Weekly status for the week of the 15th to 21st of November.

Introduction

Last week LXD gained support for restricting which host paths can be used as the source of a disk device when used inside a restricted project. And go-dqlite had TLS session cache support added. On top of that the LXD charm got an OVN bundle which can be used to setup a cluster of 5 machines each running a LXD instance and an OVN dedicated chassis.

LXD

The bulk of the work last week was on adding support for the new restricted.devices.disk.paths setting, which also required adding a new forkusernsexec C program to run the disk proxy processes in their own user namespaces for ensuring the security of the restricted.devices.disk.paths setting in VMs.

@stgraber has also added a new video covering clustered OVN networking in LXD:

New features:

• Added support for moving instances and custom volumes between projects.
• Added new restricted.devices.disk.paths project setting that restricts the allowed source path prefixes for instance disk devices. When an instance uses a disk device whose source is underneath one of these restricted prefixes, LXD will use the openat2 syscall protections to ensure that the file handle opened to the source path for mounting does not resolve to a path above the allowed restricted parent prefix. Additionally the shift property of the disk device cannot be used in this scenario, which is to prevent an unprivileged container from creating a malicious program owned by root in shared disk’s source path and then setting the setuid bit on the program file so that it can then be run as root on the host outside of the container later.
• Also related to the above restricted.devices.disk.paths feature, we added a new forkusernsexec C program which will run a specified external command in its own user namespace. We then updated the VM disk share proxy processes to have their external sockets passed to them as file descriptors, which lays the ground work for these processes to be run in their own user namespace via forkusernsexec. This will then ensure that equivalent of shift mode is disabled for restricted VM disk shares (for the same reason we disallow it for containers above).

Improvements:

• Make the querying for if a project supports snapshots more efficient.

Bug fixes:

• Ensures that restricted projects must have their own profiles to avoid restrictions being bypassed when inheriting settings from the default project.
• Ensure that O_NOCTTY is raised when opening terminals.

Distrobuilder:

New features:

• Use (and prefer) new cloud-init config keys (cloud-init.network-config, cloud-init.user-data, and cloud-init.vendor-data) for any cloud-init configuration. The old config keys (user.network-config, user.user-data, and user.vendor-data) are still available and will not be removed. They will serve a fallback keys if the new keys aren’t used.

Improvements:

• Added timeout support via contexts.

Dqlite (RAFT library):

Bug fixes:

• Pre vote bugfixes.

Dqlite (Go bindings):

Improvements:

• Added support for TLS client session cache.

LXD Charm:

Improvements:

• Interface with ovn-central and vault.

Youtube channel

We’ve started a Youtube channel with live streams covering LXD releases and its use in the wider ecosystem.

You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

• Nothing to report this week

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Distrobuilder Windows support
• Virtual networks in LXD
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• Project: Adds restricted.devices.disk.paths setting
• Support for moving instances and custom volumes between projects
• Device: Switch to using string slice for mount option handling
• lxd: add forkusernsexec()
• tests: Split cluster and standalone
• VM: Use socket file descriptors for virtfs-proxy-helper and virtiofsd
• Project: Separate checking if a project can support snapshots from the project DB lookup
• VM: Close unnecessary file handles for VM disk proxy processes
• forkusernsexec: close file descriptors before exec
• util_linux: ensure that O_NOCTTY is raised when opening terminals
• Project: Validation cleanup
• forkusernsexec: fixes
• Move to cron/v3

LXC

• Nothing to report this week

LXCFS

• Nothing to report this week

Distrobuilder

• generators: Use new cloud-init config keys
• Add context

Dqlite (RAFT library)

• README: Update Build & Install sections
• Pre vote bugfixes

Dqlite (database)

• README: Update Install section

Dqlite (Go bindings)

• tls: Add ClientSessionCache
• README: Update ppa info
• Tests: Replace RSA cert by ECDSA cert

LXD Charm

• Interface with ovn-central and vault

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Nothing to report this week