
** Changed in: openstack-manuals
Importance: Undecided => High
** Changed in: openstack-manuals
Status: Incomplete => Confirmed
** Tags added: nova
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1088295
Title:
lxc container can control other container's cpu share,memory limit,or
access of block and character devices
Quoting Daniel Berrange (1088...@bugs.launchpad.net):
Serge: is there anything we can do on the Nova side of things? Looks
like this has security implications?
Providing sVirt support in libvirt mitigates against the lack of
security for containers in the kernel, but this is at best a band-aid.
Ultimately, we need the user namespace work
** Changed in: nova
Status: Confirmed => Incomplete
It definitely has security implications. The apparmor profile is the
primary way we protect the host from a guest with the lxc package (which
openstack does not use), preventing things like writing to
/proc/sysrq-trigger.
Nova could move containers into a container apparmor profile itself
after
Quoting Lawrance (liuq...@windawn.com):
Thanks for your rapid reply.
Sorry, I'm a newbie to apparmor.
1. What I should do is to create an apparmor policy for
/usr/lib/libvirt/libvirt_lxc or anything else?
libvirt_lxc sets up the container which requires much more privilege than
the container
Thanks Serge, I'll try
Thanks, this is because per-container apparmor policies are not yet
enabled in libvirt-lxc, as they are in lxc.
This can be solved either with apparmor, or (sometime before 14.04) with
user namespaces.
** Also affects: libvirt (Ubuntu)
Importance: Undecided
Status: New
** Changed in:
Thanks for your rapid reply.
Sorry, I'm a newbie to apparmor.
1. What I should do is to create an apparmor policy for
/usr/lib/libvirt/libvirt_lxc or anything else?
2. How can I do per-container apparmor policies?
3. Could I refer to the below apparmor policy for lxc?
root@superstack:~# cat