Weekly status for the week of the 3rd of August to the 9th of August.
Introduction
The highlights of the past week were the releases of LXC 4.0.4 LTS and LXCFS 4.0.5 LTS. Please see the release notes for more information.
LXD
This past week has primarily focused on bug fixes and improvements to existing features after the recent 4.4 release, as well as continuing to lay the groundwork for the upcoming OVN network support.
However, we have also added initial support for running bpf programs inside unprivileged containers using the seccomp syscall interception feature. In addition, native terminal allocation is now supported in a safe way, and some optimisations have been made to the seccomp subsystem to reduce the number of syscalls needed.
The automatic stable MAC address recently introduced for bridged networks caused issues with fan networking, so stable MAC addresses have been disabled when using fan networks (as every node needs its own unique MAC address).
Support for running dnsmasq inside a container when using nested LXD has been added to the AppArmor rules.
Support for using recent versions of rsync has been added (rsync is used when copying containers between nodes).
We have started using the race detector built into the Go compiler to find race conditions, and a first pass with it has resulted in several races being fixed.
LXC
Supporting work needed for allocating terminal devices safely inside a container was added.
Improvements were made to the seccomp notify system, which is used by the LXD syscall interception feature.
A memory leak in the config parser was fixed, as well as an issue with the retry loop in lxc-download.
Distrobuilder
Support for handling multiple matching upstream images was added, with the first match being used.
In addition, support for the Luet package manager (used by Sabayon Linux and Mocaccino OS) was added.
Upcoming events
- OSTConf (online, 10-13 August 2020)
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single GitHub issue or pull request.
- Distrobuilder Windows support
- Virtual networks in LXD
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Validate: Makes shared/validate helpers non-optional
- Network: Validate network name differently based on network type
- daemon: check whether shiftfs is useable
- lxd: enable safe native container terminal allocation
- Network: Small miscellaneous networking tweaks
- Locking: Moves generic locking package out of storage namespace
- Fix total memory for per NUMA node
- lxd/rsync: Don’t pass --bwlimit when no limits set
- Storage: LVM test tweaks and races fixes
- exec: fix OpenPtyInDevpts()
- LXD: Races
- Network: Name validation changes
- Validate: Adds Required() and makes Optional() accept multiple validators
- seccomp: enable bpf in unprivileged containers
- Network: Don’t generate volatile.bridge.hwaddr in fan mode or allow static hwaddr to be set
- seccomp: check the return value of pwrite()
- exec: switch to close_range()
- lxd/apparmor/dnsmasq: Add binary for nesting
LXC
- conf: ensure that the idmap pointer itself is freed
- terminal: safely allocate pts devices from inside the container
- macro: define TIOCGPTPEER if missing
- seccomp: don’t close the mainloop, simply remove the handler
- seccomp: add seccomp_notify_fd_active api extension
- api-extension: add missing seccomp_proxy_send_notify_fd extension
- lxc-download fixes
LXCFS
- Nothing to report this week
Distrobuilder
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- configure: Fix some scripting issues
- upgrade-bridge: Fix handling on systems with translated LXD client
- shmounts: Fix failures on EBUSY
- daemon.start: Use persistent devpts