← Back to team overview

touch-packages team mailing list archive

  1. touch-packages team
  2. Mailing list archive
  3. Message #70706

[Bug 1445064] [NEW] Re-implement container crash forwarding

  Thread PreviousDate PreviousThread Next 
Public bug reported:

The container crash forwarding feature must be re-implemented to use a
safe design.

The current thought is:
 - Introduce a systemd unit and upstart job to have a socket activated apport crash handler
 - When a crash comes from a container, have apport connect to the socket in the crashed process' root, write the arguments it received to the socket.
 - The crash handler in the container will then run and close the socket when it doesn't need the crashed process anymore.
 - The host crash handler then exits.

This means that we only rely on an accessible root directory for the
crashed process and the crash handler will be spawned by init inside
that container. This makes it safe for privileged and unprivileged
containers.

As an extra security measure, rate limiting should be added so that we
can only have 10 in-flight crashes and that any crash taking more than
30s to be handled get cancelled (preventing host DoS).

** Affects: apport (Ubuntu)
     Importance: Wishlist
     Assignee: Stéphane Graber (stgraber)
         Status: Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apport in Ubuntu.
https://bugs.launchpad.net/bugs/1445064

Title:
  Re-implement container crash forwarding

Status in apport package in Ubuntu:
  Triaged

Bug description:
  The container crash forwarding feature must be re-implemented to use a
  safe design.

  The current thought is:
   - Introduce a systemd unit and upstart job to have a socket activated apport crash handler
   - When a crash comes from a container, have apport connect to the socket in the crashed process' root, write the arguments it received to the socket.
   - The crash handler in the container will then run and close the socket when it doesn't need the crashed process anymore.
   - The host crash handler then exits.

  This means that we only rely on an accessible root directory for the
  crashed process and the crash handler will be spawned by init inside
  that container. This makes it safe for privileged and unprivileged
  containers.

  As an extra security measure, rate limiting should be added so that we
  can only have 10 in-flight crashes and that any crash taking more than
  30s to be handled get cancelled (preventing host DoS).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/1445064/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next