LXD 4.5 has been released

Introduction

The LXD team is very excited to announce the release of LXD 4.5!

This is another pretty busy release for LXD with the main highlight no doubt being the addition of OVN to our networking options.

On top of that, we have some welcome improvements to our container support with both the bpf syscall interception and the new allocation logic for pts devices.

And lastly, good improvements to clustering and to security with the improved remote storage work and the new AppArmor profiles.

Enjoy!

New features and highlights

Initial support for OVN virtual networks

LXD 4.5 includes the support for OVN virtual networks.

Those can be defined as a regular LXD managed network, very similar to a traditional bridge, except that those can cross cluster nodes and can have overlapping/conflicting subnets.

This is done through OVN and will be the basis for networks inside of LXD projects in the next LXD release. OVN networks in LXD must have a parent managed network, currently only managed bridges are supported (SR-IOV and macvlan coming in 4.6).

For now, provided you have OVN and OpenVswitch setup on your host, you can have LXD create virtual networks and attach instances to them in much the same way you would a normal bridge.

(Example done on Ubuntu 20.04 LTS with the 4.5 snap)

root@nuc01:~# apt install ovn-host ovn-central --yes
[snip]

root@nuc01:~# snap install lxd --channel=latest/candidate
lxd (candidate) 4.5 from Canonical✓ installed
root@nuc01:~# ovs-vsctl set open_vswitch . \
>   external_ids:ovn-remote=unix:/var/run/ovn/ovnsb_db.sock \
>   external_ids:ovn-encap-type=geneve \
>   external_ids:ovn-encap-ip=172.17.16.139
root@nuc01:~# lxd init --auto
root@nuc01:~# lxc network list
+--------+----------+---------+----------------+---------------------------+-------------+---------+
|  NAME  |   TYPE   | MANAGED |      IPV4      |           IPV6            | DESCRIPTION | USED BY |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| br0    | bridge   | NO      |                |                           |             | 0       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| br-int | bridge   | NO      |                |                           |             | 0       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| eno1   | physical | NO      |                |                           |             | 0       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
| lxdbr0 | bridge   | YES     | 10.19.114.1/24 | fd42:56de:74c7:40f5::1/64 |             | 1       |
+--------+----------+---------+----------------+---------------------------+-------------+---------+
root@nuc01:~# lxc network set lxdbr0 ipv4.dhcp.ranges=10.19.114.2-10.19.114.199
root@nuc01:~# lxc network set lxdbr0 ipv4.ovn.ranges=10.19.114.200-10.19.114.254
root@nuc01:~# lxc network set lxdbr0 ipv6.ovn.ranges=fd42:56de:74c7:40f5::200-fd42:56de:74c7:40f5::254
root@nuc01:~# lxc network create my-virtual-01 network=lxdbr0 --type=ovn
Network my-virtual-01 created
root@nuc01:~# lxc network create my-virtual-02 network=lxdbr0 --type=ovn
Network my-virtual-02 created
root@nuc01:~# lxc network list
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
|     NAME      |   TYPE   | MANAGED |      IPV4       |           IPV6            | DESCRIPTION | USED BY |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| br0           | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| br-int        | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| eno1          | physical | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| lxdbr0        | bridge   | YES     | 10.19.114.1/24  | fd42:56de:74c7:40f5::1/64 |             | 1       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| lxdovn1       | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| my-virtual-01 | ovn      | YES     | 10.178.251.1/24 | fd42:39c7:797c:7977::1/64 |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| my-virtual-02 | ovn      | YES     | 10.82.211.1/24  | fd42:5045:b316:b251::1/64 |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
root@nuc01:~# lxc network create my-virtual-03 network=lxdbr0 ipv4.address=10.82.211.1/24 ipv6.address=fd42:5045:b316:b251::1/64 --type=ovn
Network my-virtual-03 created
root@nuc01:~# lxc network list
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
|     NAME      |   TYPE   | MANAGED |      IPV4       |           IPV6            | DESCRIPTION | USED BY |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| br0           | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| br-int        | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| eno1          | physical | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| lxdbr0        | bridge   | YES     | 10.19.114.1/24  | fd42:56de:74c7:40f5::1/64 |             | 1       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| lxdovn1       | bridge   | NO      |                 |                           |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| my-virtual-01 | ovn      | YES     | 10.178.251.1/24 | fd42:39c7:797c:7977::1/64 |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| my-virtual-02 | ovn      | YES     | 10.82.211.1/24  | fd42:5045:b316:b251::1/64 |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+
| my-virtual-03 | ovn      | YES     | 10.82.211.1/24  | fd42:5045:b316:b251::1/64 |             | 0       |
+---------------+----------+---------+-----------------+---------------------------+-------------+---------+

With this setup, we now have 3 OVN networks, 2 of which are purposefuly sharing the exact same IPv4/IPv6 subnets so we can show the isolation.

root@nuc01:~# lxc init images:ubuntu/20.04 u1
Creating u1
root@nuc01:~# lxc init images:ubuntu/20.04 u2
Creating u2
root@nuc01:~# lxc init images:ubuntu/20.04 u3
Creating u3
root@nuc01:~# lxc config device add u1 eth0 nic name=eth0 network=my-virtual-01
Device eth0 added to u1
root@nuc01:~# lxc config device add u2 eth0 nic name=eth0 network=my-virtual-02
Device eth0 added to u2
root@nuc01:~# lxc config device add u3 eth0 nic name=eth0 network=my-virtual-03
Device eth0 added to u3
root@nuc01:~# lxc start u1 u2 u3
root@nuc01:~# lxc list         
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| NAME |  STATE  |        IPV4         |                     IPV6                      |   TYPE    | SNAPSHOTS |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| u1   | RUNNING | 10.178.251.2 (eth0) | fd42:39c7:797c:7977:216:3eff:fe3a:6498 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| u2   | RUNNING | 10.82.211.2 (eth0)  | fd42:5045:b316:b251:216:3eff:fe7d:7826 (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| u3   | RUNNING | 10.82.211.2 (eth0)  | fd42:5045:b316:b251:216:3eff:fe9d:52af (eth0) | CONTAINER | 0         |
+------+---------+---------------------+-----------------------------------------------+-----------+-----------+

Initial bpf syscall interception

It is now possible to enable system call interception for the bpf syscall.
This is controlled through security.syscalls.intercept.bpf on containers.

Once that’s enabled, a particular type of bpf program must be enabled.
Currently we only support security.syscalls.intercept.bpf.devices which allows for bpf programs tied to device cgroups to be loaded from within the container.

WARNING: The only validation done on the actual program is a simple size check to avoid obvious DoS of the host. A container with that option enabled will be able to load pretty complex bpf programs which may pull information that’s outside of the container’s scope. This should not be allowed on untrusted containers.

Support for native terminal device allocation

Up until now, device allocation for operations such as lxc exec was done through the host system’s devpts. This was done as a security measure to avoid touching the container’s filesystem and possibly having the user mask /dev/pts in the container with something malicious. This approach however has issues as the controlling device as seen inside the container cannot be resolved (as it belongs to the outside).

Kernel and LXC work now allows for safely keeping track of the devpts instance that we first mount on container startup and be able to allocate devices from it without ever interacting with the current mount table in the container.

The visible effect of all this will range from AppArmor policies getting less confused when redirecting something on stdin/stdout/stderr and a variety of other software doing is-a-tty type checks now behaving in a much more usual way.

VGA console now working on Windows

Windows users can now install virt-viewer through Chocolatey or the manual installer, once done, LXD will automatically detect it and use it when running lxc console --type=VGA on a virtual machine.

Improved handling of remote storage pools

Until now, the way custom volumes in remote storage pools was handled was by having one record for every cluster member, leading to a lot of duplicated data, especially when factoring in snapshots.

On the subject of snapshots, because of that volume duplication, automated snapshots were happening on every single cluster member, leading to a lot more snapshots than intended and more load overall.

This is all resolved now with a new database design where a single volume entry is kept and is marked as being clustered. So it no longer is tied to any one cluster member and scheduled snapshots are now distributed across the cluster using a stable hash mechanism to determine what currently online cluster member will handle them.

forkdns and forkproxy now running under AppArmor confinement

Following on the dnsmasq confinement in LXD 4.4, LXD 4.5 now also confines forkdns. That’s the process used when running a Fan based network on a LXD cluster. As the name implies, it handles DNS by effectively replicating the queries against all cluster members. This confinement will prevent any potential attack against it from accessing critical data.

Similarly, forkproxy which is used for every non-NAT proxy device also got its own AppArmor profile, this will restrict it to just the sockets it’s supposed to access and the bits of kernel infrastructure needed for the proxying to happen.

lxc move now let’s you select a cluster target too

When moving an instance from outside of a cluster into a cluster, it is now possible to pass --target to specify what cluster member should be hosting the instance.

Complete changelog

Here is a complete list of all changes in this release:

Full commit list
  • lxc/move: Allow --target with cluster destination
  • i18n: Update translation templates
  • lxd/networks: Validate network config before starting networks on startup
  • lxd/network/driver/common: Call init() in update() to consistency apply new internal state
  • lxd/device/device/utils/network: Removes networkDHCPValidIP
  • lxd/dnsmasq/dhcpalloc: Adds static DHCP allocation package for dnsmasq
  • lxd/dnsmasq: Renames DHCPStaticIPs to DHCPStaticAllocation
  • lxd/dnsmasq: Renames DHCPAllocatedIPs to DHCPAllAllocations
  • lxd/network/network/utils: Removes GetIP
  • lxd/network/network/utils: dhcpalloc.GetIP usage
  • lxd/network/network/utils: dnsmasq.DHCPStaticAllocation usage
  • lxd/network/network/interface: Changes of functions to accomodate dhcpalloc package
  • lxd/network/driver/common: Implements default no-op function for non-dhcp enabled networks
  • lxd/network/driver/common: dhcpalloc.DHCPRange usage
  • lxd/network/driver/bridge: dhcpalloc package function usage
  • lxd/network/driver/bridge: DHCPv4Subnet and DHCPv6Subnet implementations
  • lxd/device/nic/bridged: Comment correction
  • lxd/device/nic/bridged: n.DHCPv4Subnet and n.DHCPv6Subnet usage
  • lxd/device/nic/bridged: dnsmasq.DHCPStaticAllocation usage
  • lxd/device/nic/bridged: dhcpalloc.DHCPValidIP usage
  • lxd/device/nic/bridged: Switches static DHCP allocation for IP filtering to dnsmasq/dhcpalloc
  • lxd/main_activateifneeded: Clarify ‘No DB’ debug statements
  • lxd/cluster: Fix failure domain updates
  • tests: Fix failure domain test
  • doc: s/container/instance/g
  • doc/backup: Add note about the snap mntns
  • lxd/apparmor: Don’t fail on missing apparmor
  • shared/validate: Makes IsUint32 non-optional
  • lxd: Wraps validate.IsUint32 in validate.Optional
  • shared/instance: Wraps validate.IsUint32 in validate.Optional
  • shared/validate: Makes IsUint8 non-optional
  • lxd/network/driver/bridge: Wraps validate.IsUint8 in validate.Optional
  • shared/validate: Makes IsPriority non-optional
  • shared/instance: Wraps validate.IsPriority in validate.Optional
  • shared/validate: Makes IsBool non-optional
  • lxd: Wraps validate.IsBool in validate.Optional
  • shared/instance: Wraps validate.IsBool in validate.Optional
  • shared/validate: Makes IsSize non-optional
  • lxd: Wraps validate.IsSize in validate.Optional
  • shared/instance: Wraps validate.IsSize in validate.Optional
  • shared/validate: Makes IsNetworkAddress non-optional
  • lxd: Wraps validate.IsNetworkAddress in validate.Optional
  • shared/validate: Makes IsNetworkV4 non-optional
  • lxd/network/driver/bridge: Wraps validate.IsNetworkV4 in shared.Optional
  • shared/validate: Makes IsNetworkAddressV4 non-optional
  • lxd/device/nic: Wraps validate.IsNetworkAddressV4 in validate.Optional
  • lxd/device/nic/ipvlan: Wraps validate.IsNetworkAddressV4 in validate.Optional
  • lxd/device/nic/ipvlan: Fixes incorrect IPv4 address check in IPv6 context
  • lxd/network/driver/bridge: Wraps validate.IsNetworkAddressV4 in validate.Optional
  • shared/validate: Makes IsNetworkAddressCIDRV4 non-optional
  • lxd: Wraps validate.IsNetworkAddressCIDRV4 in validate.Optional
  • shared/validate: Makes IsDeviceID non-optional
  • lxd/device: Wraps validate.IsDeviceID in validate.Optional
  • shared/validate: Makes IsNetworkV6 non-optional
  • shared/validate: Makes IsNetworkAddressCIDRV6 non-optional
  • lxd: Wraps validate.IsNetworkAddressCIDRV6 in validate.Optional
  • shared/validate: Makes IsNetworkAddressV6 non-optional
  • lxd: Wraps validate.IsNetworkAddressV6 in validate.Optional
  • lxd/device/nic/ipvlan: validate.IsNetworkAddressVX tweaks
  • lxd/device/nic/routed: Wraps validate.IsNetworkAddressV4List in validate.Optional
  • lxd: Wraps validate.IsNetworkV4List and validate.IsNetworkV6List in validate.Optional
  • shared/validate: Tweaks IsNetworkVLAN error message ordering
  • shared/validate: comment spacing
  • daemon: check whether shiftfs is useable
  • lxd/network/network/utils: Renames ValidNetworkName to validInterfaceName
  • lxd/network/network/utils: Adds validVirtualNetworkName
  • lxd/network/network/interfaces: Adds ValidateName
  • lxd/network/driver/bridge: Implements ValidateName
  • lxd/network/driver/macvlan: Implements ValidateName
  • lxd/network/driver/sriov: Implements ValidateName
  • lxd/network/network/load: Adds ValidateName helper function
  • lxd/main/init/interactive: Switches to network.ValidateName for bridge validation
  • lxd/networks: Switches to network.ValidateName
  • lxd/storage/utils: Simplifies error message from ValidName
  • doc/networks: Fixes typo in bridge docs
  • lxd/cluster/config: Fix import ordering of external package
  • lxd/network/openvswitch: Name functions consistently using ObjectAction format
  • lxd/network/driver/bridge: OVS function naming usage
  • lxd/network/network/utils: OVS function naming usage
  • lxd/device/nic/bridged: OVS function naming usage
  • lxd/storage/locking: Moves package to lxd/locking
  • lxd/locking: Renames variables to make them generic
  • lxd/storage/drivers/utils: Adds OperationLockName function
  • lxd/network/network/interface: Adds ID() function
  • lxd/network/driver/common: Implements ID() function
  • lxd/storage: locking.Lock usage with OperationLockName wrapper
  • lxd/resources: Fix total memory for per NUMA node
  • lxd: enable safe native container terminal allocation
  • lxd/rsync: Don’t pass --bwlimit when no limits set
  • exec: fix OpenPtyInDevpts()
  • test/suites/storage: LVM size tweaks
  • lxd/instance/drivers/driver/lxc: Adds nil check in getLxcState
  • client/operations: Fixes race conditions
  • lxd/operations: Fixes race conditions
  • client: More races fixed
  • Makefile: Adds race target for enabling race detector
  • Makefile: Correctly builds lxd-p2c and lxd-agent in debug and nocache targets
  • client/operations: Race fix
  • lxd/db: Adds mutex to fix races
  • lxd/operations: Fixes races
  • shared/validate: Adds IsURLSegmentSafe function
  • lxd/network/driver/common: Adds common ValidateName function
  • lxd/network/driver/bridge: Changes ValidateName to use common validation too
  • lxd/network/driver: Removes ValidateName from sriov and macvlan
  • lxd/network/network/load: Adds field name context to name validation errors
  • lxd/network/network/utils: Removes validVirtualNetworkName
  • lxd/networks: Returns network context on network startup failure
  • shared/validate: Adds Required() and makes Optional() accept multiple validators
  • lxd/network/driver/bridge: Don’t allow stable volatile MAC with fan network
  • lxd/network/driver/bridge: Don’t allow hwaddr to be set in fan mode
  • seccomp: update comment about blocking the new mount api
  • syscall_numbers: fix pidfd_open() definition
  • lxd_seccomp: add SECCOMP_IOCTL_NOTIF_ADDFD definitions and types
  • checkfeature: check for seccomp notify fd injection feature
  • syscall_numbers: add pidfd_getfd()
  • syscall_numbers: add bpf()
  • seccomp: report helpful errors when determining support for features
  • seccomp: handle liblxc sending the notify fd as part of the seccomp message
  • seccomp: enable bpf in unprivileged containers
  • doc: add security.syscalls.intercept.bpf and security.syscalls.intercept.bpf.prog.devices
  • api: add container_syscall_intercept_bpf_devices extension
  • lxd-client: add security.syscalls.intercept.bpf security.syscalls.intercept.bpf.devices to completion
  • production-setup: mention bpf-specific memlock settings
  • seccomp: check the return value of pwrite()
  • syscall_numbers: add close_range()
  • exec: switch to close_range() syscall
  • process_utils: remove faulty license
  • lxd/apparmor/dnsmasq: Add binary for nesting
  • lxd/storage/drivers/ceph: Fix volume deletion
  • lxd/instance/drivers/driver/qemu: Fix race in onStop getting operation
  • lxd/db: Fix premature failure when listing cluster volumes
  • lxd/db/storage_volumes: Add comments regarding behaviour
  • doc/production-setup: Fix escaping
  • doc/production-setup: Update introduction
  • lxd: Fix automatic storage volume snapshots
  • cluster: Don’t upgrade nodes without raft role concurrently
  • lxd/network/network/load: Moves fillAuto logic into per-driver fillConfig function
  • lxd/network/utils: Moves fillAuto into bridge’s fillConfig function
  • lxd/network/network/utils: Adds randomHwaddr function
  • lxd/patches: Adds patch to remove volatile.bridge.hwaddr network key
  • lxd/network/bridge/driver: Removes volatile.bridge.hwaddr and adds stable MAC generation
  • shared/usbid: Don’t auto-load
  • lxd/resources: Load USB database
  • lxd/apparmor: Move dnsmasq functions
  • lxd/apparmor: forkdns profile
  • lxd/sys: Add unpriv uid/group
  • lxd/instances: Update for OS type change
  • shared/subprocess: s/Pid/PID/
  • shared/subprocess: Add credentials
  • lxd/network: forkdns and creds drop for forkdns
  • lxd/network: Run dnsmasq as unpriv group
  • lxd/device/device/common: Adds common contextual logger
  • doc/networks: dns.search clarification
  • lxd/network/driver/bridge: Validates bridge.external_interfaces using validate.Optional() helper
  • shared/validate: Adds network IP range validators
  • lxd/network/driver/bridge: Adds DHCP IP range validation
  • shared/network/ip: Defines IPRange struct
  • lxd/dnsmasq/dhcpalloc: Removes DHCPRange and switches to shared.IPRange
  • lxd/network: Replaces dhcpalloc.DHCPRange with shared.IPRange
  • lxd/storage: Fix delete of remote pools
  • lxd/storage/ceph: Allow for small size variation
  • seccomp: cap instruction limit and log buffer to reasonable sizes
  • seccomp: initialize almost everything
  • main_checkfeature: remove logging failed shiftfs mounts
  • seccomp: log errors to convert unix connection to file
  • unixfd: improve SCM_RIGHTs file descriptor retrieval
  • seccomp: simplify the seccomp message retrieval
  • api: Adds API extension network_type_ovn
  • doc/server: Documents global OVN networking config keys
  • lxd/cluster/config: Adds OVN networking global config keys
  • lxd/network/network/utils: Updates isInUseByDevices to support ovn
  • lxd/db/networks: Adds OVN network type
  • lxd/network/network/load: Adds ovn network type to loader
  • lxd/networks: Adds ovn network type
  • lxd/device/device/load: Adds OVN nic type support
  • lxd/device/nictype: Adds ovn support
  • lxd/network/network/utils: Adds OVN instance device port helpers
  • lxd/network/openvswitch/ovs: Adds InterfaceAssociateOVNSwitchPort
  • lxd/network/openvswitch/ovs: Adds ChassisID function
  • lxd/network/openvswitch/ovs: Adds OVN bridge mapping functions
  • lxd/network/openvswitch/ovs: Adds BridgePortList function
  • lxd/network/openvswitch/ovs: Adds OVNBridgeMappingDelete function
  • lxd/network/openvswitch/ovn: Adds OVN command wrapper
  • lxd/network/network/utils: Adds parseIPRange functions
  • lxd/network/driver/bridge: Adds OVN ranges keys
  • lxd/network/driver/ovn: Adds OVN network driver
  • lxd/device/nic/ovn: Adds OVN nic type
  • doc/networks: Adds initial OVN doc
  • doc/networks: Add OVN range keys
  • doc/networks: Fix key ordering
  • bash: Update completion profile
  • lxd/apparmor: Disable cgroup2 on legacy hosts
  • lxc/manpage: Fix behavior in snap
  • shared/subprocess: Add StartWithFiles
  • lxd/forkproxy: Switch to using subprocess
  • daemon: check namespace management support through pidfds
  • nsexec: remove unused dosetns() function
  • nsexec: add new change_namespace() helper
  • forksyscall: use pidfds to attach to namespaces
  • forknet: use pidfds to attach to namespaces
  • forkmount: use pidfds to attach to namespaces
  • forkproxy: use pidfds to attach to namespaces
  • forkfile: use pidfds to attach to namespaces
  • nsexec: remove unused setnsat()
  • lxd/db/networks: Separates network type and status conversion into separate functions
  • lxd/db/networks: Adds ClusterTx.GetNonPendingNetworks function
  • lxd/db/networks: Adds ClusterTx.UpdateNetwork function
  • lxd/network/driver/ovn: Use DB transactions to safely allocate OVN external IPs on parent network
  • lxd/network/driver/ovn: Include last IP in OVN range for allocatable IPs
  • lxd/db/networks: Populates network nodes in ClusterTx.GetNonPendingNetworks
  • lxd/db/networks: Populate description col with empty string in CreatePendingNetwork
  • shared/validate: Adds IsNetworkMTU function
  • lxd/network/driver: validates mtu using IsNetworkMTU
  • lxd/device/nic: Validates mtu using IsNetworkMTU
  • lxd/network/network/utils: Removes OVN specific helper functions
  • lxd/network/network/utils/ovn: Adds OVNInstanceDeviceMTU function
  • lxd/network/openvwitch/ovn: Adds MTU support for DHCP and IPv6 RA
  • lxd/network/driver/ovn: Adds bridge.mtu config option and passes to DHCP/RA setup
  • lxd/device/nic/ovn: Use parent network’s bridge.mtu setting for setting device MTU
  • lxd/network/driver/common: Moves notifier for delete into common
  • lxd/networks: Moves cluster notification and storage clean up for networkDelete into common
  • shared/validate: Use consistent quoting for outputting input value when there is an error
  • lxc: Bundle sortorder
  • lxd/network/ovn: Use snap path
  • doc/networks: Adds link to OVN network
  • lxd/network/network/utils: Adds pingIP function
  • lxd/network/driver/ovn: Pings OVN external IPv6 router IP on bridge port start
  • lxd/network/openvswitch/dns: Adds LogicalSwitchPortSetDNS and LogicalSwitchPortDeleteDNS functions
  • lxd/network/openvswitch/ovn: Updates LogicalSwitchDelete to clear any remaining DNS records
  • lxd/network/network/utils/ovn: Updates OVNInstanceDevicePortAdd to take instanceName for DNS records
  • lxd/network/driver/ovn: Updates instance port functions to setup and remove DNS records
  • lxd/device/nic/ovn: Updates usage of network.OVNInstanceDevicePortAdd to supply instance name for DNS records
  • lxd/storage/drivers/utils: Fixes shrinkFileSystem to detect e2fsck filesystem modifications
  • lxd/db/instances: Ensure correct pool name is returned in GetInstancePool
  • shared/cert: Fix on Windows
  • lxc/console: Support remote-viewer on Windows
  • lxc/export: Use HostPathFollow
  • lxd/cluster: Re-try listening for a minute
  • lxd/init: Don’t fail on existing address
  • lxd/storage/zfs: Fix bad transfer logic on block
  • lxd/storage/zfs: Always discard mountpoint on recv
  • lxd/db/projects: go imports order
  • lxd/db/projects: Removes unnecessary whitespace
  • lxd/db/cluster: Adds patch for adding project_id to networks table
  • lxd/db/networks: Adds project support to CreatePendingNetwork
  • lxd/db/networks: Adds project support to CreateNetwork
  • lxd/networks: Pass project.Default when creating networks
  • lxd/instance/test: Updates tests to use project.Default for new networks
  • lxd/db/networks/test: Updates tests to use project.Default for new networks
  • lxd/storage/zfs: Don’t filter mountpoint on block
  • lxd/db/instances: Removes instancePoolSnapshot function
  • lxc/network: Fix usage
  • i18n: Update translation templates
  • lxd/apparmor/dnsmasq: drop dup rule, /snap/lxd/*/ includes /snap/lxd/current/
  • lxd/apparmor/forkdns: drop dup rule, /snap/lxd/*/ includes /snap/lxd/current/
  • lxd/instance: Always put snapshots on same pool as parent
  • doc/security: Adds note about non-IP ethernet frame filtering to stop VLAN QinQ bypass
  • lxd/db/cluster: Update tables to allow null value for node ID
  • shared/util: Converts DefaultPort from string to int
  • lxd/util/net: Updates CanonicalNetworkAddress to use net.JoinHostPort rather than manual fmt.Sprintf
  • lxd/util/net: Adds CanonicalNetworkAddressFromAddressAndPort function
  • lxd/device/device/utils/proxy: Use net.JoinHostPort rather than manual fmt.Sprintf
  • lxd/main/init/interactive: Error wrapping
  • lxd/main/init/interactive: Use canonical address after port has been added for comparison
  • lxd/main/init/auto: util.CanonicalNetworkAddressFromAddressAndPort usage
  • lxc/remote: shared.DefaultPort usage
  • lxd-agent/main/agent: shared.DefaultPort usage
  • lxd-p2c/utils: shared.DefaultPort usage
  • lxd/vsock: shared.DefaultPort usage
  • lxd/util/http: shared.DefaultPort usage
  • lxd/main/init: shared.DefaultPort usage
  • lxd/db: Handle null value for nodeID
  • lxd/daemon: Make db aware of remote storage drivers
  • lxd/daemon: Perform automatic snapshots on random node
  • lxd/storage: Refuse BLOCK_AND_RSYNC with running instance
  • lxd/apparmor: Simplify profile name generation
  • lxd/device: Export Name and Config
  • lxd/apparmor: Shrink instance interface
  • lxd/apparmor/forkdns: Alignment
  • lxd/apparmor/forkdns: Support LD_LIBRARY_PATH
  • lxd/api/cluster: Makes ServerAddress field required for clusterPutJoin
  • lxd/network/driver/ovn: Makes ping test in startParentPortBridge async
  • lxd/init: Updates initDataNodeApply to use revert package and to revert itself on error
  • lxd/cluster/connect: Adds UserAgentNotifier constant
  • lxd/cluster/connect: Adds UserAgentJoiner constant
  • lxd/cluster/connect: Adds ClientType type and UserAgentClientType function
  • lxd/api: Updates isClusterNotification to use cluster.UserAgentNotifier
  • lxd/api/cluster: clusterInitMember comments
  • lxd/api/cluster: initDataNodeApply usage
  • lxd/main/init: initDataNodeApply usage
  • lxd/api/cluster: Updates clusterPutJoin to use cluster.UserAgentJoiner when sending requests to local node
  • lxd/network/network/interfaces: Replaces clusterNotification bool with cluster.ClientType
  • lxd/network/driver/common: cluster.ClientType usage
  • lxd/network/driver: cluster.ClientType usage
  • lxd/network/driver/ovn: cluster.ClientType usage
  • lxd/networks: cluster.ClientType usage
  • lxd/apparmor/dnsmasq: Add /proc/self/fd
  • lxd/apparmor/forkdns: Allow reading/mapping the binary
  • lxd/apparmor: Add forkproxy
  • lxd/device/forkproxy: Add apparmor
  • lxd/instance/instance/interface: Moves Project() function into ConfigReader interface
  • lxd/instance/drivers/driver/common: Adds Project function
  • lxd/instance/drivers/driver/lxc: Updates lxc to use common fields
  • lxd/instance/drivers/driver/lxc: Removes driver specific Project function
  • lxd/instance/drivers/driver/qemu: Removes driver specific Project function
  • lxd/network/network/utils: Improves UpdateDNSMasqStatic error message
  • lxd/daemon: db.StorageRemoteDriverNames usage
  • lxd/db: StorageRemoteDriverNames usage
  • lxd/db/storage/pools: Renames GetRemoteDrivers to StorageRemoteDriverNames for clarity
  • lxd/storage/drivers/load: Cache supported drivers
  • lxd/storage/drivers/load: Remove references to “support” in AllDriverNames
  • lxd/apparmor/forkproxy: Fix running on i386
  • lxd/storage/drivers/interface: Adds isRemote function
  • lxd/storage/drivers/driver/common: Adds isRemote() function that returns false
  • lxd/storage/drivers/driver: Updates driver’s Info() function to call d.isRemote()
  • lxd/storage/drivers/ceph: Implements isRemote function for ceph and cephfs
  • lxd/storage/drivers/load: Removes SupportedDrivers caching and updates comment
  • lxd/storage/drivers/load: Simplifies RemoteDriverNames to use the isRemote function
  • lxd/daemon: storageDrivers.RemoteDriverNames usage simplifcation
  • doc/networks: Rename OVN parent to network
  • lxd/networks/ovn: Rename parent to network
  • scripts/bash: Add network config key
  • i18n: Update translations from weblate

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.

Binary builds are also available for:

  • Linux: snap install lxd
  • MacOS: brew install lxc
  • Windows: choco install lxc
6 Likes

Submitted to openSUSE. :smile_cat:

2 Likes

Can’t wait! Thank you :slight_smile:

For those wondering why the snap hasn’t hit yet.
We hit a small regression in the initial push to candidate and I’ve then been on vacation for a week.
I expect to do another candidate update tomorrow followed with rollout to stable.

It appears that the new forkproxy does not let to pass the host’s X11 Unix socket to the container.
Specifically,

  1. Using the profile at https://blog.simos.info/running-x11-software-in-lxd-containers/ (sharing the abstract Unix socket of the X11 socket of the host, to the container).
  2. When starting the container, the error is Error: Error occurred when starting proxy device: Error: Failed to listen on @/tmp/.X11-unix/X0: listen unix @/tmp/.X11-unix/X0: bind: permission denied
1 Like

Can you share any DENIED entry in dmesg when this happens?

These are the DENIED entries,

[ 5065.842111] audit: type=1400 audit(1600452556.299:830): apparmor="DENIED" operation="bind" profile="lxd-X0_sweethome3d_</var/snap/lxd/common/lxd>" pid=8256 comm="lxd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X0"
[ 5066.342472] audit: type=1400 audit(1600452556.799:831): apparmor="DENIED" operation="bind" profile="lxd-X0_sweethome3d_</var/snap/lxd/common/lxd>" pid=8256 comm="lxd" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X0"

https://github.com/lxc/lxd/pull/7893 should take care of it

1 Like

The fix has been cherry-picked into the snap, however as LXD 4.6 has been released and is currently in candidate with a tentative rollout to stable for Monday, your only option to get a quick fix is to switch over to that channel and the 4.6 LXD.

snap refresh lxd --candidate in a couple of hours from now should get you LXD 4.6 as well as this fix.

I have updated the top of the post with these instructions, https://blog.simos.info/running-x11-software-in-lxd-containers/
That is, switch for now to the latest/candidate channel and switch back next week when LXD 4.6 makes it to a stable channel.