Weekly status for the week of the 26th of April to the 2nd of May.
Introduction
This past week saw the release of Dqlite 1.7.0 and associated Dqlite Raft 0.10.1 release. Both of these are bug fix releases to improve the stability and performance of Dqlite.
LXD also gained a new persistent warnings feature.
The LXD team is hiring
Canonical Ltd. is expanding its investment into LXD with a total of 5 additional roles.
The primary focus of this effort is around scalability and clustering as well as developing compelling solutions using LXD for our customers.
All LXD positions are 100% remote with some travel for internal events and conferences.
LXD
Over the last week LXD gained a new persistent warnings API and associated lxc warning command set. The purpose of this feature is to allow LXD to record and expose structured warnings that it has detected.
These warnings will remain viewable with lxc warning ls and lxc warning show until they are acknowledged using lxc warning acknowledge, deleted using lxc warning delete, or resolve themselves. Acknowledged warnings will not reappear in the list while they remain in the database. A deleted warning may reappear if the scenario that caused the original warning reoccurs. If a warning resolves itself it is automatically removed from the database after 24 hours. We will be adding more persistent warnings to this subsystem in the future.
We have also been working on improving cluster security. LXD uses mutual TLS to authenticate API requests from remote clients (including other LXD cluster members). Previously, when LXD cluster members needed to communicate with each other they would use the same certificate that is used as the API service certificate (the so called "cluster certificate") as their client certificate. Effectively this made all the LXD cluster members appear as the same client when performing intra-cluster operations. This doesn't become an issue until a cluster member is removed from the cluster. At that point the member that left the cluster could still access the other cluster members using the cluster certificate and key it held. This was an undesirable scenario, and so we have modified LXD to have each cluster member use a unique certificate for intra-cluster communications (a so called "server certificate"). Each cluster member has its certificate added to the LXD global trust store when joining the cluster, and it is removed when the member is removed from the cluster. At that point the removed member can no longer access the other members, as its certificate is no longer trusted.
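The per-member trust model described above, as an added illustration in Go that is not LXD's own code: a trust store keyed by certificate fingerprint, a check shaped like tls.Config.VerifyPeerCertificate, and join/leave expressed as adding and removing one member's certificate. The TrustStore type, its method names and the self-signed certificates are assumptions and constructed test data, not LXD's implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// TrustStore maps the SHA-256 fingerprint of each member's own server certificate to its name.
// With one shared cluster certificate every member would present the same fingerprint, so a
// departed member could not be revoked without re-keying the whole cluster.
type TrustStore map[string]string

func Fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

func (t TrustStore) AddMember(name string, der []byte) { t[Fingerprint(der)] = name } // on join
func (t TrustStore) RemoveMember(der []byte)           { delete(t, Fingerprint(der)) } // on removal

// VerifyPeer fits tls.Config.VerifyPeerCertificate on a listener set to tls.RequireAnyClientCert:
// trust is decided per fingerprint rather than by CA chain, so revocation is a map delete.
func (t TrustStore) VerifyPeer(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	if len(rawCerts) > 0 {
		if _, ok := t[Fingerprint(rawCerts[0])]; ok {
			return nil
		}
	}
	return fmt.Errorf("client certificate not in trust store")
}

// SelfSignedCert is a throw-away stand-in for one member's server certificate (constructed data).
func SelfSignedCert() []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return der
}

func main() {
	store, a, b := TrustStore{}, SelfSignedCert(), SelfSignedCert()
	store.AddMember("member-a", a)
	store.AddMember("member-b", b)
	store.RemoveMember(b) // member-b is removed from the cluster; member-a is unaffected
	fmt.Println("a:", store.VerifyPeer([][]byte{a}, nil), "b:", store.VerifyPeer([][]byte{b}, nil))
}
```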
We have also increased the minimum supported kernel version for the nftables firewall driver from 5.0 to 5.2. This is in order to support NAT rules using the shared inet table type (for IPv4 and IPv6). LXD will fall back to using xtables on older kernel versions.
Dqlite (Go bindings)
As well as the releases of Dqlite and the Dqlite RAFT library, the Dqlite Go bindings have also had a .dump command added to the CLI.
YouTube channel
We've started a YouTube channel with live streams covering LXD releases and its use in the wider ecosystem.
You may want to give it a watch and/or subscribe for more content in the coming weeks.
Contribute to LXD
Ever wanted to contribute to LXD but not sure where to start?
We've recently gone through some effort to properly tag issues suitable for new contributors on GitHub: Easy issues for new contributors
Upcoming events
- Nothing to report this week
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can't be tied directly to a single GitHub issue or pull request.
- Distrobuilder Windows support
- Virtual networks in LXD
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Add persistent warnings and warnings API
- Cluster: Use per-member server certs
- IP package
- Certificates: PKI test improvements
- Add initial CGroup warnings
- Revert “lxd/instance/qemu: Move to query-cpus-fast”
- Firewall: Require kernel version >= 5.2 for nftables driver to allow support for inet table NAT rules
- lxd/images: Specify image type during distribution
- Operations: Updates imageValidSecret to check across all cluster members not just local operations
LXC
- oss-fuzz: switch to --enable-fuzzers
- rootfs rework
- storage/dir: cleanup mount code
- api-extensions: add entry for idmapped_mounts
- storage: fix dup_cloexec() call
- cgroups: fix fallback attach codepath
- oss-fuzz: always turn off logging on OSS-Fuzz
LXCFS
- Nothing to report this week
Distrobuilder
- sources/funtoo: Handle missing releases
- managers/zypper: Add --replacefiles flag to install
- main: Consider the case of boot.wim and install.wim
Dqlite (RAFT library)
Dqlite (database)
- Fixed the segfault in case raft uses direct IO backend
- vfs: Allow skipping a page when writing past PENDING_BYTE
- Style fix: spaces to tabs indent
- server.c: Fix strncat warning
- server: Lower default HeartBeat timeout.
- Release v1.7.0
Dqlite (Go bindings)
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- lxd: Cherry-pick upstream bugfixes
- lxc: Bump to 4.0.8
- lxcfs: Bump to 4.0.8