Weekly status #193


Weekly status for the week of the 5th of April to the 11th of April.

Introduction

The highlight of the past week was the release of LXD 4.13, which includes most of the changes from the past week. Please take a look at the release notes for more information.

The LXD team is hiring

Canonical Ltd. is expanding its investment into LXD with a total of 5 additional roles.
The primary focus of this effort is around scalability and clustering as well as developing compelling solutions using LXD for our customers.

All LXD positions are 100% remote with some travel for internal events and conferences.

LXD

In addition to the more flexible snapshot schedule feature described in the 4.13 release notes, there were also a number of bug fixes and improvements made in the past week.

The network firewall subsystem (which abstracts the nftables and xtables firewall drivers used with bridge networks) has been modified to accommodate the forthcoming ACL support. Firstly, the xtables driver now uses a per-network chain for NIC-level filtering rules. This has two benefits: it ensures that the NIC filtering rules are not affected by rule changes in the main xtables chains (which can happen when LXD is reloaded and the network-level base rules are re-applied), and it reduces the number of rules that have to be evaluated, as only the NIC rules for the relevant network are evaluated.

The nftables firewall driver has also seen some improvements. We have moved to using a combined inet nftables family rather than separate ip and ip6 family tables. This simplifies LXD rule management and reduces the rule count, because IP address agnostic rules no longer need to be added to both the ip and ip6 tables.

There have also been improvements in the image replication logic used with LXD clusters to reduce the amount of traffic caused immediately after joining a new member to a cluster.

An issue that was preventing copying a VM snapshot to another LXD remote has been fixed in the lxc client.

A storage bug that was preventing import of optimized ZFS VM backups has been fixed.

Also related to VMs, we have restricted the use of QEMU virtiofs to Intel architectures only, due to instabilities on ARM architectures.

LXC

This past week has seen continued fixes from oss-fuzz, as well as improved hardening of the config parser and a fix for handling spaces in the $PATH variable in image templates.

Distrobuilder

A fix for the CentOS 8 Stream public GPG key has been applied.

Dqlite (RAFT library)

Several fixes have been applied in the past week to address scalability and inconsistent state issues.

YouTube channel

We’ve started a YouTube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on GitHub: Easy issues for new contributors

Upcoming events

  • Nothing to report this week

Ongoing projects

The list below covers feature or refactoring work which will span several weeks/months and can’t be tied directly to a single GitHub issue or pull request.

  • Distrobuilder Windows support
  • Virtual networks in LXD
  • Various kernel work
  • Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report this week

Distrobuilder

Dqlite (RAFT library)

Dqlite (database)

  • Nothing to report this week

Dqlite (Go bindings)

  • Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • lxd: Bump to 4.13
  • edk2: Bump to 202102
  • ovn: Bump to 21.03.0
  • sqlite: Bump to 3.35.4
  • squashfs-tools-ng: Bump to 1.1.0
  • zfs: Bump to 2.0.4