Weekly status for the week of the 10th of August to the 16th of August.
Introduction
The highlights of the past week were the releases of LXD 4.0.3 LTS and LXD 2.0.12 LTS. Please see the release notes for more information.
LXD
On the LXD front, this past week has seen the initial support for OVN networks merged, along with a fix for the issues introduced recently by the stable MAC change for LXD managed bridge networks, which prevented new nodes from joining clusters when using networks created before LXD 4.4. We have now changed our approach to use a ‘stable random’ MAC address for the bridge interface, generated from a predictable seed, so that bridge interfaces across a cluster get a stable MAC address whilst multiple standalone nodes on the same external network segment can still coexist without MAC conflicts.
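As an added illustration of the ‘stable random’ MAC idea above (example code written for this page, not LXD’s own implementation), the snippet derives a locally administered unicast MAC from a seed: the seed composition (a cluster identity plus the network name) and the sample values are assumptions, but the property shown is the one the paragraph describes, the same seed yields the same MAC on every cluster member while unrelated standalone hosts get different ones.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net"
)

// StableMAC derives a deterministic MAC address from a seed string.
// The first byte is adjusted so the result is a locally administered
// unicast address, i.e. it never collides with a vendor-assigned OUI
// and is never a multicast address.
func StableMAC(seed string) net.HardwareAddr {
	sum := sha256.Sum256([]byte(seed))
	mac := make(net.HardwareAddr, 6)
	copy(mac, sum[:6])
	mac[0] |= 0x02  // set the locally administered bit
	mac[0] &^= 0x01 // clear the multicast bit (must be unicast)
	return mac
}

// BridgeSeed builds the seed for a bridge interface. The composition is
// an assumption for this example (hypothetical, not LXD's exact format):
// a cluster-wide identity plus the network name, so every member of one
// cluster agrees on the MAC while two unrelated standalone hosts diverge.
func BridgeSeed(clusterID, networkName string) string {
	return fmt.Sprintf("%s/%s", clusterID, networkName)
}

func main() {
	// Constructed sample values; a real deployment would use a
	// cluster-wide secret or certificate fingerprint as clusterID.
	cluster := "example-cluster-fingerprint"
	a := StableMAC(BridgeSeed(cluster, "lxdbr0"))
	b := StableMAC(BridgeSeed(cluster, "lxdbr0"))
	c := StableMAC(BridgeSeed("standalone-host-fingerprint", "lxdbr0"))
	fmt.Println("node 1:", a, "node 2:", b, "standalone:", c)
}
```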
A race condition that could cause an LXD crash when stopping a VM has been fixed.
On the storage side, several improvements to the ceph storage driver have been added, including improved cleanup when deleting ceph storage pools whose remote volumes have already been removed. An issue that in certain circumstances left orphaned ceph volume snapshots has been fixed.
An issue with the scheduled snapshot feature not actually taking snapshots has been fixed.
On the cluster side, an improvement to prevent issues when upgrading from pre-LXD 3.20 has been added, ensuring that outstanding raft changes are completed serially.
On the security side, the forkdns process that provides DNS forwarding functionality for cluster nodes has been confined using AppArmor rules and is now run as an unprivileged user. There have also been several improvements to our seccomp handling code to make it more resilient and check for more error scenarios. The cgroupv2 AppArmor rules are now disabled on legacy hosts.
LXC
On the LXC front, there has been a variety of work on improving the security of terminal allocation and on LSM hardening. On the terminal side, the /dev directory is now set up using file descriptors and terminal allocation has been hardened. The LSM layer has been rewritten to avoid calling apparmor_parser on every shared library invocation. This unblocks using AppArmor profiles for most of our subcommands,
Distrobuilder
Distrobuilder had a small fix to get the Apertis build tests working again by removing older releases.
Upcoming events
- Nothing to report this week
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single GitHub issue or pull request.
- Distrobuilder Windows support
- Virtual networks in LXD
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Network: OVN
- Network: Allow an LXD 4.4 node to join a cluster where the networks were created before LXD 4.4
- lxd/storage/drivers/ceph: Fix volume deletion
- VM: Fix race in onStop getting operation
- lxd/db: Fix premature failure when listing cluster volumes
- Update production setup doc
- lxd: Fix automatic storage volume snapshots
- cluster: Don’t upgrade nodes without raft role concurrently
- Reduce privileges and confine forkdns
- Network: Validates DHCP ranges
- Network: Adds shared IPRange struct
- Ceph cluster fixes
- seccomp: cap instruction limit and log buffer to reasonable sizes
- seccomp: fixes and improvements
- lxd/apparmor: Disable cgroup2 on legacy hosts
- lxc/manpage: Fix behavior in snap
- Move forkproxy to using subprocess
LXC
- openat2() and safe mounting
- conf: terminal and /dev hardening
- lsm: rewrite
- lsm: remove the need for atomic operations
LXCFS
- Nothing to report this week
Distrobuilder
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- Refreshed LXD 2.0 packaging for 2.0.12 release
- Tweaked LXD appliance storage configuration
- Bumped QEMU to 5.1.0
- Bumped squashfs-tools-ng to 1.0.1
- Bumped nvidia-container to 1.2.0