Weekly status #194


Weekly status for the week of the 12th of April to the 18th of April.

Introduction

The largest feature to land in the past week is firewall ACL support for LXD bridge networks, alongside the usual set of fixes and improvements.

The LXD team is hiring

Canonical Ltd. is expanding its investment into LXD with a total of 5 additional roles.
The primary focus of this effort is around scalability and clustering as well as developing compelling solutions using LXD for our customers.

All LXD positions are 100% remote with some travel for internal events and conferences.

LXD

Network ACL support for bridge networks was added last week. It uses the same ACL concept as the OVN ACL support we added a few weeks ago, but rather than relying on the built-in ACL support that OVN has, LXD translates the ACL rules into the equivalent firewall rules for the active firewall driver (either nftables or xtables).

This new functionality allows you to define firewall rules in an ACL group and then apply that group to one or more bridge networks. LXD then maintains the corresponding rules in the underlying firewall on your LXD host.

Due to some limitations in nftables, and even more in xtables, we have chosen a lowest common denominator approach for supporting ACL features with these drivers. This means that ACLs applied to bridge networks have some limitations compared to ACLs on OVN networks. Please see https://github.com/lxc/lxd/blob/master/doc/network-acls.md#bridge-limitations for more detail.

For ACL usage please see https://linuxcontainers.org/lxd/docs/master/network-acls
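As an added illustration of the workflow described above (an example script written for this note, not code from the LXD project or from the status post), the following POSIX shell script creates an ACL group with the lxc client, adds ingress rules to it, attaches it to a bridge network, and then lists what LXD stored and what it programmed into the host firewall. The ACL name web-acl, the bridge name lxdbr0 and the management host address 10.0.0.5 are assumptions; the `lxc network acl` subcommands and the `security.acls` and `security.acls.default.*.action` network keys are LXD's own. The rules deliberately use only IP-address subjects and allow/drop actions, which is what the post confirms works on bridge networks.

```shell
#!/bin/sh
# Added example (not code from the LXD project or the status post): define a
# network ACL, add rules to it, attach it to a bridge network and inspect the
# result. The ACL name (web-acl), bridge name (lxdbr0) and management host
# address (10.0.0.5) are assumptions for illustration.
set -eu

# LXD client binary. Override with LXC=echo to dry-run and print the commands.
LXC="${LXC:-lxc}"

# Create the ACL group, populate it with rules and apply it to a bridge.
acl_apply() {
    acl="$1"
    net="$2"

    "$LXC" network acl create "$acl"

    # Inbound HTTP/HTTPS to instances on the bridge, from anywhere.
    "$LXC" network acl rule add "$acl" ingress \
        action=allow protocol=tcp destination_port=80,443 state=enabled

    # Inbound SSH only from a single management host. A plain IP address is
    # accepted as the subject (previously it had to be written as a CIDR).
    "$LXC" network acl rule add "$acl" ingress \
        action=allow protocol=tcp source=10.0.0.5 destination_port=22 state=enabled

    # Drop inbound traffic not matched above and let outbound traffic through.
    # The default actions are set explicitly rather than relied upon.
    "$LXC" network set "$net" security.acls.default.ingress.action drop
    "$LXC" network set "$net" security.acls.default.egress.action allow

    # Attaching the ACL is what makes LXD program the host firewall.
    "$LXC" network set "$net" security.acls "$acl"
}

# Show the ACL as LXD stores it, the network it is attached to, and the
# rules LXD generated in the host firewall (the firewall listing needs root).
acl_check() {
    acl="$1"
    net="$2"
    "$LXC" network acl show "$acl"
    "$LXC" network show "$net"
    if command -v nft >/dev/null 2>&1; then
        nft list ruleset
    else
        iptables-save
    fi
}

# Usage: sh acl-example.sh apply [acl] [bridge]
#        sh acl-example.sh check [acl] [bridge]
# With no arguments only the functions are defined (handy for LXC=echo dry runs).
case "${1:-}" in
    apply) acl_apply "${2:-web-acl}" "${3:-lxdbr0}" ;;
    check) acl_check "${2:-web-acl}" "${3:-lxdbr0}" ;;
    "") ;;
    *) echo "usage: $0 apply|check [acl] [bridge]" >&2; exit 2 ;;
esac
```

Run `sh acl-example.sh apply` on an LXD host whose version includes this week's bridge ACL work, then `sudo sh acl-example.sh check` to compare the ACL definition against the nftables or xtables rules LXD emitted for it. Setting `LXC=echo` first prints the lxc commands instead of running them, which is a cheap way to review a rule set before applying it to a production bridge.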

There have also been some fixes and improvements in the past week:

  • Network ACL rules now allow source/destination subjects to be specified using single IP addresses rather than CIDRs.
  • Image download locks have been added to prevent conflicts in downloading an image and creating its associated DB records when multiple instances that require the same image are launched concurrently.
  • An issue that was preventing container restart when attaching a USB device has been fixed.

LXC

Over the past week the focus has been on improving the LXC tests: several memory leaks in the tests were fixed and more automated tests were added.

Distrobuilder

A new yum repo, CentOS-Appstream, was added to the CentOS 8-stream images.

Dqlite (RAFT library)

A fix landed two weeks ago to prevent orphaned snapshot files from being left behind. Following on from that, an additional fix was added last week to delete any existing orphaned snapshot files so that they do not accumulate.

Youtube channel

We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

  • Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

  • Distrobuilder Windows support
  • Virtual networks in LXD
  • Various kernel work
  • Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report this week

Distrobuilder

Dqlite (RAFT library)

Dqlite (database)

  • Nothing to report this week

Dqlite (Go bindings)

  • Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • lxd: Cherry-pick upstream bugfixes

Can you please offer some details about the limitations of nftables? Do those limitations still exist? I am interested in applying ACLs on intra-bridge traffic. I can do this if I apply nftables rules manually, but I am curious whether it could also be implemented in ACLs.