
launchpad-reviewers team mailing list archive

[Merge] lp:~bac/lpsetup/nested-lxc into lp:lpsetup


Brad Crittenden has proposed merging lp:~bac/lpsetup/nested-lxc into lp:lpsetup.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~bac/lpsetup/nested-lxc/+merge/116726

Make changes to allow nested LXCs for integration testing.
-- 
https://code.launchpad.net/~bac/lpsetup/nested-lxc/+merge/116726
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~bac/lpsetup/nested-lxc into lp:lpsetup.
=== modified file 'README.rst'
--- README.rst	2012-07-24 18:27:40 +0000
+++ README.rst	2012-07-25 18:52:21 +0000
@@ -86,15 +86,14 @@
 
 There are two tests provided and each can run in either environment as
 long as you specify using the '-e' command line option.  The tests
-are:
-
-lpsetup/tests/integration/non-lxc.py
-lpsetup/tests/integration/juju-lxc.py
-
-The first only tests the *init-host* command but goes no further.
-The second tests *install-lxc*.  Due to bug 924281 (supposedly
-*fix-released* but still seen) this test cannot currently be run in an
-lxc container as it would require an lxc inside an lxc.
+are in lpsetup/tests/integration.
+
+The first, *test_init_host.py*, only tests the *init-host* command but
+goes no further.  The second, *test_install_lxc.py*, tests
+*install-lxc*.  If this test is run against a local LXC environment,
+some changes need are first required to the host machine where the
+test will be run.  Follow the instruction in the next section before
+launching the test.
 
 The tests bootstrap the environment for you and fail if it is already
 running.
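Review bot: the new paragraph beginning "The first, *test_init_host.py*" has a garbled sentence: "some changes need are first required to the host machine" should read "some changes are first required on the host machine", and "Follow the instruction in the next section" should be "instructions". Since the explicit file list was dropped in favour of "are in lpsetup/tests/integration", consider wrapping that path in rst literal markup (``lpsetup/tests/integration``) so it renders as code like the test names around it. The removed text cited bug 924281 as the reason the LXC test could not run nested; if that bug is still open it is worth keeping a one-line pointer to it next to the new "local LXC environment" sentence so readers know why the host changes exist.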
@@ -106,6 +105,34 @@
         StrictHostKeyChecking no
         UserKnownHostsFile /dev/null
 
+Required changes for using nested LXC containers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+In order to get nested LXCs working in precise a few work-arounds are
+required, mostly relating to apparmor.
+
+The description of what needs to be done is at:
+http://www.stgraber.org/2012/05/04/lxc-in-ubuntu-12-04-lts/
+
+For the testing scenario, the host machine must be manually changed
+once[1] with the following modifications:
+sudo cp lpsetup/templates/lxc-with-testing /etc/apparmor.d/lxc
+sudo /etc/init.d/apparmor reload
+sudo cp /usr/lib/lxc/templates/lxc-ubuntu /usr/lib/lxc/templates/lxc-ubuntu.orig
+sudo sed -i "s/#lxc.aa_profile = unconfined/lxc.aa_profile = lxc-container-with-nesting/" \
+   /usr/lib/lxc/templates/lxc-ubuntu
+
+Should you want to disallow the apparmor change made to the default
+ubuntu template:
+sudo mv /usr/lib/lxc/templates/lxc-ubuntu.orig \
+   /usr/lib/lxc/templates/lxc-ubuntu
+
+The other changes mentioned are handled by the test in the container
+launched by Juju.
+
+[1] If the *lxc* package changes such that the *ubuntu* template is
+modified, then the last two steps to update the template will be
+required to be performed again.
 
 Linting
 ~~~~~~~
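Review bot: the shell commands in the new "Required changes for using nested LXC containers" section are not in an rst literal block, so "sudo cp ..." through the backslash-continued sed line will render as one run-on paragraph and the trailing "\" will be eaten; end "once[1] with the following modifications" with "::" and indent the command lines (same for the "sudo mv" revert). "Should you want to disallow the apparmor change" is not what the mv does; it restores the original template, so "revert" or "undo" reads correctly. Two caveats belong in this section: the lxc-container-with-nesting profile allows cgroup mounts, pivot_root and change_profile that the stock container profile does not, so state plainly that these host changes are meant for dedicated test hosts rather than developer machines; and the sed edits a package-managed file under /usr/lib/lxc/templates, which the [1] footnote only partly covers (a package upgrade will silently replace the edited template and the nested test will start failing with apparmor denials). An alternative that survives upgrades is to copy lxc-ubuntu to a new template name, edit the copy, and point the test at it.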

=== added file 'lpsetup/templates/lxc-with-testing'
--- lpsetup/templates/lxc-with-testing	1970-01-01 00:00:00 +0000
+++ lpsetup/templates/lxc-with-testing	2012-07-25 18:52:21 +0000
@@ -0,0 +1,58 @@
+# Do not load this file.  Rather, load /etc/apparmor.d/lxc-containers, which
+# will source all profiles under /etc/apparmor.d/lxc
+
+# {installation_header}
+
+profile lxc-container-with-nesting flags=(attach_disconnected,mediate_deleted) {
+  network,
+  capability,
+  file,
+  umount,
+
+  # addition for container nesting
+  mount -> /sys/fs/cgroup/**,
+  mount fstype=proc -> /var/cache/lxc/**,
+  mount fstype=sysfs -> /var/cache/lxc/**,
+  mount fstype=devpts -> /dev/pts/,
+  mount -> /usr/lib/lxc/root/,
+  mount -> /usr/lib/lxc/root/**,
+  mount /dev/pts/ptmx/ -> /dev/ptmx/,
+  pivot_root,
+  change_profile -> lxc-*,
+
+  # ignore DENIED message on / remount
+  deny mount options=(ro, remount) -> /,
+
+  # allow tmpfs mounts everywhere
+  mount fstype=tmpfs,
+
+  # allow mqueue mounts everywhere
+  mount fstype=mqueue,
+
+  # allow bind mount of /lib/init/fstab for lxcguest
+  mount options=(rw, bind) /lib/init/fstab.lxc/ -> /lib/init/fstab/,
+
+  # deny writes in /proc/sys/fs but allow fusectl to be mounted
+  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
+  deny @{PROC}/sys/fs/** wklx,
+
+  # block some other dangerous paths
+  deny @{PROC}/sysrq-trigger rwklx,
+  deny @{PROC}/mem rwklx,
+  deny @{PROC}/kmem rwklx,
+  deny @{PROC}/sys/kernel/** wklx,
+
+  # deny writes in /sys except for /sys/fs/cgroup, also allow
+  # fusectl, securityfs and debugfs to be mounted there (read-only)
+  mount fstype=fusectl -> /sys/fs/fuse/connections/,
+  mount fstype=securityfs -> /sys/kernel/security/,
+  mount fstype=debugfs -> /sys/kernel/debug/,
+  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
+  mount fstype=proc -> /proc/,
+  mount fstype=sysfs -> /sys/,
+  deny /sys/[^f]*/** wklx,
+  deny /sys/f[^s]*/** wklx,
+  deny /sys/fs/[^c]*/** wklx,
+  deny /sys/fs/c[^g]*/** wklx,
+  deny /sys/fs/cg[^r]*/** wklx,
+}
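Review bot: the "# {installation_header}" line looks like a placeholder for the substitution lpsetup applies to its other templates, but the README tells users to cp this file straight into /etc/apparmor.d/lxc, so the braces land verbatim in the installed profile; either run it through the same substitution as the other templates or drop the line. The file is named lxc-with-testing while the profile inside is lxc-container-with-nesting; apparmor does not care, but the README, the sed in the README and this file would be easier to keep in sync with one name. A header comment stating where the profile comes from (the stgraber post linked in the README) and that it is wider than the default container profile (cgroup mounts under /sys/fs/cgroup/**, pivot_root, change_profile -> lxc-*) would help the next person who has to decide whether it is safe to load on a given host.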

=== modified file 'lpsetup/tests/integration/test_install_lxc.py'
--- lpsetup/tests/integration/test_install_lxc.py	2012-07-25 13:11:25 +0000
+++ lpsetup/tests/integration/test_install_lxc.py	2012-07-25 18:52:21 +0000
@@ -73,6 +73,12 @@
     def set_up(self):
         super(InstallLXCTest, self).set_up()
         self.on_remote('cd lpsetup; sudo python setup.py install')
+        # The installation of `lxc` is redundant as init-lxc does it but
+        # required to get the nested LXC work-around to work.
+        self.on_remote('sudo apt-get -y install lxc')
+        self.on_remote('sudo stop lxc')
+        self.on_remote('sudo sed -i "s/10.0.3/10.0.4/g" /etc/default/lxc')
+        self.on_remote('sudo start lxc')
 
     def do_test(self):
         """Run an end-to-end integration tests of the LXC lpsetup story."""
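Review bot: the comment above the new "sudo apt-get -y install lxc" line says the install is "required to get the nested LXC work-around to work" without saying why; presumably lxc is installed early so that /etc/default/lxc exists and the bridge subnet can be changed before init-lxc brings the bridge up, and the comment should say so. The sed "s/10.0.3/10.0.4/g" also needs a comment explaining that the inner lxcbr0 would otherwise share 10.0.3.0/24 with the outer host's bridge; with unescaped dots and no anchoring the pattern is looser than it looks, so something like "s/10\.0\.3\./10.0.4./g" matches only the address octets intended. Note that "sudo stop lxc" is an upstart command and will fail (and on_remote will presumably raise) on any remote where the lxc job is not running, which is fine right after the install but worth a comment so the dependency on upstart is explicit.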