Weekly Update Templates(1)960×540 49.7 KB

Introduction

The highlight of the past week was the release of both LXD 4.11 and LXD 4.0.5 LTS

The LXD 4.0.5 release is part of the 4.0 LTS series which is supported until June 2025.
Please see the release notes for more information.

LXD

In addition to the releases, there has also been a focus on API improvements, with the following changes:

• Storage volume state API was added and associated usage column in lxc storage volume list command. See LXD 4.11 release notes notes for more info.
• The /1.0/storage-pools/{pool}/volumes/{type}/{name} API endpoint now no longer accepts modifying a snapshot volume’s description. This is a left over behaviour from an earlier version of the lxc client tool. Instead to edit a snapshot volume’s description one should use the /1.0/storage-pools/{pool}/volumes/{type}/{name}/snapshots/{snapshotName} API endpoint.
• The URLs generated by LXD for downloading images have been sanitised to improve compatibility with third party image servers (such as S3).
• The LXD client package has had SetInstanceMetadata renamed to UpdateInstanceMetadata to align with other function names, and UpdateInstanceTemplateFile has been removed, as CreateInstanceTemplateFile is equivalent.
• Missing PATCH API endpoints have been implemented.
• Improvements to PCI and USB address parsing in the resources API.

On the VM front we have also added improvements for our Qemu QMP protocol handling to lay the foundations for stateful stop of a VM, as well as fixing a crash with virtiofsd when sharing a directory between the host and a VM with CPU limits in place due to an inconsistent use of ram and memfd.

An improvement to the LXD container’s default seccomp filter was added to block openat2 syscalls when seccomp syscall supervision is enabled. And a potential scenario where LXD could leave zombie processes around when an attach to a container fails has been fixed.

LXC

Work has started to switch all of LXC to only operate on file descriptors instead of paths whenever possible. This work will be ongoing over a couple of weeks or months and will focus on making extensive use of the new lookup restrictions that openat2() provides. The goal is to enable LXC to always do lookups and file or directory creations relative to a well-known and safe starting point and scope all further path resolution beneath this safe starting point, returning an error when an escape is detected. Part of this work is the switch to the new mount api which allows for file-descriptor based mounting.

Youtube channel

We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

• Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Distrobuilder Windows support
• Virtual networks in LXD
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• simplestreams: Review and sanitize urls join
• lxd/storage: Cleanup volume API endpoints
• doc/instances: Tweaks to make device type linking work
• doc/storage: Add mention of zfs.remove_snapshots
• Fix incorrect client function naming
• Implement missing PATCH endpoints
• Add storage volume state API and client integration
• lxd/instance/qemu: Don’t use the RAM backend
• Fix image removal for remote pools
• Tweak to PCI and USB addresses in resources API
• containers: Attach of The Living Dead
• seccomp: block openat2()
• Cleanup and extend our QMP handling

LXC

• attach: rework id handling
• cgroups: remove pointless NULL checks
• attach: harden open() calls
• attach: bugfixes
• attach & cgroup hardening
• cgroup2: only rely on command socket when getting cgroup values
• conf: open hardening & fd-only operations
• attach: attach to namespaces via pidfds
• conf: harden various mount paths
• cgroups: fix cgroup mounting
• cgroups: fix cgroup mounting
• Tiny fixes in attach and utils
• conf: implement lxc.init.groups
• mount: extend support for the new mount api
• mount_utils: initialize fd

LXCFS

• Nothing to report this week

Distrobuilder

• Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• lxd: Bump to 4.11
• libnftnl: Bump to 1.1.9
• nftables: Bump to 0.9.8
• nvidia: Bump to 1.3.2
• ovs: Bump to 2.14.1
• sqlite: Bump to 3.34.1
• squashfs: Bump to 1.0.4
• zfs: Bump to 2.0.2
• lxd: Cherry-pick upstream bugfixes