Weekly Update Templates.png960×540 47.5 KB

Introduction

This week we released LXD 3.10 which should now be rolling out to users.

This release got delayed a bit and happened at the end of the week so we could fit in a few last minute bugfixes and minor improvements.

On the LXC side, we’ve kept working on improving code quality and hardening.
alloca() was eradicated from the code base, we’ve started making use of cleanup macros, tweaked our compiler flags some more and added some initial coccinelle scripts.

And lastly, ArchLinux has now been moved over to distrobuilder for image building and we’re making good progress towards moving Gentoo and Sabayon next.
As always, switching to distrobuilder comes with more images being made available for more architectures.

CVE-2019-5736

We also dealt with CVE-2019-5736 in liblxc and wrote about its affect on LXD users. The short version of this is that users of unprivileged containers (default) are perfectly safe, users of privileged containers may be at risk in some specific environments. This does not include snap users which are all safe thanks to the snap package being read-only.

This issue has been fixed in all maintained branches of LXC (2.0, 3.0 and master).
In line with our security policy, this issue isn’t treated as critical for LXC due to only affecting privileged containers which are already deemed to not be root safe.
This means that we will not be issuing emergency security releases for this and the workaround for this issue will be included in our next regular bugfix releases.

Upcoming conferences and events

• GTC 2019 - San Jose, CA (March 17-21)

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.

• Rework of internal LXD storage handling
• Dqlite 1.0
• Switching distribution building over to distrobuilder
• Various kernel work
• Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

• Added progress information for import and export operations
• Added support for overriding storage pool during backup import
• Tweaked structure of progress metadata
• Fixed some bad tests hiding return values
• Fixed some CEPH rbd unmap issues
• Optimized image packing by doing tar and compress in a combined stream
• Fixed hangs on migration failure
• Fixed lxc profile list to have consistent yaml/json output
• Added Gentoo armhf variant to architecture list
• Fixed empty return value for GetCertificateFingerprints in Go client
• Fixed snapshot expiry for scheduled snapshots
• Updated database tests for current go-sqlite3

LXC

• Wiped alloca() from the codebase
• Fixed RPM packaging for bash completion
• Hardened our compiler flags
• Added LGTM to README
• Partially switched cgroups handling to cleanup macros
• Added uid/euid checks in caps handling
• Added initial coccinelle support
• Fixed some recent regressions
• Fixed regression in cgroups creation
• Added handling for \r in list parsing
• Added a copy of fexecve() for Android’s Bionic
• Fixed some licensing headers
• Fixed some more licensing headers

LXCFS

• Added logic to skip mounting lxcfs cgroup tree on CentOS 7 hosts

Distrobuilder

• Tweaked ArchLinux source to get latest release by default

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week

Snap

• Bumped compiler to Go 1.11.5
• Updated to LXD 3.10
• Cherry-picked bugfixes