LXD 4.12 has been released

Introduction

The LXD team is very excited to announce the release of LXD 4.12!

Our headline feature for this release certainly is the introduction of network ACLs, currently limited to OVN networks but soon available to normal LXD bridges too.

But this release also introduces stateful stop and snapshot for virtual machines, a new ceph configuration option and a LOT of new features for project users.

Finally, the LXD team would like to thank Piotr Resztak for his great work tackling a number of new LXD features in this release.

Enjoy!

New features and highlights

Initial Network ACLs support (OVN-only)

LXD now has a network ACL (access control list) mechanism. With it, you can create any number of ACLs and assign them to entire networks or to specific instance NICs.

Each ACL may contain a set of ingress and egress rules as well as some configuration.

ACLs can also refer each other as a traffic source or destination, allowing for labeling of instances and using those labels in rules rather than having to track everything by address.

An example would be a network with 3 ACLs:

  • default (applied to the network), allows egress to common external services
  • web (applied to web servers), allows ingress on tcp port 80/443
  • database (applied to database servers) allows ingress on tcp port 5432 from servers in web

This can all be done through lxc network acl and then assigned to networks or instances through security.acls .

This is currently only supported on OVN networks. In LXD 4.13, we’re expecting this to be extended to managed LXD bridges through our xtables and nft firewall drivers, though some restrictions will likely be present.

Stateful stop and stateful snapshots for virtual machines

It is now possible to have LXD dump the running state of virtual machines to disk.
This allows for both lxc stop --stateful and lxc snapshot --stateful.

In the case of a stateful stop, the VM’s state is written to disk and then the emulator is terminated. When you want the VM running again, a simple lxc start will have the VM state restored and its execution resumed where it was stopped.

Similarly, a stateful snapshot records the VM running state at the time of the snapshot.
lxc restore --stateful can then be used to bring that VM back in time, including its runtime state.

This is particularly useful ahead of a host system restart as it allows for only limited interruption of the running VMs. You can also use lxc move to relocate such a VM and then resume its operation where it was stopped on another system (currently requires absolutely identical CPUs).

Those same mechanisms will be expanded in the near future to support live migration of VMs, further limiting downtime and adding a few more restrictions in place so the VM can be moved to slightly different CPUs.

To allow for this, the VM must have migration.stateful set to true and size.state set on its root disk device to allow for additional space to store the runtime state. In this mode, PCI passthrough will be disabled as will be virtiofs.

Project restricted certificates

It’s now possible to restrict specific certificates in the LXD trust store to specific projects. When this is done, the restricted certificate also gets a limited role preventing any impact on global configuration and preventing reconfiguration of the projects.

This is roughly equivalent to getting an operator role through Canonical’s RBAC service when used with LXD.

To manage that, new commands lxc config trust edit and lxc config trust show have been added. lxc config trust add was extended to support --restricted and --projects.

Server configuration options now supported at the project level

A number of global configuration options now have project-specific equivalents:

  • images.compression_algorithm
  • backups.compression_algorithm
  • images.remote_cache_expiry
  • images.auto_update_cache
  • images.auto_update_interval

When those are set in the project configuration, they override their respective value from the global configuration.

Projects can now restrict cluster targeting

Another project configuration key added in 4.12 is restricted.cluster.target.

When it’s set, non-admin users in restricted projects are no longer allowed to use cluster member targeting (--target). Administrators are still allowed to do it so they can perform manual cluster re-balance or node evacuation operations.

Configuration option for Ceph features

A new configuration option for Ceph storage pools was added.
ceph.rbd.features takes a comma separate list of RBD features to enable on new volumes. This replaces our previous hardcoded default of layering and allows enabling more recent Ceph features when all systems support them.

Projects now supported by lxd init --dump and --preseed

lxd init --dump now includes projects as part of its YAML output:

projects:
- config:
    features.images: "true"
    features.networks: "true"
    features.profiles: "true"
    features.storage.volumes: "true"
  description: Default LXD project
  name: default
- config:
    features.images: "true"
    features.profiles: "true"
    features.storage.volumes: "true"
  description: ""
  name: demo

And this can obviously be fed back to lxd init --preseed to configure a new server.

Initial auto-generated REST-API documentation

LXD is slowly moving over to Swagger for API documentation, replacing our manually updated REST API documentation.

Only some of the endpoints are currently covered, we’re expecting to finish this work in LXD 4.13. You can look at a preview here: Swagger UI

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • containers: simplify wstatus.Close() logic in Exec()
  • containers: reap zombies on attach failure
  • seccomp: block openat2()
  • lxd/instance/qemu/qmp: Add SendFile, Migrate and MigrateIncoming
  • lxd/instance/qemu/qmp: Add ping function
  • lxd/instance/qemu/qmp: Re-shuffle functions
  • lxd/instance/qemu/qmp: Rework run() function
  • lxd/instance/qemu/qmp: Update commands to use run()
  • lxd/network/network/utils: Fixes InterfaceExists to not return true if arg is empty string
  • lxd/device/nic/routed: Dont give sysctl read error when invalid value
  • lxd/device/nic/ipvlan: Dont give sysctl read error when invalid value
  • lxd/device/nic/ipvlan: network.InterfaceExists usage
  • lxd/device/nic/ipvlan: Detach ipvlan interface back to random host name on stop, then delete
  • lxd/db/instances: Adds ErrInstanceListStop that can be returned from InstanceList to stop search
  • shared/validate/validate: Adds IsNetworkRange and IsNetworkAddressCIDR functions
  • shared/validate/validate: Adds IsNetworkPort and IsNetworkPortRange functions
  • lxd/util/config: Adds SplitNTrimSpace function
  • lxd/util/config: Avoid unnecessary allocations in CopyConfig
  • api: Adds network_acl extension
  • shared/api/network/acl: Adds shared struct types for Network ACLs
  • shared/api/network/acl: Adds rule Normalise function
  • lxd/db/cluster: Adds networks_acls and networks_acls_config tables
  • lxd/db/network/acls: Adds GetNetworkACL function
  • lxd/db/network/acls: Adds CreateNetworkACL function
  • lxd/db/network/acls: Adds GetNetworkACLs function
  • lxd/db/network/acls: Adds UpdateNetworkACL function
  • lxd/db/network/acls: Adds RenameNetworkACL function
  • lxd/db/network/acls: Adds DeleteNetworkACL function
  • lxd/network/acl: Adds ACL package for managing Network ACLs
  • lxd: Add network-acls API hooks
  • lxd/network/acls: Implements networkACLGet function
  • lxd/network/acls: Implements networkACLsPost function
  • lxd/network/acls: Implements networkACLsGet function
  • lxd/network/acls: Implements networkACLPut function
  • lxd/network/acls: Adds PATCH support to networkACLPut
  • lxd/network/acls: Implements networkACLPost function
  • lxd/network/acls: Implements networkACLDelete function
  • client/interfaces: Adds CreateNetworkACL
  • client/interfaces: Adds GetNetworkACLs
  • client/interfaces: Adds GetNetworkACL
  • client/interfaces: Adds UpdateNetworkACL
  • client/interfaces: Adds RenameNetworkACL
  • client/interfaces: Adds DeleteNetworkACL
  • client/interfaces: Adds GetNetworkACLNames
  • client/lxd/network/acls: Implements CreateNetworkACL function
  • client/lxd/network/acls: Implements GetNetworkACLs function
  • client/lxd/network/acls: Implements GetNetworkACL function
  • client/lxd/network/acls: Implements UpdateNetworkACL function
  • client/lxc/network/acls: Implements RenameNetworkACL function
  • client/lxd/network/acls: Implements DeleteNetworkACL function
  • client/lxd/network/acls: Implements GetNetworkACLNames function
  • lxc/network: Registers acl subcommand from network command
  • lxc/network/acl: Add network acl command section
  • lxc/network/acl: Adds cmdNetworkACLCreate command
  • lxc/network/acl: Adds cmdNetworkACLList command
  • lxc/network/acl: Adds cmdNetworkACLGet and cmdNetworkACLShow commands
  • lxc/network/acl: Adds cmdNetworkACLSet command
  • lxc/network/acl: Adds cmdNetworkACLUnset command
  • lxc/network/acl: Adds cmdNetworkACLEdit command
  • lxc/network/acl: Adds cmdNetworkACLRename command
  • lxc/network/acl: Adds cmdNetworkACLDelete command
  • lxc/network/acl: Adds cmdNetworkACLRule subcommand with add/remove rule commands
  • doc/rest-api: Adds network ACL endpoint docs
  • test: Adds network ACL tests
  • doc/network-acls: Adds Network ACLs documentation
  • i18n: Update translation templates
  • lxd/network/driver/ovn: Uplink loading error improvements
  • lxd/device/nic/sriov: network.InterfaceExists usage
  • lxd/network/network/utils: InterfaceExists usage in InterfaceBindWait
  • lxd/device/nic/sriov: Use random VF MAC if VF has no automatic MAC set
  • lxd/instance/qemu: Rework lxd-agent startup
  • lxd/device/disk: Validate that the pool is not pending
  • api: migration_stateful
  • shared: Add migration.stateful
  • doc/instance: Add migration.stateful
  • lxd/instance/qemu: Add migration.stateful support
  • lxd/device: Add migration.stateful support
  • lxd/instance/qemu: Add checks for migration.stateful
  • api: disk_state_quota
  • doc/instances: Add size.state
  • lxd/storage: Add support for size.state
  • lxd/api: Port to updated SetInstanceQuota
  • lxd/device/disk: Add support for size.state
  • lxd/instance: Prevent stateful snapshots of VMs
  • lxd/instance/qemu: Add stateful stop/start
  • doc: Drop API extension columns
  • api: storage_ceph_features
  • lxd/storage: Add ceph.rbd.features
  • doc/storage: Add ceph.rbd.features
  • scripts/bash: Add ceph.rbd.features
  • doc: Fix bad Github action link
  • lxd/instance/qemu/qmp: Switch back to upstream repo
  • lxd/device/device/interface: Adds Type interface for accessing type specific functions of a device
  • lxd/device/device/common: UpdatableFields signature change
  • lxd/device/nic/bridged: UpdatableFields signature change
  • lxd/device/nic/p2p: UpdatableFields signature change
  • lxd/device/nic/routed: UpdatableFields signature change
  • lxd/device/disk: UpdatableFields signature change
  • lxd/device/device/load: Adds newByType and LoadByType functions
  • lxd/instance/drivers: UpdatableFields usage
  • lxd/device/device/utils/network: Changes veth route functions to not depend on device specific logic
  • lxd/device/nic/bridged: Switches to use NIC type agnostic route helper functions
  • lxd/device/nic/p2p: Switches to use NIC type agnostic route helper functions
  • lxd/instance/drivers/driver/common: Update comment for deviceVolatileReset to match
  • lxd/instance/drivers/driver/lxc: Removes deviceResetVolatile provided by common
  • lxd/instance/drivers/driver/qemu: Removes deviceResetVolatile provided by common
  • lxd/instance/drivers: d.deviceVolatileReset usage
  • doc/preseed: LXD is pronounced lex-dee
  • doc/api-extensions: LXD is pronounced lex-dee
  • tests: Typo fix
  • lxd/storage: LXD is pronounced lex-dee
  • lxd/firewall: LXD is pronounced lex-dee
  • lxd/network: LXD is pronounced lex-dee
  • lxd/api: LXD is pronounced lex-dee
  • lxd/device: LXD is pronounced lex-dee
  • lxd/storage/utils: Updates VolumeUsedByExclusiveRemoteInstancesWithProfiles to use db.ErrInstanceListStop
  • lxd/network/network/utils: Adds optimisation to UsedBy when firstOnly is true
  • lxd/network/network/utils: Removes whitespace trimming from SubnetParseAppend
  • lxd/api/project: Updates projectValidateRestrictedSubnets to use util.SplitNTrimSpace
  • lxd/network/driver/ovn: Switch to util.SplitNTrimSpace
  • lxd/device/nic/ovn: Updates usage of network.SubnetParseAppend to use util.SplitNTrimSpace
  • lxd/network/acl/acl/load: Adds Exists function
  • lxd/network/acl/acl/load: Adds UsedBy function
  • lxd/network/acl/driver/common: Updates usedBy to use UsedBy
  • lxd/network/driver/ovn: Adds OVNInstanceNICSetupOpts and OVNInstanceNICOpts types
  • lxd/network/driver/ovn: InstanceDevicePortAdd updated arguments
  • lxd/network/driver/ovn: InstanceDevicePortDelete updated arguments
  • lxd/network/driver/ovn: n.InstanceDevicePortAdd usage
  • lxd/device/nic/ovn: ovnNet update of arguments
  • lxd/device/nic/ovn: d.network.InstanceDevicePortAdd and d.network.InstanceDevicePortDelete usage
  • lxd/network/openvswitch/ovn: Converts LogicalSwitchPortExists to LogicalSwitchPortUUID
  • lxd/network/openvswitch/ovn: Converts string UUID variables to their own dedicated types
  • lxd/network/driver/ovn: Updates usage of OVN UUID types
  • lxd/network/driver/ovn: client.LogicalSwitchPortUUID usage
  • lxd/network/driver/ovn: Adds DNSName to OVNInstanceNICStartOpts
  • lxd/network/driver/ovn: Updates InstanceDevicePortAdd with opts.DNSName field name change
  • lxd/network/driver/ovn: Updates InstanceDevicePortAdd with opts.DNSName field name change in handleDependencyChange
  • lxd/device/nic/ovn: Updates use of d.network.InstanceDevicePortAdd with DNSName
  • utils: trim whitespace from block device UUID
  • lxd/storage/drivers/btrfs: Add up fs and block quota for VMs
  • lxd/storage/drivers/dir: Pass int64 size to setQuota
  • lxd/storage/drivers/dir: Add up fs and block quota for VMs
  • shared/validate/validate: Add IsCompressionAlgorithm
  • lxd/projects: Add backups.compression_algorithm and images.compression_algorithm
  • lxd/cluster: Update compression validation
  • lxd/images: Add checks for images.compression_algorithm
  • lxd/backup: Add checks for backups.compression_algorithm
  • doc/projects: Add backups.compression_algorithm and images.compression_algorithm
  • api: projects_compression
  • lxd/instance: Move CreateInternal
  • lxd/instance/drivers: Rename restart to restartCommon
  • lxd/instance/drivers: Move snapshot creation to the driver
  • lxd/network/network/utils: Converts UsedBy to use InstanceList function
  • lxd/network/network/utils: Changes isInUseByDevices to isInUseByDevice
  • lxd/network/network/utils: Adds usedByInstanceDevices function
  • lxd/device/nic/ovn: Removes non-ovn related limit code, use network.InterfaceExist
  • lxd/network/driver/ovn: Removes unnecessary calls to CloneNative in ovnNICExternalRoutes
  • lxd/instance/qemu: Add restoreState
  • lxd/instance/qemu: Add saveState
  • lxd/instance/qemu: Add stateful snapshot
  • lxd/db: Fix bad indent
  • lxd/db: Fix projects_used_by_ref for remote storage
  • lxd/cluster: Guarantee single hearbeat loop
  • doc/rest-api: Fix and clarify backup API
  • lxd/cluster: Improve heartbeat logging
  • lxd/api: Don’t use potentially nil struct
  • lxd/init: Better error on invalid auto-detect fan underlays
  • doc/rest-api: More fixes for backups
  • lxd: Remove ReadToJSON
  • lxd/db: Fix RenameCertificate
  • lxd/certificate: Modernize DB handling
  • lxd/certificate: Rework cache
  • lxd/projects: Add images.remote_cache_expiry
  • lxd/db/images: Changes GetExpiredImages to GetExpiredImagesInProject
  • lxd/images: Support images.remote_cache_expiry per-project
  • doc/projects: Add images.remote_cache_expiry
  • api: projects_images_remote_cache_expiry
  • doc/backup: Mention subuid/subgid
  • lxd/db/certificates: Fix bad error handling
  • api: certificate_project
  • shared/api: Add restricted and projects to certificate
  • lxd/db: Add support for restricted certificates
  • lxd/certificates: Add support for restricted and projects
  • lxd/daemon: Add TLS permission checks
  • doc/security: Cover TLS restrictions
  • lxc/config/trust: Add Edit
  • lxc/config/trust: Add Show
  • i18n: Update translation templates
  • tests: Validate TLS restrictions
  • lxd/instance/drivers/driver/lxc: Log when skipping volume delete in a recovery import scenario
  • lxd/api/internal: Don’t create .importing file when performing a backup import in internalImport
  • lxd/api/internal: internalImport usage
  • lxd/instance/instance/utils: CreateInternal usage of revert package
  • lxd/instances/post: internalImport usage
  • lxd/network/network/utils: Reorder UsedBy logic to do cheapest searches first
  • lxd/db/network/acls: Makes slice allocation more efficient in GetNetworkACLs
  • lxd/db/network/acls: Adds GetNetworkACLIDsByNames function
  • lxd/network/openvswitch/ovn: Adds PortGroupUUID function
  • lxd/network/openvswitch/ovn: Adds PortGroupAdd function
  • lxd/network/openvswitch/ovn: Adds PortGroupMemberAdd function
  • lxd/network/openvswitch/ovn: Adds OVNACLRule struct type
  • lxd/network/openvswitch/ovn: Adds PortGroupSetACLRules function
  • lxd/network/openvswitch/ovn: Adds PortGroupDelete function
  • lxd/network/openvswitch/ovn: Adds LogicalSwitchSetACLRules function
  • lxd/network/openvswitch/ovn: Adds PortGroupMemberDelete function
  • lxd/network/acl/acl/ovn: Adds OVN ACL helper functions
  • lxd/network/acl: Adds support for using state when creating ACL record
  • lxd/network/acl/acl/load: Updates UsedBy to allow searching for multiple ACLs in one pass
  • lxd/network/acl/driver/common: Updates usedBy to use updated UsedBy helper function
  • lxd/network/acl/driver/common: Makes Update apply new ACL rules to OVN port groups and instance ports
  • lxd/network/driver/ovn: Applies baseline network ACL rules in setup via acl.OVNApplyNetworkBaselineRules
  • lxd/network/driver/ovn: Adds SecurityACLs and SecurityACLsRemove to OVNInstanceNICStartOpts
  • lxd/network/driver/ovn: Adds Security ACL support to InstanceDevicePortAdd
  • lxd/network/driver/ovn: Adds PortGroupDeleteIfUnused to remove unused ACL port groups
  • lxc/network/driver/ovn: Adds support for security.acls assigned to OVN networks
  • lxd/device/nic: Adds security.acls optional field
  • lxd/device/nic/ovn: Adds security.acls support for OVN NICs
  • doc/metadata: Adds Network ACL left menu item section
  • api: Adds network_ovn_acl extension
  • doc: Adds security.acls property to OVN networks and NICs
  • tests: Reword deadcode
  • lxd/db: Remove unused code
  • shared/log15: Remove dead code
  • lxd/network/acl: Remove unused code
  • lxd/storage/drivers/driver/btrfs: Unset pool size setting during creation if not relevant
  • lxd/storage/drivers/driver/btrfs: Consisent error quoting in Create
  • lxd/storage/pools/config: Consistent error quoting in storagePoolValidateConfig
  • driver_lxc: pass flags to shiftfs mount
  • lxd/network/driver/bridge: Ensure that DHCP firewall rules are added in fan mode
  • lxd/network/driver/ovn: Don’t delete port groups if their associated ACLs are referenced by rules in other ACLs
  • lxd/network/acl/acl/ovn: Adds OVNEnsureACLs function and unexports ovnApplyToPortGroup
  • lxd/network/acl/driver/common: Switch Update to use OVNEnsureACLs
  • lxd/network/driver/ovn: Switch setup to use OVNEnsureACLs
  • lxd/network/driver/ovn: Switch InstanceDevicePortAdd to use OVNEnsureACLs
  • Makefile: Add update-api
  • shared/api: Label Server structs
  • lxd: Setup API metadata
  • lxd: Add / and /1.0 to swagger
  • tests: Update deadcode for swagger
  • doc: Include initial YAML version of rest-api
  • lxd/certificates: Add to swagger
  • shared/api: Label Certificate structs
  • doc/rest-api/swagger: Update for certificates
  • lxd/storage/drivers/utils: Comment clarify in BlockDiskSizeBytes
  • lxd/network/openvswitch/ovn: Renames PortGroupUUID to PortGroupInfo
  • lxd/network/acl/acl/ovn: client.PortGroupInfo usage
  • lxd/network/driver/ovn: client.PortGroupInfo usage
  • lxd/network/acl/acl/ovn: Refactors OVNEnsureACLs to be smarter in how it sets up referenced ACLs
  • lxd/network/driver/ovn: Don’t check if port group exists when removing port member in InstanceDevicePortAdd
  • lxd/resources/storage: Rework block size handling
  • Updated instanceLogDelete function
  • lxd/device/disk: Tweak mkisofs flags
  • lxd/init: Add projects to dump/init preseed
  • lxd/network/driver/ovn: Consistently use aclNameIDs var name
  • lxd/instance/post: Update instancePostClusteringMigrate to respect instance’s project
  • lxd/instance/backup: Makes returned containers resource conditional on instance type
  • lxd/instance/console: Conditional containers resources
  • lxd/instance/delete: Updates instanceDelete to use inst var and makes returned containers resources conditional on instance type
  • lxd/instance/exec: Makes containers resources conditional on instance type
  • lxd/instance/post: Renames c to inst and makes containers resources conditional on instance type
  • lxd/instance/put: Renames c to inst and makes containers resources conditional on instance type
  • lxd/instance/snapshot: Renames sc to snapInst and makes containers resources conditional on instance type
  • lxd/instances/post: Makes containers resources conditional on instance type
  • lxd/device/nic/ovn: Clearer error message in validateConfig
  • lxd/network/openvswitch: Centralises DB OVN connection string retrieval in NewOVN
  • lxd/network/driver/ovn: openvswitch.NewOVN usage
  • lxd/network/acl/driver/common: openvswitch.NewOVN usage
  • lxd/network/acl/acl/ovn: Adds OVNPortGroupDeleteIfUnused
  • lxd/network/driver/ovn: Removes PortGroupDeleteIfUnused and acl.OVNPortGroupDeleteIfUnused usage
  • lxd/device/nic/ovn: acl.OVNPortGroupDeleteIfUnused usage
  • lxd/network/acl/driver/common: Calls OVNPortGroupDeleteIfUnused during Update
  • lxd/network/acl/acl/load: Only return unique list of ACLs when matching on ACL rulesets in UsedBy
  • lxd/network/acl/acl/ovn: Create referenced ACL port groups when reapplying rules from an existing ACL
  • doc/rest-api: Updates backup endpoint docs
  • lxd/cluster: Don’t warn about pending nodes
  • lxd/instances: Fix instance copy within project
  • netutils: improve file descriptor retrieval and increase robustness
  • lxd/cluster: Remove AutoUpdateInterval and RemoteCacheExpiry
  • lxd/daemon: Add daemon startTime variable, remove taskAutoUpdate
  • lxd/instances/post: Support images.auto_update_cached per-project
  • lxd/api: Remove taskAutoUpdate reset
  • lxd/projects: Add images.auto_update_cached and images.auto_update_interval
  • lxd/images: Support images.auto_update_interval per-project
  • api: projects_images_auto_update
  • doc/projects: Add images.auto_update_cached and images.auto_update_interval
  • Update for Go 1.17 go:build tags
  • lxd/api: Add project and target arguments to doc
  • shared/api: Add comments to certificate fields
  • shared/api: Add comments to server fields
  • lxd/resources: Add swagger documentation
  • shared/api: Label Resources structs
  • doc/rest-api: Refresh swagger YAML
  • doc/projects: Projects aren’t restricted by default
  • lxc/config/trust: Allow restricting on add
  • i18n: Update translation templates
  • lxd/storage/drivers/util: Updates ensureVolumeBlockFile to add unsupportedResizeTypes argument
  • lxd/storage/drivers/driver/btrfs/volumes: Updates CreateVolume with ensureVolumeBlockFile comments
  • lxd/storage/drivers/driver/btrfs/volumes: Updates SetVolumeQuota to pass VolumeTypeImage to ensureVolumeBlockFile
  • lxd/storage/drivers/driver/dir/volumes: Comment improvement in CreateVolume
  • lxd: improve unix fd retrieval infrastructure
  • lxd/db: Don’t fail preparing statements for activateifneeded
  • unixfd: vet all parameters
  • lxd/internal: Don’t access undefined fields
  • tests: Fix project limits on arm64
  • doc/README: Drop readthedocs
  • lxd/network/acl/acl/load: Adds NetworkUsage function
  • lxd/network/acl/driver/common: Adds ruleSubjectInternal and ruleSubjectExternal constants
  • lxd/network/acl/driver/common: Updates validateRule to allow ruleSubjectInternal and ruleSubjectExternal values
  • lxd/network/openvswitch/ovn: Updates LogicalSwitchDelete to delete associated port groups
  • lxd/network/openvswitch/ovn: Adds setACLRules to more efficiently set multiple rules in one command
  • lxd/network/openvswitch/ovn: Updates LogicalSwitchSetACLRules to use o.setACLRules
  • lxd/network/openvswitch/ovn: Updates PortGroupAdd to support associating to a project and optionally another port group and/or logical switch
  • lxd/network/openvswitch/ovn: Updates PortGroupDelete to support multiple specified port groups
  • lxd/network/openvswitch/ovn: Updates PortGroupSetACLRules to use o.setACLRules
  • lxd/network/openvswitch/ovn: Replaces PortGroupMemberAdd and PortGroupMemberDelete with PortGroupMemberChange
  • lxd/network/openvswitch/ovn: Adds PortGroupListByProject function
  • lxd/network/openvswitch/ovn: Use constants for OVN external IDs
  • lxd/network/acl/acl/ovn: Adds ovnACLPortGroupPrefix constant
  • lxd/network/acl/acl/ovn: Adds helper functions for entity name generation
  • lxd/network/acl/acl/ovn: Updates ovnAddReferencedACLs to ignore ruleSubjectInternal and ruleSubjectExternal values
  • lxd/network/acl/acl/ovn: Updates ovnApplyToPortGroup and associated functions to support network specific port group ACL rules
  • lxd/network/acl/acl/ovn: Removes trailing space in generated rule in OVNApplyNetworkBaselineRules
  • lxd/network/acl/acl/ovn: Comment improvements
  • lxd/network/acl/acl/ovn: Updates OVNEnsureACLs to support applying network specific port group rules
  • lxd/network/acl/acl/ovn: Adds OVNPortGroupInstanceNICSchedule helper function
  • lxd/network/acl/acl/ovn: Updates OVNPortGroupDeleteIfUnused to delete unused per-ACL-per-network port groups
  • lxd/network/acl/driver/common: Updates to use NetworkUsage and pass list of networks using ACL to OVNEnsureACLs
  • lxd/network/driver/ovn: Updates OVN driver to use helper functions from ACL package rather than duplicate logic
  • lxd/network/driver/ovn: Create internal port group for instance NICs on setup
  • lxd/network/driver/ovn: acl.OVNEnsureACLs and client.PortGroupMemberChange usage
  • lxd/network/driver/ovn: client.PortGroupAdd usage in setup
  • lxd/network/acl/driver/common: Adds support for default.logged and default.action ACL config properties
  • doc/network/acls: Documents default.logged and default.action ACL config properties
  • lxd/network/acl/acl/ovn: Adds support for default.logged and default.action
  • lxd/network/acl/driver/common: Adds reject support
  • lxd/network/acl/acl/ovn: Allow IPv4 IGMP and IPv6 MLD reports in network baseline rules
  • lxd/network/acl/acl/ovn: Add network baseline rules to allow reject packets from ACL reject rules
  • lxc/remote: Update working to line up with project
  • i18n: Update translation template
  • lxd/profiles: Add to swagger
  • shared/api: Label Profiles structs
  • lxd/projects: Add to swagger
  • shared/api: Label Projects structs
  • lxd/events: Add to swagger
  • shared/api: Label Events structs
  • lxd/networks: Add to swagger
  • shared/api: Label Networks structs
  • shared/api: Hide API extensions from swagger
  • doc/rest-api: Refresh swagger YAML
  • lxd/device/gpu: Optimize setupSriovParent
  • lxd/device: Save parent PCI address for GPU SR-IOV
  • lxd/network/network/utils/sriov: Refactors SRIOVFindFreeVirtualFunction and sriovGetFreeVFInterface
  • lxd/network/network/utils/sriov: Modifies sriovGetFreeVFInterface to check a VF is down and has no IPs before considering it available
  • shared/validate/validate: Adds IsInterfaceName function
  • lxd/network/network/utils: Removes validInterfaceName function
  • lxd/network/driver: validate.IsInterfaceName usage
  • lxd/device/nic: Validate that NIC name property is valid interface name
  • lxd/device/nic: Adds nicCheckNamesUnique function
  • lxd/device/nic: Updates nicValidationRules to accept a instance.ConfigReader argument and use nicCheckNamesUnique
  • lxd/device: nicValidationRules usage
  • lxd/device: Return -1 if all VFs are in use
  • lxd/device: Support multiple GPUs for SR-IOV
  • shared/api/cluster: Architecture is a read-only field
  • lxd/network_acls: Add to swagger
  • shared/api: Label Network ACLs structs
  • lxd/cluster: Add to swagger
  • shared/api: Label Cluster structs
  • doc/rest-api: Refresh swagger YAML
  • lxd/network/network/utils/sriov: Don’t fail when missing vfListPath in sriovGetFreeVFInterface
  • shared/util: Add GetStableRandomInt64FromList
  • lxd/db/images: Add AutoUpdate filter
  • lxd/vsock: Better handle errors
  • lxd/db/images: Add helper functions
  • docs: typo on JSON schema
  • lxd/vsock: Retry timeouts once
  • lxd/db: Set nodes.id to auto-increment
  • lxd/images: Fix auto image updates
  • lxd: Add internal endpoints for updates
  • test/suites: Test image refresh in cluster
  • i18n: Update translations from weblate
  • lxd/images: Properly spread replicated images
  • lxd/project: Add CheckClusterTargetRestriocion
  • lxd/projects: Add restricted.cluster.target
  • lxd: Support for restricted.cluster.target
  • api: projects_restricted_cluster_target
  • doc/projects: Add restricted.cluster.target

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc
4 Likes

I’ll be going through the new features in this release live on Youtube tomorrow at 1:30pm eastern time.
https://www.youtube.com/watch?v=JGHqv16NNyM

LXD 4.12 is now available in the latest/candidate channel for snap users with promotion to stable expected on Monday or Tuesday.

Submitted to openSUSE. Sadly https://github.com/lxc/lxd/issues/8416 is still causing issues on Tumbleweed but VMs should now work on Leap. I’ll try to cook up an LXD patch once I get back from vacation.

1 Like

Quick questions regarding what you said in the video:

  1. What are the advantages of cgroup2 and what will be added features or benefits? I would love it if two containers could have the exact same resource alotment, so two containers could only use the same two CPUs and both of them a total of 2GiB of RAM and so on without anything having to be specified for either one but for a group (projects don’t work like that now I think). Should I post this as a feature request (if I didn’t do it already)?
  2. Will live migration allow me to have complete uptime by live migrating a container to another server, switching DNS over to the other servers containers IP, doing a restart on the original one and then moving it back (or simply moving the DNS back in case of a site that doesn’t collect data in the time of all of that)?

Thanks!! :slight_smile:

Hi…
With this release when I try to do lxc exec <container name> /bin/bash i get

Error: Get "http://unix.socket/1.0": dial unix /var/lib/lxd/unix.socket: connect: connection refused

How do I fix this?

The socket is definitely there:

srw-rw----    1 root     root             0 Mar 17 10:36 /var/lib/lxd/unix.socket

This is new to 4.12. Using Alpine Linux 3.13.2.

Who are you running this command as? And do you see the LXD daemon running in ps fauxww?

root, # and also sudo, which worked in 4.11.

nevermind… seems it crashed… Thought it seems to be working now.