Weekly status #265


Weekly status for the week of the 5th September to the 11th September.

Introduction

This past week has seen two of our LXD roadmap items merged; local object storage support using MinIO and restricted.network.access feature in restricted projects. There were also performance improvements for macvlan NICs in VMs and some more improvements to DB query efficiency.

In addition @stgraber has continued his storage themed videos this week by looking at custom storage volumes in LXD:

LXD

New features:

  • Local S3 object storage support using MinIO: Following on from the recently added S3 object storage support using Ceph Object Gateway we have now added support for local S3 object storage by leveraging MinIO. For more detail please see About storage pools, volumes and buckets - LXD documentation and [LXD] Object storage (S3 API).
  • Restricted networks access for projects: A new setting has been added for restricted projects (those that have restricted=true set) called restricted.networks.access. This new setting is a comma-delimited list of network names from the default project that are allowed to be referenced by LXD entities belonging to the restricted project. This setting also controls which networks can been seen in the LXD API when accessed using a restricted project’s context. Additionally the existing restricted.devices.nic setting is now also used to control which networks can be accessed from within the restricted project. If set to block then no networks can be accessed. If set to managed (which is the default if not specified) then only managed networks can be accessed. If set to allow then all networks can be accessed. For managed and allow the list of networks that can be accessed is then filtered if restricted.networks.access is set.

Improvements:

  • Added multi-queue and vhost-net offloading support to macvlan NICs for virtual machines.
  • Added profile info to backup index file.
  • Removes some functions that loaded storage volume record info inefficiently and replaced with more efficient function usage.
  • DB generator improvements to make it more flexible and clearer to use. Also added context support.

Bug fixes:

  • Fixed an issue to handle linux32 and linux64 arch personalities in lxc-to-lxd command.
  • Updated AppArmor profile to allow read/write access to /sys/fs/bpf.
  • Fixed an issue with extended attribute access when overlay does not filter response.
  • Made dnsmasq start up failures for bridge networks be considered a network start failure. This will cause a warning to be logged in lxc warning list as well as enable automatic retrying to start the network.
  • Fixed a panic in lxc alias add when no existing client config file exists.
  • Updated nftables firewall driver to pass rule config via STDIN to the nft command rather than via command arguments so that we don’t hit the argument length limit when using larger rulesets.
  • Fixed an issue that was causing the Cached property of an image record to be lost when initializing an image from an existing image in a different project.

Distrobuilder

Improvements:

  • Added support for OpenWrt 22.03.

Dqlite (database)

Bug fixes:

  • Fixed an issue that caused the Handover method of App, to continue looping over other servers after successfully transferring leadership to another server.
  • Dqlite shell fixes.

YouTube videos

The LXD team is running a YouTube channel with live streams covering LXD releases and weekly videos on different aspects of LXD. You may want to give it a watch and/or subscribe for more content in the coming weeks.

Contribute to LXD

Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors

Upcoming events

  • Nothing planned currently.

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

  • Nothing to report this week

LXCFS

  • Nothing to report this week

Distrobuilder

Dqlite (RAFT library)

  • Nothing to report this week

Dqlite (database)

Dqlite (Go bindings)

LXD Charm

  • Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • Nothing to report this week
1 Like

Is there any examples of how to use restricted.networks.access?

I have container with routed network with public ipv4 and rootless docker inside. I have created only one network interface (eth0) during container creation, but docker inside creates multiple networks inside.

lxc list shows all network ineterfaces in table, which is definitly unwanted in this case. Does restricted.networks.access help to hide interfaces which is not managed by LXD in this case?

The restricted.networks.access setting controls which LXD host side networks are visible/usable in lxc network list and as parent networks for instance NIC devices.

It doesn’t control what network interfaces can be created inside the instances, and lxc list will show all of those.