Weekly Update Templates.png960×540 47.9 KB

Weekly status for the weeks of the 8th to the 14th of July.

Introduction

This past week has been all about finishing off features for the LXD 3.15 release and preparing for the imminent LXC 3.2 and LXCFS 3.1 releases.

On the LXD side, the bulk of the work has been on continuing improving the seccomp filtering feature and re-working cluster heartbeat notifications to be more efficient. There has also been work done on the dqlite side to make database updates more efficient so as not to increase container start up time.

There is a new feature in LXD that now allows you to specify the UID and GID of a process to be run when using lxc exec.

For more information on all of this, please see the LXD 3.15 release announcement.

On the LXC side, there have been changes related to the seccomp filtering feature, and a new networking veth router mode has been added.

The veth router mode adds a new mode setting to veth network config which allows the host to act as a router for the container’s IP addresses. This allows hosts that are running routing protocols (such as BGP) to detect static routes to container IPs and advertise them to the wider network.

When combined with the l2proxy feature it also allows containers to have static IP addresses on the host’s external network without having to configure bridges or running routing daemons, and unlike IPVLAN, allows host to container communication and full netfilter functionality. It also prevents containers from spoofing IP addresses they have not been assigned.

An example network config for this:

lxc.net.0.type = veth
lxc.net.0.link = eth0
lxc.net.0.flags = up
lxc.net.0.veth.mode = router
lxc.net.0.ipv4.address = 192.168.3.3/32
lxc.net.0.ipv6.address = 2a02:xxx:xxx:3::3/128
lxc.net.0.ipv4.gateway = auto
lxc.net.0.ipv6.gateway = auto
lxc.net.0.l2proxy = 1
lxc.net.0.link = eth0

On the distrobuilder side, work has been continuing on adding Ubuntu Core support and adding cloud-init functionality to all distro images that can support it to make configuring settings inside containers easier. At this point, all existing images have transitioned to distrobuilder and our legacy build code has now been removed.

Upcoming events

• Linux Security Summit - San Diego
  • Dates: August 19-21
  • Attendees: @brauner, @hallyn, @stgraber and @tych0
  • Talks:
    • Making Containers Safer
• Open Source Summit - San Diego
  • Dates: August 21-23
  • Attendees: @brauner, @hallyn, @stgraber and @tych0
  • Talks:
    • Getting started with LXD and system containers (workshop)
    • New container kernel features
• Linux Plumbers Conference - Lisbon
  • Dates: August 21-23
  • Attendees: @brauner and @stgraber
  • Talks:
    • Containers micro-conference
    • Writing a Kernel Driver in Rust
• Kernel Recipes - Paris
  • Dates: September 25-27, 2019
  • Attendees: @brauner
  • Talks:
    • pidfds: Process file descriptors on Linux

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Rework of internal LXD device handling
• Rework of internal LXD storage handling
• Ubuntu Core 18 support in distrobuilder
• Cloud-init for all distrobuilder images
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• Use cluster heartbeats to notify of needed LXD update
• Speed up container start a bit
• seccomp: handle new liblxc seccomp notify updates
• lxd/containers: Combine state updates
• doc update
• seccomp: cause a default message to be sent
• lxd/instances: Improve errors
• Allow specifying user, group and cwd during exec
• seccomp: handle compat arch syscalls
• shared/netutils: Fixes bug with getting container PID
• seccomp: fix error reporting
• lxd/storage/cephfs: Handle multiple mons
• seccomp: simplify and make more secure
• lxd/proxy: Fix error handling for unix
• various: Removes use of golang.org/x/net/context in place of stdlib
• seccomp: more security enhancements
• Better handle stdout/stderr during RunCommand
• doc: fix path to host’s communication socket
• container/lxc: fixes return value of detachInterfaceRename
• lxd/storage: Allow size limits on dir volumes
• seccomp: cleanup + simplify
• Makefile: include libraft and libco
• bugfix, cleanup, and simplify
• iptables: Moves iptables helper functions into own package
• seccomp: abstract syscall handling
• lxd/project: Adds project package and updates references to it
• dnsmasq package
• tests: Fix CEPH pool names
• tests: Avoid ceph pool conflict

LXC

• Adds veth router mode
• Seccomp notify api update
• seccomp: coding style
• cgroup: check for non-empty conf
• doc: Add lxc.comp.notify.cookie to Japanese lxc.container.conf(5)
• Typo fix
• Suppress hardcoded table sizes

LXCFS

• Nothing to report this week

Distrobuilder

• ubuntu-core: Only symlink existing seeded snaps
• shared: Support armored GPG keys
• ubuntu-core: Remove dead code
• Add cloud-init generator

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Update to LXD 3.15
• Update for dqlite 1.0