Weekly status for the weeks of the 11th to the 17th of February.
Introduction
A lot of this past week was spent on better handling of the privileged containers CVE in liblxc, trying to find the right balance between mitigating the most critical cases while not breaking our downstream users. A number of security improvements to our various code bases have also been made, simplifying the way we do memory management and argument parsing.
On the LXD side, we’ve been fixing a number of bugs and did some refactoring of our network handling code, fixed some occasional LVM failures, improved handling of Candid-based authentication and landed some more fixes for scheduled snapshots.
And lastly, our work on porting images to distrobuilder has been continuing with ArchLinux for ARM getting added as well as Gentoo and Sabayon. We’ll be looking at Oracle Linux and Fedora next.
Note that you can look at our production YAML definitions here:
https://github.com/lxc/lxc-ci/tree/master/images
Upcoming conferences and events
- GTC 2019 - San Jose, CA (March 17-21)
Ongoing projects
The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single Github issue or pull request.
- Rework of internal LXD storage handling
- Dqlite 1.0
- Switching distribution building over to distrobuilder
- Various kernel work
- Stable release work for LXC, LXCFS and LXD
Upstream changes
The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.
LXD
- Fixed and improved some of our network handling logic
- Fixed a goroutine leak in ExecContainer
- Added ArchLinux's name for armv7
- Improved cmdline parsing in C loader
- Fixed an occasional LVM issue caused by pre-existing signatures
- Improved handling of candid domains and cookies
- Reworked disk space tracking for CEPH
- Updated our container handler to turn on advanced mitigation for CVE-2019-5736 when needed
- Tweaked the output of lxc remote list
- Fixed occasional duplicate scheduled snapshots
- Fixed backup import failures on LVM
- Made it possible to set snapshot expiry on create
LXC
- Made re-execution opt-in for library callers
- Fixed error handling in apparmor config file opening
- Improved apparmor testing on apparmor python script
- Simplified re-execution logic by removing needless /proc/cmdline parsing
- Improved cmdline and environ parsing in re-exec logic
- Fixed some logging issues
- Properly fixed over-mounting through new mount API
- Switched some functions to cleanup macros
- Added support for older kernels in re-exec
- Renamed steal_{fd,ptr} to move_{fd,ptr}
- Added sendfile fallback for fd_to_fd
LXCFS
- Nothing to report this week
Distrobuilder
- Added support for ArchLinux ARM
- Fixed the Debian cloud-init example
- Added support for architecture specific package sets
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week
Snap
- Cherry-picked some LXC and LXD bugfixes