Weekly status #194


Weekly status for the week of the 12th of April to the 18th of April.

Introduction

The largest feature to land in the past week is firewall ACL support for LXD bridge networks. As well as the usual set of fixes and improvements.

The LXD team is hiring

Canonical Ltd. is expanding its investment into LXD with a total of 5 additional roles.
The primary focus of this effort is around scalability and clustering as well as developing compelling solutions using LXD for our customers.

All LXD positions are 100% remote with some travel for internal events and conferences.

LXD

Network ACL support for bridge networks was added last week. This uses the same ACL concept as the OVN ACL support we added a few weeks ago, however rather than using the built-in ACL support that OVN has, instead we translate the ACL rules into the equivalent firewall rules for the active firewall driver (either nftables or xtables).

This new functionality allows you to define ACL firewall rules in an ACL group, and then apply those rules to one or more bridge networks. LXD will then maintain those rules in the underlying firewall on your LXD host.

Due to some limitations in nftables, and even more in xtables, we have chosen the lowest common denominator approach for supporting ACL features with these drivers. This means there are some limitations to ACLs being applied to bridge networks compared to ovn networks. Please see https://github.com/lxc/lxd/blob/master/doc/network-acls.md#bridge-limitations for more detail.

For ACL usage please see https://linuxcontainers.org/lxd/docs/master/network-acls

There have also been some fixes and improvements in the past week:

  • Network ACL rules now allow source/destination subjects to be specified using single IP addresses rather than CIDRs.
  • Image download locks have been added to prevent conflicts in downloading images and creating the associated DB records when launching multiple instances concurrently that require the same image to be downloaded.
  • An issue that was preventing container restart when attaching a USB device has been fixed.

LXC

Over the past week there has been a focus on improving the LXC tests, which has resulted in several memory leaks in them being fixed, and more automated tests being added.

Distrobuilder

A new yum repo was added to CentOS 8-stream images called CentOS-Appstream.

Dqlite (RAFT library)

A fix landed 2 weeks ago to prevent orphaned snapshot files being left behind and following on from that last week an additional fix was added to delete any orphaned snapshot files to prevent them from accumulating.

Youtube channel

We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

  • Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

  • Distrobuilder Windows support
  • Virtual networks in LXD
  • Various kernel work
  • Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report this week

Distrobuilder

Dqlite (RAFT library)

Dqlite (database)

  • Nothing to report this week

Dqlite (Go bindings)

  • Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • lxd: Cherry-pick upstream bugfixes