Weekly Update Templates (2).png960×540 47.6 KB

Introduction

This past week the mount syscall interception has been implemented in LXD’s seccomp feature, and some of the work for restructuring LXD’s storage engine to accommodate virtual machine support has landed. As part of this focus, several storage and migration related bugs have been fixed.

In LXC a security improvement in the apparmor rules was added to prevent writes to /proc/acpi/** and a memory leak in the terminal state was fixed.

On the Distrobuilder side, we’ve released version 1.0 and added support for building Oracle 8 images.

This week @stgraber and @brauner are at the Open Source Summit in Lyon, details of their presentations are below.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: https://github.com/lxc/lxd/labels/Easy

You can also find a slightly longer, more detailed list here: LXD Contribution

FOSDEM 2020 - containers devroom

We will once again be running the containers devroom at the upcoming FOSDEM conference in Brussels, Belgium. This year it’s going to be over the weekend of the 1st and 2nd of February.

The detailed call for papers can be found here: FOSDEM 2020 containers devroom: Call for papers

Upcoming events

• Open Source Summit - Europe - Lyon
  • Dates: October 28-30
  • Attendees: @brauner @stgraber
  • Talks:
    • Getting started with LXD and system containers
    • New container kernel features
• Linux Security Summit - Europe - Lyon
  • Dates: October 31 - November 1
  • Attendees: @brauner @stgraber
  • Talks:
    • Using Linux primitives to build your own containers
• FOSDEM
  • Dates: February 1-2
  • Attendees: @brauner @stgraber

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Virtual machine support
• Rework of internal LXD storage handling
• Distrobuilder 1.0 release
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• seccomp: implement mount syscall interception
• DB StoragePoolVolumeSnapshotsGetType returns more snapshot info
• Adds migration volume source/target types and moves migration progress functions
• Storage Utils moved to storage package
• cgo: more hardening
• DB Snapshots fixes tests to expect oldest first
• Storage Driver Utils
• seccomp: protect against syscall supervision override
• Client migration existing volume check bug
• lxc/storage/volume: Adds volume snapshot rename check for same parent…
• lxd/storage/quota: Fix bad typing
• lxd/storage/utils: Dir validation tweaks for size property
• tree-wide: cgo: add -Wunused and __ro_after_init macro
• lxc/config: Fix examples for config/profile
• client: Ignore unresolvable addresses
• lxd/include: Fix definition of SECCOMP_USER_NOTIF_FLAG_CONTINUE
• lxd/networks: Nicer error on misisng IPv6
• global: Drop -Wcast-align (breaks armhf)

LXC

• syscall_wrappers: rename internal memfd_create to memfd_create_lxc
• apparmor: Prevent writes to /proc/acpi/**
• terminal: prevent memory leak for lxc_terminal_state

LXCFS

• Nothing to report this week

Distrobuilder

• Advertise the snap package in the README
• sources/oracle: Add support for Oracle Linux 8
• sources/oracle: Fix Oracle Linux 8
• Add repo handler for dnf and yum

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Cherry-picked some upstream fixes