Weekly status #161


Weekly status for the week of the 10th of August to the 16th of August.

Introduction

The highlight of the past week were the releases of LXD 4.0.3 LTS and LXD 2.0.12 LTS. Please see the release notes for more information.

LXD

On the LXD front, this past week has seen initial support for OVN networks merged, along with a fix for the issues introduced recently by the stable MAC change for LXD managed bridge networks, which prevented new nodes from joining clusters when using networks created pre LXD 4.4. We have now changed our approach to use a ‘stable random’ MAC address for the bridge interface, derived from a predictable seed. This gives bridge interfaces a stable MAC address across a cluster, whilst still allowing multiple standalone nodes on the same external network segment to coexist without MAC conflicts.
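The ‘stable random’ MAC idea, as an added illustration rather than LXD’s own code: hash a predictable seed, keep six bytes, and force the locally administered and unicast bits so the result can never collide with a vendor-assigned address or be a multicast address. The seed composition (cluster or host name plus network name) is an assumption made for this example.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net"
)

// stableMAC derives a deterministic MAC address from a seed. The same seed
// always yields the same address, so every member of a cluster sharing the
// seed configures the same bridge MAC. Bit 1 of the first octet is set
// (locally administered) and bit 0 cleared (unicast), so the address can
// neither clash with an OUI-assigned NIC nor be a multicast address.
func stableMAC(seed string) net.HardwareAddr {
	sum := sha256.Sum256([]byte(seed))
	mac := make(net.HardwareAddr, 6)
	copy(mac, sum[:6])
	mac[0] = (mac[0] | 0x02) &^ 0x01
	return mac
}

// bridgeSeed is a constructed seed layout (not LXD's actual input): a cluster
// uses its cluster name, a standalone host uses its own host name, so two
// standalone hosts on one segment derive different MACs while all members
// of one cluster derive the same one.
func bridgeSeed(identity, networkName string) string {
	return identity + "/" + networkName
}

func main() {
	// Two cluster members: identical seed, identical MAC.
	a := stableMAC(bridgeSeed("cluster1", "lxdbr0"))
	b := stableMAC(bridgeSeed("cluster1", "lxdbr0"))
	// A standalone host on the same segment: different seed, different MAC.
	c := stableMAC(bridgeSeed("standalone-host", "lxdbr0"))
	fmt.Println("member1:", a, "member2:", b, "standalone:", c)
}
```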

A race condition that could cause an LXD crash when stopping a VM has been fixed.

On the storage side, several improvements to the ceph storage driver have been added, including improved cleanup when deleting ceph storage pools whose remote volumes have already been removed. An issue that in certain circumstances left orphaned ceph volume snapshots has been fixed.

An issue with the scheduled snapshot feature not actually taking snapshots has been fixed.

On the cluster side, an improvement to prevent issues when upgrading from pre LXD 3.20 has been added to ensure that outstanding raft changes are completed serially.

On the security side, the forkdns process that provides DNS forwarding functionality for cluster nodes has been confined using AppArmor rules and is now run as an unprivileged user. There have also been several improvements to our seccomp handling code to make it more resilient and check for more error scenarios. The cgroupv2 AppArmor rules are now disabled on legacy hosts.

LXC

On the LXC front, there has been various work on improving the security of terminal allocation and on LSM hardening. On the terminal side, the /dev directory is now set up using file descriptors and terminal allocation has been hardened. The LSM layer has been rewritten to avoid calling apparmor_parser on every shared library invocation. This unblocks using AppArmor profiles for most of our subcommands,

Distrobuilder

Distrobuilder had a small fix to get the Apertis build tests working again by removing older releases.

Upcoming events

  • Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single GitHub issue or pull request.

  • Distrobuilder Windows support
  • Virtual networks in LXD
  • Various kernel work
  • Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report this week

Distrobuilder

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • Refreshed LXD 2.0 packaging for 2.0.12 release
  • Tweaked LXD appliance storage configuration
  • Bumped QEMU to 5.1.0
  • Bumped squashfs-tools-ng to 1.0.1
  • Bumped nvidia-container to 1.2.0