Weekly status for the week of the 19th of October to the 25th of October.
Introduction
The highlight of the past week was the release of both LXD 4.0.4 LTS and LXC 4.0.5 LTS.
Both releases are for their respective 4.0 LTS series, which are supported until June 2025.
Please see the release notes for more information.
LXD
The main feature added to LXD this past week was the integration of TPM (Trusted Platform Module) emulation functionality using libtpms (via swtpm). This support comes via a new instance device type called tpm. This can be added to both containers and virtual machines to provide /dev/tpm devices to the instance.
E.g.
lxc config device add <instance> my-tpm tpm path=/dev/tpm0
Please see https://linuxcontainers.org/lxd/docs/master/instances#type-tpm for more information.
Because of the persistent nature of TPM, adding support for this also required modifying the order of device startup to occur after the instance’s root disk is mounted (so that the device’s persistent state is available).
On the networking front, we have added support for selectively disabling either IPv4 or IPv6 on OVN networks by allowing the network's ipv4.address or ipv6.address to be set to none (the same as the bridge network type).
Also for OVN, we have made changes to the recently added external IP pass-through feature by simplifying the configuration. You no longer need to specify the routes allowed for use by instance NICs at the parent network level. Instance NIC routes are now validated directly against the parent network's uplink routes and the instance's project subnets. This has meant that we have removed the ipv4.routes.external and ipv6.routes.external settings from ovn networks (and if these are set, we have a patch that will remove them when LXD is upgraded).
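As an added illustration (not LXD's own code), here is a simplified model of the validation rule just described: each instance NIC route is accepted only if it falls within one of the uplink network's routes or one of the project's subnets. The CIDRs used are constructed sample values; the containment rule itself is an assumption about how the check is modelled here.

```python
import ipaddress


def route_allowed(route, uplink_routes, project_subnets):
    """Return True if `route` is contained in one of the uplink routes or
    project subnets of the same IP family.

    Simplified model of the validation described above; not LXD's code.
    """
    r = ipaddress.ip_network(route, strict=False)
    for allowed in list(uplink_routes) + list(project_subnets):
        a = ipaddress.ip_network(allowed, strict=False)
        # subnet_of() only compares networks of the same version.
        if a.version == r.version and r.subnet_of(a):
            return True
    return False


def validate_nic_routes(nic_routes, uplink_routes, project_subnets):
    """Return the NIC routes that would be rejected by the check."""
    return [rt for rt in nic_routes
            if not route_allowed(rt, uplink_routes, project_subnets)]


# Constructed sample values (not taken from the page).
UPLINK_ROUTES = ["198.51.100.0/24", "2001:db8:1::/48"]
PROJECT_SUBNETS = ["10.10.0.0/16"]
NIC_ROUTES = [
    "198.51.100.32/28",   # inside an uplink route: allowed
    "10.10.5.0/24",       # inside a project subnet: allowed
    "192.0.2.0/24",       # matches nothing: rejected
    "2001:db8:2::/64",    # outside the uplink's IPv6 route: rejected
]

if __name__ == "__main__":
    for bad in validate_nic_routes(NIC_ROUTES, UPLINK_ROUTES, PROJECT_SUBNETS):
        print(f"rejected: {bad}")
```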
There have also been a couple of network related fixes. Firstly, a recent patch to add the ipv4.nat and ipv6.nat keys to existing OVN networks (to accommodate being able to disable NAT) introduced an issue on older bridge networks that prevented LXD startup due to the description field on the network being NULL. The affected function has been updated to fix this issue.
Secondly, the meaning of a missing ipv4.nat key for bridge networks when using fan mode has changed to bring it in line with the documentation and with its meaning when using a non-fan bridge. Previously a missing ipv4.nat key on a fan bridge would mean that NAT should be enabled. However, this was the opposite of the behaviour when using a non-fan bridge. This has now been fixed, and any existing fan bridges without an ipv4.nat key will have one added with a value of true when LXD is upgraded, to maintain existing behaviour.
On the storage side, an issue affecting musl systems that prevented creating ZFS volumes due to argument ordering has been fixed. Also we have fixed an issue related to forwarding API requests for storage volumes in non-default projects.
On the general instance side, a restarted event has been added for both containers and virtual machines. Also, an issue preventing instance move when security.protection.delete was enabled has been fixed.
Finally, on the s390x architecture, support for USB devices has been removed as s390x doesn't actually support USB.
LXC
An issue when using devptfs_fd that was preventing container startup due to a missing response has been fixed.
YouTube channel
We've started a YouTube channel with a couple of live streams so far.
You may want to give it a watch and/or subscribe for more content in the coming weeks.
Contribute to LXD
Ever wanted to contribute to LXD but not sure where to start?
We've recently gone through some effort to properly tag issues suitable for new contributors on GitHub: Easy issues for new contributors
Upcoming events
- Open Source Summit Europe (online) (October 26-29)
  - Running Your Own VM & Container Cluster at Home by @brauner and @stgraber on the 27th
  - Syscall Supervision by @brauner on the 28th
- Linux Security Summit Europe (online) (October 29-30)
  - State of the User Namespace by @brauner and @stgraber on the 30th
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can't be tied directly to a single GitHub issue or pull request.
- Distrobuilder Windows support
- Virtual networks in LXD
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Add TPM device type
- lxd/db/networks: Fix NULL description
- Network: Adds support for “none” in “ipv4.address” and “ipv6.address” settings for OVN
- Network: Only call Validate in OVN’s FillConfig if state is set
- Network: Removes OVN ipv4.routes.external and ipv6.routes.external
- Doc: Re-organises NIC device type docs introducing section about network property
- lxd: Fixes ineffectual assignment warnings
- Instance: Fix a class of bugs related to incorrect log path generation when instance is in non-default project
- init: Clarifies question about using an existing empty disk
- Network: Sets ipv4.nat=true by default for new fan bridges and adds the setting if missing to existing fan bridges
- Disable USB on s390x
- add new “restarted” event to reboot section of onStop in both lxc and qemu
- Fix storage leaks in tests
- Instance: Mount instance volume before devices start
- lxd/storage/zfs: Fix argument ordering
- Storage: Fixes forwarded response if volume is remote to support projects
- lxc/move: Bypass security.protection.delete
- Documentation fixes
- scripts/bash: Fix snap handling
LXC
- startup fixes
- conf: always send response to parent waiting for devptfs_fd
- conf: account for early return when sending devpts fd
- Update Japanese pam_cgfs(8) to reflect lack of support for pure cgroupv2
LXCFS
- Nothing to report this week
Distrobuilder
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- Improved remove logic
- Cherry-picked upstream bugfixes
- Added TPM support
- Updated to LXC 4.0.5
- Updated to LXCFS 4.0.6
- Simplified bash completion logic