Weekly status for the week of the 29th of June to the 5th of July.
Introduction
The highlight of the past week was the release of LXD 4.3 and LXCFS 4.0.4. Please see the release notes for more information.
LXD
Virtual machines have gained support for the /dev/lxd device this past week. We also improved the way that memory is pinned to CPUs in NUMA environments. Also memory related, we now detect and pass through a hugetlbfs mount point if one is available.
VMs now allow the same custom volume to be used concurrently by multiple VMs (provided the filesystem in use supports concurrent access). Ephemeral VM support was also added.
On the clustering side, we have now added support for failure domains. This allows one to specify which failure domain a voting member belongs to, so that when a node is lost, a replacement node is chosen from the same failure domain (if possible). This reduces the chance that losing a physical failure domain (such as a power circuit, availability zone or VM host) results in the database losing quorum and going offline.
lxc image export now supports exporting to /tmp when LXD is installed from the snap package.
Project names are now validated more strictly, to avoid situations where a project name containing spaces causes issues with some underlying subsystems.
We now filter the SELinux xattr when rsyncing containers (if supported by rsync), to avoid issues when copying containers on a host running SELinux.
The whitelist & blacklist terminology for the security.syscalls.* settings has been replaced with equivalent “allow” and “deny” settings.
LXC
On the LXC side, support for cloning directly into a cgroup has been added.
A fix has been made to attach so that PR_SET_NO_NEW_PRIVS is set after the LSM label has been applied, making it consistent with normal container startup.
Terminology updates changing the whitelist & blacklist settings to allowlist and denylist have been added, while maintaining support for the existing settings.
The lxc-download template has also received some improvements to its GPG response handling.
An issue attaching BPF programs in a pure cgroupv2 environment has been fixed.
Distrobuilder
The Ubuntu example has been updated to use Focal.
Contribute to LXD
Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on GitHub: Easy issues for new contributors
Upcoming events
- Nothing to report this week
Ongoing projects
The list below is feature or refactoring work which will span several weeks or months and can’t be tied directly to a single GitHub issue or pull request.
- Virtual machine support
- Distrobuilder Windows support
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- doc/storage: Document block storage volumes
- lxd/util: Detect hugetlbfs mount point
- Fix misleading nodes are behind error message
- forksyscall: use nsids for shiftfs syscall intercepts
- Drop database role from nodes roles table
- lxd/storage: Fix regression in truncate handling
- Plug go-dqlite roles logic into LXD
- lxd/cluster: Only look up raft_nodes for resolving the address of node 1
- lxd/project: Add more name checks
- doc/server: Cover listen + authentication
- Failure domains support
- Support /dev/lxd in VMs
- lxd/qemu: Don’t do file lock on custom volumes
- config key & terminology fixes
- Rsync version detection and various small fixes
- lxc/instance/drivers/qemu: Support ephemeral VMs
- lxd/qemu: Use memory backend ram/file
- lxc/image: Fix dir handling on snap
- lxd/qemu: Fix crash on non-pinned VM
- lxc/image: Fix more dir handling on snap
LXC
- lxc: support CLONE_INTO_CGROUP
- clone_into_cgroup: fixes
- attach: set no_new_privs flag after LSM label
- templates/lxc-download.in: fix wrong if-condition
- templates/lxc-download.in: use GPG option "--receive-keys"
- fixes
- api-extensions: add seccomp_allow_deny_syntax extension
- cgroups: fix bpf device program generation
- cgroups: handle empty bpf log buffer
- tree-wide: update terminal terminology once more
LXCFS
- Nothing to report this week
Distrobuilder
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- Updated to LXD 4.3
- Updated nft to 0.9.6
- Cherry-picked upstream LXD bugfixes
- Added NUMA support to QEMU build
- Added some logic to handle Ubuntu Core appliances