Weekly status #59

lxcfs
weekly
distrobuilder
lxc
lxd

(Stéphane Graber) #1


Weekly status for the week of the 30th of July to the 5th of August.

Introduction

A lot has happened this week, we started by switching dqlite implementation in LXD to the new one @freeekanayaka has been working on for the past few months.

This required changes to our CI, packaging and Makefile to handle it but the result is up to 10x database performance in some cases (mostly for clusters).

We followed that up with quite a few bugfixes, including better handling for host shutdown in clusters, spent a while figuring out how to handle file capabilities during remapping and added progress reporting to a few more lxc subcommands.

On the LXC side, we’ve been busy preparing for a security update, more details below and doing a number of other bugfixes.

@brauner also wrote a blog post about file capabilities on Linux and in containers.

LXC security issue (CVE-2018-6556)

A security fix for LXC was released earlier today, this affects:

  • LXC 2.0.9 and higher
  • LXC 3.0.0 and higher

Description of the issue:

lxc-user-nic (setuid) when asked to delete a network interface will
unconditionally open a user provided path.

This code path may be used by an unprivileged user to check for
the existence of a path which they wouldn’t otherwise be able to reach.

It may also be used to trigger side effects by causing a (read-only) open
of special kernel files (ptmx, proc, sys).

This was reported to us by Matthias Gerstner from SUSE and @brauner on the LXC team took care of finding a workable solution and
preparing the needed updates.

Fixes:

Linux distributions were privately notified with about a week notice and
so should have security updates ready for this already, or will shortly.

We will not be issuing emergency release tarballs for this issue so if
you’re maintaining your own build, you should be cherry-picking one of
the fixes above. We do however intend to release LXC 3.0.2 very shortly
which will include this fix among other traditional bugfixes.

References:

Upcoming conferences and events

  • Open Source Summit North America - Vancouver, BC (August 29-31)
  • Linux Plumbers Conference - Vancouver, BC (November 13-15)

Getting started with LXD workshop in Vancouver

@brauner and @stgraber will be giving a “Getting started with LXD” workshop as part of the Open Source Summit North America conference in Vancouver, BC.

Details can be found here: http://sched.co/FANz

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

  • Nothing to report this week

Distrobuilder

  • Nothing to report this week

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • Fixed a number of issues related to core snap updates
  • Updated to new dqlite API
  • Added basic support for overriding LXD_DIR
  • Fixed timezone handling

(Stéphane Graber) #2