TODO: consolidate nspawn items

Signed-off-by: Christian Brauner (Microsoft) <brauner@kernel.org>
2025-02-25 21:57:32 +03:00 · 2022-11-30 16:01:07 +01:00 · 2022-11-30 16:01:07 +01:00 · 71b77f0689
commit 71b77f0689
parent 28db63445c
1 changed files with 28 additions and 41 deletions
--- a/69
+++ b/69
@ -409,12 +409,6 @@ Features:
  ID from it securely. This would then allow us to bind secrets a specific
  system securely.
 * nspawn: maybe allow TPM passthrough, backed by swtpm, and measure --image=
  hash into its PCR 11, so that nspawn instances can be TPM enabled, and
  partake in measurements/remote attestation and such. swtpm would run outside
  of control of container, and ideally would itself bind its encryption keys to
  host TPM.
 * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead
  of manually hooking into SIGINT/SIGTERM
@ -827,11 +821,6 @@ Features:
  multiple versions are around of the same resource, show which ones. (in other
  words: show partition labels).
 * systemd-nspawn: make boot assessment do something sensible in a
  container. i.e send an sd_notify() from payload to container manager once
  boot-up is completed successfully, and use that in nspawn for dealing with
  boot counting, implemented in the partition table labels and directory names.
 * maybe add a generator that reads /proc/cmdline, looks for
  systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches
  that take an URL as parameter. It then generates service units for
@ -897,9 +886,6 @@ Features:
 * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
  internal clock.
 * nspawn: optionally set up nftables/iptables routes that forward UDP/TCP
  traffic on port 53 to resolved stub 127.0.0.54
 * man: rework os-release(5), and clearly separate our extension-release.d/ and
  initrd-release parts, i.e. list explicitly which fields are about what.
@ -1003,10 +989,6 @@ Features:
  for /home/, and similar. Similar add --image-dissect-policy= to tools that
  take --image= that take the same short string.
 * nspawn: maybe optionally insert .nspawn file as GPT partition into images, so
  that such container images are entirely stand-alone and can be updated as
  one.
 * we probably should extend the root verity hash of the root fs into some PCR
  on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure
  it into PCR 12); Similar: we probably should extend the LUKS volume key of
@ -2220,13 +2202,34 @@ Features:
    PID 1...
  - optionally automatically add FORWARD rules to iptables whenever nspawn is
    running, remove them when shut down.
-
+  - add support for sysext extensions, too. i.e. a new --extension= switch that
-* nspawn: add support for sysext extensions, too. i.e. a new --extension=
+    takes one or more arguments, and applies the extensions already during
-  switch that takes one or more arguments, and applies the extensions already
+    startup.
-  during startup.
+  - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU
-
+    or so, freeze the payload too.
-* when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU or
+  - support time namespaces
-  so, freeze the payload too.
+  - on cgroupsv1 issue cgroup empty handler process based on host events, so
    that we make cgroup agent logic safe
  - add API to invoke binary in container, then use that as fallback in
    "machinectl shell"
  - make nspawn suitable for shell pipelines: instead of triggering a hangup
    when input is finished, send ^D, which synthesizes an EOF. Then wait for
    hangup or ^D before passing on the EOF.
  - greater control over selinux label?
  - support that /proc, /sys/, /dev are pre-mounted
  - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash
    into its PCR 11, so that nspawn instances can be TPM enabled, and partake
    in measurements/remote attestation and such. swtpm would run outside of
    control of container, and ideally would itself bind its encryption keys to
    host TPM.
  - make boot assessment do something sensible in a container. i.e send an
    sd_notify() from payload to container manager once boot-up is completed
    successfully, and use that in nspawn for dealing with boot counting,
    implemented in the partition table labels and directory names.
  - optionally set up nftables/iptables routes that forward UDP/TCP traffic on
    port 53 to resolved stub 127.0.0.54
  - maybe optionally insert .nspawn file as GPT partition into images, so that
    such container images are entirely stand-alone and can be updated as one.
 * machined: add API to acquire UID range. add API to mount/dissect loopback
  file. Both protected by PK. Then make nspawn use these APIs to run
@ -2234,22 +2237,6 @@ Features:
  so that the client side can remain entirely unprivileged, with SUID or
  anything like that.
 * nspawn: support time namespaces
 * nspawn: on cgroupsv1 issue cgroup empty handler process based on host events,
  so that we make cgroup agent logic safe
 * nspawn/machined: add API to invoke binary in container, then use that as
  fallback in "machinectl shell"
 * nspawn: make nspawn suitable for shell pipelines: instead of triggering a
  hangup when input is finished, send ^D, which synthesizes an EOF. Then wait
  for hangup or ^D before passing on the EOF.
 * nspawn: greater control over selinux label?
 * nspawn: support that /proc, /sys/, /dev are pre-mounted
 * machined:
  - add an API so that libvirt-lxc can inform us about network interfaces being
    removed or added to an existing machine