Weekly Update Templates(1)960×540 49.9 KB

Introduction

This past week LXD gained support for restricting particular client certificates to particular projects, OVN ACL support and initial work began on automatically generating our API docs.

LXD

LXD now supports assigning one or more projects to a trusted client certificate, with the effect of restricting that client certificate to the equivalent of the operator role on those projects, and denying access to any other projects.

Also related to projects, we now support dumping and recreating project configs when doing lxd init dump or pre-seed.

Following on from the initial Netwok ACL database schema and API endpoints added last week, this past week has seen OVN networks again ACL support. Once ACLs have been created using the lxc network acl create command, they can then be assigned to OVN networks or NIC devices by setting the security.acls config property. ACLs assigned to networks will be automatically assigned to all NICs connected to that network.

We have begun moving our REST API docs to a swagger based automatic generation from the actual code structures and comments. This way the API docs will be kept up to date with the actual API endpoints rather than requiring manual updates each time an API change is made. It is still a work in progress, but to get an idea of how it will function take a look at https://dl.stgraber.org/swag-lxd/

There have also been the usual set of fixes and improvements:

• Storage volume DB records are now removed when a backup import fails.
• The size property on a new BTRFS storage pool is now not automatically generated in scenarios where it is not used (namely when using an existing BTRFS filesystem as the source of the pool).
• When using the shift=true option when attaching a directory disk device to a container, mount options are now passed through to the shiftfs mount, this fixes an issue where combining shift=true and readonly=true didn’t result in the mount in the container being fully readonly.
• An issue with block size handling affecting s390x and other big endian systems was fixed.
• When using bridged network in fan mode, firewall rules were not being added to allow access to the DHCP server due to a recent regression to allow static IP assignment when using fan mode.
• Log removal for instances in non-default projects has now been fixed.
• Moving instances between cluster members using the --target argument now works when the instances are in non-default projects.
• The config drive ISO generation for VMs now uses the joilet filesystem to support filenames longer than 8 characters.

LXC

The work hardening the use of cgroups, fd-only codepaths and mount restrictions has continued apace.

Distrobuilder

Several improvements to better support Windows ISO rebuilds were added in the past week, including support for Windows Server 2016.

Also, the RunScript functionality has been updated to write the script to execute into a temporary memfd in order to support executing the script using a different interpreter than sh which was previously hard coded.

Dqlite

Several bugs have been fixed in relation to barriers which were causing crashes in certain scenarios.

Youtube channel

We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

• Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Distrobuilder Windows support
• Virtual networks in LXD
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• Network: Support OVN ACLs
• Implement certificate project restrictions
• Instance: Volume cleanup on backup import failure
• Improve deadcode handling
• Storage: Unset irrelevant BTRFS pool size property when creating from existing filesystem and not loop file
• driver_lxc: pass flags to shiftfs mount
• Network: Ensure that DHCP firewall rules are added in bridge fan mode
• Network: Simplify ACL OVN port group creation and updates
• Swagger setup and initial endpoints
• lxd/resources/storage: Rework block size handling
• lxd/storage/drivers/utils: Comment clarify in BlockDiskSizeBytes
• lxd/network/network/utils: Reorders UsedBy to do cheapest search first (stable-4.0)
• Network: Refactors OVNEnsureACLs to be smarter in how it sets up referenced ACLs
• Updated instanceLogDelete function
• lxd/device/disk: Tweak mkisofs flags
• lxd/init: Add projects to dump/init preseed
• Network: Adds full unused OVN ACL port group clean up
• Instance: Respect instance project when moving instance to cluster target

LXC

• cgroups: first batch of cgroup mounting fixes
• cgroups: tighten cgroup config items
• cgroups: second batch of cgroup fixes
• cgroups: fixes
• cgroups: fd-only cgroup tree pruning
• cgroups: rework unified cgroup controller delegation
• cgroups: third batch of cgroup fixes
• cgroups: fourth batch of cgroup fixes
• cgroups: fixes & bpf rework
• console: fixes
• bpf: device cgroup improvements
• apparmor: prefer /proc/…/attr/apparmor/current over legacy interface
• lsm: fixes

LXCFS

• Nothing to report this week

Distrobuilder

• generators: Fix lxd-agent
• windows: Add support for Windows Server 2016
• windows: Determine correct Windows paths
• Added support for changing interpreter with shebang in RunScript

Dqlite (RAFT library)

• Mbordere/barrier wait for segments
• Mbordere/update build
• Mbordere/fix hanging barrier

Dqlite (database)

• Nothing to report this week

Dqlite (Go bindings)

• Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Nothing to report this week