Weekly Update Templates (2)960×540 47.9 KB

Introduction

In the past week LXD has gained two new features related to Projects.

Firstly, we have added Project restrictions, these allow the administrator to restrict what features can be added to containers created inside a project. For more information see the restricted.* keys in the Project documentation.

Secondly, we have added support for Custom volumes in Projects. Previously any custom volumes created were stored in the default project, even if you were working in a non-default project. Equally, any custom volumes created whilst in the default project were accessible by instances in non-default projects. Now new projects created will have the features.storage.volumes setting enabled by default, meaning that any new custom volumes will be created inside the project and will not be accessible to other projects (including the default). You can choose to disable this if you want the old behaviour. RBAC support was also updated to add a permission to control who can manage storage volumes.

Existing projects will remain unaffected and new custom volumes created in these projects will continue to be created in the default project. In order to avoid on-disk naming conflicts, the project name needs to be prefixed to all new and existing custom volumes, and as such, on first start of LXD a storage patch will be applied that will rename all existing custom volumes to have the default project name prefixed.

On the VM front, several improvements have been added as we continue to bring the VM feature set to parity with containers. VM Migration support was added, this allows for both cross-pool (on same host) and cross-host copy/move operations for VM instances. VM image publishing and unified image import support was also added. Additionally a bug was fixed in the lxc exec feature for VMs that could cause an infinite polling loop when trying to connect to the lxd-agent in a VM when it wasn’t running.

A fix in distrobuilder was also added related to starting the lxd-agent in OpenRC based VM guests.

On the LXD networking front, following on from our recent nftables support, we have had some reports of nft not working properly on older systems. After investigating we have added a fix for the way that chains are removed to support older versions of nft. Additionally we have also seen that old kernels have issues performing NAT with nftables when the iptables modules are loaded first (even if there aren’t any rules added). As such we have added a restriction for running at least kernel version 5.0 or above before LXD will detect that nftables can be supported.

On the LXC side this past week there has been some work done on hardening the code and cleaning up the code to ensure that resources are released when not being used. Additionally a change was added to ensure that pidfds are used whenever possible to more reliable track the container processes.

LXCFS has also seen various code clean ups, as well as an important bug fix that was causing issues during upgrades to LXCFS 4.0 on some systems where the working directly for LXCFS had been removed in the past. Support for temporarily disabling LXCFS virtualisation has been added by sending a SIGUSR2 to the process.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: https://github.com/lxc/lxd/labels/Easy

You can also find a slightly longer, more detailed list here: Contributing to LXD

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Virtual machine support
• Distrobuilder virtual machine support
• Storage database cleanup/rework
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• Project restrictions
• Storage: Custom volumes in Projects
• API: Storage volumes permission check
• production-setup: add net.core.bpf_jit_limit and kernel.keys.m…
• NIC Routed: Adds support for multiple interfaces
• VM: Migration
• Util: Fixes go vet conversion from int64 to string yields a string of one rune error
• Disk: Only unmounts non-root volumes attached
• lxd/firewall: Don’t create zombies
• VM publish & unified images import
• Images: Allow pruning of expires images in non-default project
• vm: console and exec fixes
• Storage: Updates custom volume rename patch to handle daemon storage
• Firewall: Fix nftables issues on older kernels
• VM: Fixes exec read loop when agent not started
• lxd/instance: Fix expiry check
• lxd: Add “instance” string where necessary
• Smaller bugfixes

LXC

• bugfixes
• commands_utils: fix socket leak when adding state client
• tree-wide: cleanup
• memory_utils: remove unneeded inclusion of mntent.h
• bugfixes
• bugfixes
• commands: make sure to always close the client fd
• fixes
• commands: simplify lxc_cmd_fd_cleanup()
• doc: Add keyring options to Japanese lxc.containers.conf(5)
• pidfds: switch infrastructure to rely on pidfds whenever possible
• bugfixes
• travis: enable all architectures
• memory_utils: improvements
• smaller cleanups and simplifications

LXCFS

• configure: add -Wvla and -std=gnu11
• lxcfs: fix shared library reload
• liblxcfs: handle broken upgrades gracefully
• usage: Fix cfs help
• proc_fuse: port to uint64_t
• tree-wide: use {u}int64_t types
• lxcfs: allow users to switch between virtualization and non-virtualization mode
• test_sigusr2: improve tests
• bindings: introduce set_signal_handler

Distrobuilder

• main,shared: Fix undefined image target
• chroot: Perform package refresh only when needed
• generators/lxd-agent: Fix openRC service file

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Added support for nftables
• Cherry-picked various LXD and LXCFS fixes
• Added lxcfs.cfs config option
• Extended lxd.buginfo with details on projects and profiles
• Released LXD 3.22 to the stable channel