Weekly status for the week of 5th June to 11th June.
Introduction
This past week we have added UEFI Compatibility Support Module (CSM) support for LXD VMs. This allows for booting non-UEFI legacy operating systems.
There was also a continuation of the documentation improvements for LXD, this time focusing on restructuring the Manage LXD and Internals sections, as well as the usual round of bug fixes and improvements.
Additionally @stgraber has added a video covering LXD backup and disaster recovery:
https://www.youtube.com/watch?v=IFOZpAxckPo
Job openings
Canonical Ltd. strengthens its investment into LXD and is looking at building multiple squads under the technical leadership of @stgraber.
As such, we are looking for first-line managers (highly technical) and individual contributors to grow the team and pursue our efforts around scalability and clustering.
All positions are 100% remote with some travel for internal events and conferences.
For more info please see LXD related openings at Canonical Ltd (2022-2023)
LXD
New features:
- Added support for UEFI CSM to allow running of legacy VM operating systems. This is controlled by the security.csm instance setting.
Improvements:
- The output of instance exec record-output mode is now stored in the instance’s storage volume rather than in the root filesystem. This means that it now falls under the instance’s root disk quota, whereas before it was in theory possible to consume all root filesystem space.
- Added auth_user_name and auth_user_method to the output of the /1.0 API endpoint. This was added for the LXD UI in order to ascertain whether to show a Logout button or not.
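As an added illustration of how a client such as a web UI can consume the two new fields (this is example code, not LXD's or the LXD UI's own implementation), the function below reads the metadata of a GET /1.0 response and decides whether a Logout control makes sense. The sample response is constructed, the base URL is hypothetical, and the rule that only the "oidc" method is logout-capable is an assumption made for the example.

```javascript
// Added example, not part of the LXD project: derive UI auth state from /1.0.

// Constructed sample of the "metadata" part of a GET /1.0 response.
// "auth" is the existing trusted/untrusted indicator; auth_user_name and
// auth_user_method are the fields added this week.
const SAMPLE_ROOT = {
  metadata: {
    auth: "trusted",
    auth_user_name: "alice@example.com", // constructed value
    auth_user_method: "oidc",            // constructed value
  },
};

// Assumption for this example: only a browser-session style method (OIDC)
// has something to log out of; a TLS client certificate or the local unix
// socket has no server-side session a UI could end.
const LOGOUT_CAPABLE_METHODS = new Set(["oidc"]);

// Reduce the /1.0 response to what a UI needs. Defensive about missing or
// malformed fields so an older server (without auth_user_*) still works.
function authState(root) {
  const m = (root && typeof root.metadata === "object" && root.metadata) || {};
  const trusted = m.auth === "trusted";
  const method = typeof m.auth_user_method === "string" ? m.auth_user_method : "";
  const user = typeof m.auth_user_name === "string" ? m.auth_user_name : "";
  return {
    trusted,
    user,
    method,
    // Show Logout only when the server reports an authenticated caller AND
    // the method is one the UI can actually terminate.
    showLogout: trusted && LOGOUT_CAPABLE_METHODS.has(method),
  };
}

// Convenience wrapper for a live server (hypothetical baseUrl such as
// "https://lxd.example:8443"). Not exercised by the assertions below.
async function fetchAuthState(baseUrl) {
  const res = await fetch(`${baseUrl}/1.0`, { credentials: "include" });
  if (!res.ok) throw new Error(`GET /1.0 failed with HTTP ${res.status}`);
  return authState(await res.json());
}

// Example run on the constructed sample: trusted OIDC user -> showLogout true.
console.log(authState(SAMPLE_ROOT));
```

The useful property for a UI is that an untrusted caller, a certificate-authenticated caller, or a server that predates the new fields all yield showLogout false, so the control is never offered when there is nothing to log out of.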
Bug fixes:
- Fixed an AppArmor issue with concurrent VM creation from the same image when using non-optimized storage pools. Now each invocation of qemu-img that is used to unpack VM images is wrapped with a unique AppArmor profile, which avoids the permission issues that were preventing unpack.
- Fixed bug regarding SRIOV representor port lookup with ovn NICs when using the acceleration mode.
- Fixed issue with lxc warning acknowledge not returning an error if the warning UUID didn’t exist.
- Fixed issue with VM NICs causing high CPU usage on the host when using the vhost-net CPU offloading feature. This was addressed by modifying the settings applied to the LXD-configured TAP device to match what QEMU expects before it is passed to QEMU.
- Fixed GPU device selection filtering. This allows adding physical GPU devices to containers by setting the DRM ID with the id setting. Before, a new device /dev/nvidia[0123...] was added for each graphics card regardless of what was configured with id.
- Fixed issue with VM refresh since the improved configuration validation was added. This highlighted a bug in the lxc command that was always trying to set volatile.idmap.next on refresh, even though this setting isn’t valid for VMs.
- Added workaround for an OVN bug that prevents communication with the uplink network when using OVN with IPv6 geneve tunnels in a cluster. LXD will now attempt to ping both the IPv4 and IPv6 OVN virtual router external addresses on start up in order to get OVN to record the uplink gateway’s MAC address. The Canonical OVN team is investigating the actual OVN issue to see what is happening.
- Fixed issue with the zfs storage driver where, if atime=off was set or inherited on the instance dataset, this was not manifesting itself as noatime on the root filesystem mount. We have also added support for relatime=off atime=on, which will manifest itself as strictatime on the root filesystem mount.
- Fixed AppArmor issue when using the snap package and lxc export with squashfs.
- Fixed rename of global lxc remotes.
YouTube videos
The LXD team is running a YouTube channel with live streams covering LXD releases and weekly videos on different aspects of LXD. You may want to give it a watch and/or subscribe for more content in the coming weeks.
https://www.youtube.com/lxd-videos
Contribute to LXD
Ever wanted to contribute to LXD but not sure where to start?
We’ve recently gone through some effort to properly tag issues suitable for new contributors on Github: Easy issues for new contributors
Upcoming events
- Nothing to report this week
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- doc: restructure the Manage LXD and Internals sections
- lxd/storage: Use a unique apparmor profile for qemu-img unpacking
- Fix SRIOV representor port lookup
- doc: Update max value of net.core.bpf_jit_limit
- lxd: Check if warning exists before acknowledging it
- lxd/instance: Fix exec record-output location
- VM: Fix addNetDevConfig to match the tap interface settings that QEMU uses
- lxc/utils: Change sort ByName interface name to SortColumnsNaturally
- Instance: Fix VM image unpack apparmor regression
- Shared CLI package
- Allow the consistent selection of a GPU device by DRM ID
- lxc/copy: Don’t try and modify volatile.idmap.next on refresh if not set in source
- doc/devices/nic: ovn NICs support hotplugging for VMs now
- Network: Ping OVN virtual router external addresses when using physical uplink network
- lxd/instance_logs: Cleanup function call
- Introduce auth_user_name and auth_user_method in /1.0
- Add CSM support
- lxd/storage/zfs: Fix ZFS does not respect atime=off option
- lxd/db: return an error in UpdateWarningState if the warning is not found
- lxd/endpoints: make sure to not access past the end of the slice
- lxd/apparmor/archive: Fix snap handling
- lxc/remote: Fix rename of global remotes
LXC
- Nothing to report this week
LXCFS
- Nothing to report this week
Distrobuilder
- Nothing to report this week
LXD Charm
- Nothing to report this week
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- Nothing to report this week