Weekly status for the week of the 14th of June to the 20th of June.
Introduction
Last week the LXD latest/stable snap channel’s base image was changed from core18 (based on Ubuntu 18.04 LTS) to core20 (based on Ubuntu 20.04 LTS). This refreshes the underlying base OS components that LXD uses. It has also enabled the use of the LXD bridged NIC security.port_isolation feature (now that the newer version of iproute2 is available).
However, due to changes in the underlying software components provided by the snap, there were some transitional issues. These have been documented here, so if you are experiencing any issues with LXD 4.15 please do check there first.
Moving our IRC presence to Libera Chat
Our IRC (live chat) channels have moved from Freenode over to Libera Chat.
You can now find us in #lxc and #lxc-dev on irc.libera.chat.
A web chat client can be found here: Kiwi IRC
The LXD team is hiring
The LXD team at Canonical is currently looking for a Go software engineer to join our distributed team of engineers. We’re looking for candidates anywhere in Europe or the Americas!
All LXD positions are 100% remote with some travel for internal events and conferences.
LXD
As well as the core20 base snap change above, there have also been several new features added in the last week along with the usual set of bug fixes and improvements.
New features:
- The cluster certificate and private key can now be changed using the new lxc cluster update-certificate command and the associated API endpoint /1.0/cluster/certificates. This allows easier automation (e.g. using LetsEncrypt) to programmatically change the cluster certificate across all cluster members.
- The bridged NIC’s security.ipv{n}_filtering feature can now be used when the parent bridge is an unmanaged bridge.
Improvements:
- There was a documentation change to remove the statement regarding VM support being considered experimental. This has been changed as VM support, while not being at full feature parity with containers, is considered stable for the features we do have.
- A guide has been added in the Network documentation section on setting up systemd-resolved on the LXD host to allow it to resolve .lxd domains via the LXD managed DNS server, in order to provide DNS resolution for instance names.
- As part of the work to add an interactive lxd recover command (see [LXD] New disaster recovery tool) the validation for project names has been restricted to not allow underscores.
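The systemd-resolved guide mentioned above covers pointing the host's resolver at the LXD bridge's dnsmasq for the .lxd domain. The shell helper below is an added example, not code from the LXD documentation or this status post: it renders a systemd oneshot unit that, whenever the bridge device appears, runs resolvectl to register the bridge's dnsmasq address as a per-link DNS server and '~lxd' as a routing-only domain, so only .lxd lookups are sent to LXD's DNS server and the host's other DNS traffic is unaffected. The bridge name, its address, the unit file name and the destination directory are assumed inputs chosen for the example.

```shell
#!/bin/sh
# Added example (not from the LXD docs or the status post). Renders a
# systemd unit that configures systemd-resolved for an LXD bridge.
# Assumptions: the bridge name (e.g. lxdbr0) and its IPv4 address are
# supplied by the caller; resolvectl is the systemd-resolved CLI.

# strip_cidr ADDR/PREFIX -> ADDR
# "lxc network get lxdbr0 ipv4.address" returns e.g. 10.122.11.1/24;
# resolvectl wants the bare address.
strip_cidr() {
    printf '%s\n' "${1%/*}"
}

# render_resolved_unit BRIDGE IPV4 -> prints the unit to stdout.
# BindsTo/After on the .device unit mean the resolvectl calls run each
# time the bridge comes up, and the settings are dropped when it goes away.
# "~lxd" is a routing-only domain: only *.lxd queries go to this server.
render_resolved_unit() {
    bridge="$1"
    addr="$2"
    cat <<EOF
[Unit]
Description=LXD per-link DNS configuration for ${bridge}
BindsTo=sys-subsystem-net-devices-${bridge}.device
After=sys-subsystem-net-devices-${bridge}.device

[Service]
Type=oneshot
ExecStart=/usr/bin/resolvectl dns ${bridge} ${addr}
ExecStart=/usr/bin/resolvectl domain ${bridge} '~lxd'

[Install]
WantedBy=sys-subsystem-net-devices-${bridge}.device
EOF
}

# write_resolved_unit BRIDGE IPV4_OR_CIDR DEST_DIR -> writes
# DEST_DIR/lxd-dns-BRIDGE.service and prints its path.
# (Unit file name is an assumption for this example.)
write_resolved_unit() {
    bridge="$1"
    addr=$(strip_cidr "$2")
    dest="$3/lxd-dns-${bridge}.service"
    render_resolved_unit "$bridge" "$addr" > "$dest"
    printf '%s\n' "$dest"
}

# Stand-alone use: ./script.sh lxdbr0 "$(lxc network get lxdbr0 ipv4.address)"
if [ "$#" -ge 2 ]; then
    render_resolved_unit "$1" "$(strip_cidr "$2")"
fi
```

To use it on a host, write the unit into /etc/systemd/system with write_resolved_unit, then run systemctl daemon-reload and systemctl enable --now lxd-dns-lxdbr0.service; resolvectl status lxdbr0 should then show the bridge address as the link's DNS server and ~lxd as its DNS domain. Keeping the scope per-link rather than setting a global DNS server is the point of the '~lxd' routing domain.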
Bug fixes:
- When an instance is shutting down, repeatedly polling the instance’s state API endpoint could occasionally return an error if the call landed in the brief window where the instance was still considered running but was already cleaning up its host-side devices, so that gathering the NIC MTU failed. This has been fixed to return -1 for the MTU in that situation.
- An issue that was causing duplicate persistent warnings has been fixed via a DB patch.
- When copying an instance to a remote server, if the copy failed on the remote side the LXC client would retry on the remote server’s other IPs (if available). This, as well as being unnecessary if the initial connection succeeded, was also causing problems with operations pausing and not completing. The client now only retries with a different address if the initial connection fails.
- An issue that prevented changing the security.nesting setting on an instance that had never been started, due to a missing AppArmor profile, has been fixed.
LXC
Support for the LISTEN_FDS environment variable used by the OCI spec has been added, and cgroup v1 controller ordering has been fixed for certain environments.
Distrobuilder
Work has continued on making our images start with no failing services.
Dqlite (RAFT library)
A double free crash scenario has been fixed.
Youtube channel
We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.
You may want to give it a watch and/or subscribe for more content in the coming weeks.
https://www.youtube.com/lxd-live
Contribute to LXD
Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors
Upcoming events
- Nothing to report this week
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.
- Distrobuilder Windows support
- Virtual networks in LXD
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Update cluster certificates on all members through API
- Network: Add support for using bridged NIC IP filtering on unmanaged parent bridges
- lxd: update instructions for compilation from a release tarball
- lxd/init: show the new default value for password authentication
- Docs: Adds guide on how to get systemd to configure systemd-resolved on lxdbr0 start up
- Projects: Prevent the use of underscores in new project names
- Init: Introduce poolType constants
- Init: Use validate.Optional in askClustering
- Validate: Make IsOneOf only allow the specified values
- warnings: Offline cluster member
- Network: Return -1 for Mtu in State() for bridged and ovn NICs if host interface not available
- Handle newer unsquashfs
- doc: fix cluster.https_address’ description
- lxd/patches: Fix duplicate warnings
- forkexec: handle broken close_range() backport in openSUSE Leap 15.3
- lxc/warning: Hide location if not clustered
- AppArmor: Generate policy file when validating if needed
- docs: Removes statement about VMs being considered experimental
- Network: Surface bridge dnsmasq specific start up errors via log entry
- client: Only retry target addresses if initial connection fails
LXC
- string utils: Make sure don’t return uninitialized memory.
- Add support for LISTEN_FDS environment variable.
- [DO NOT MERGE]
- remove problematic terminology
- cgroups: use stable ordering for co-mounted v1 controllers
LXCFS
Distrobuilder
- sources: s/docker/docker-http/
- systemd: Mask systemd-pstore.service
- sources/centos: Support CentOS 8 on armhf
- sources/oracle: Fix ISO paths and support aarch64
- main: Mask ua-messaging.service
- sources: Remove duplicate code
Dqlite (RAFT library)
- terminology: Replace possibly offensive terms
- uv_segment: Fix double-free errors
- uv_segment: Initialize buf
Dqlite (database)
Dqlite (Go bindings)
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- lxd: Add support for global configuration (/var/snap/lxd/common/config/)
- lxd: Moved user config (from ~/snap/lxd/current/.config/lxc to ~/snap/lxd/common/config)
- snapcraft: Updated the snap description
- scripts: Fixed all shellcheck warnings
- lxd-migrate: Fix for new user config path
- lxd: Cherry-pick upstream bugfixes
- xtables: Added workaround for ebtables/arptables