Weekly status #95


Weekly status for the week of the 22nd to the 28th of April.

Introduction

This past week saw the completion of our integration work between LXD and Canonical’s RBAC (Role Based Access Control) service.

We also started the integration work between LXD and LXC’s new seccomp notifier so we can selectively intercept and process select system calls in LXD.

The cluster API also got a small extension to allow for direct copy of containers within a cluster without the need to externally initiate a migration. This will make many container copies faster on clusters.

On the LXC side, some work is happening to add more networking options. This led to a number of bugfixes and improvements to the existing networking code, including fixing some of the networking hooks and adding support for routes to containers.

The main focus now is on finishing a few remaining features and performance improvements ahead of LXD 3.13 next week.

Ongoing projects

The list below is feature or refactoring work which will span several weeks/months and can’t be tied directly to a single GitHub issue or pull request.

  • Rework of internal LXD storage handling
  • Syscall interception in LXC/LXD
  • Dqlite 1.0
  • Various kernel work
  • Stable release work for LXC, LXCFS and LXD

Upstream changes

The items listed below are highlights of the work which happened upstream over the past week and which will be included in the next release.

LXD

LXC

LXCFS

Distrobuilder

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXC, LXD and LXCFS as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week

Snap

  • Added xfs_repair to the snap

Hey, I can’t quite work it out from the PR: is the RBAC server built in? If not, is there a service you are targeting for use with it?

Edit: in case anybody else is wondering, it’s targeting Canonical’s server here

Right, RBAC in this context is Canonical’s RBAC server which is a self-hosted server that comes as part of an Ubuntu Advantage service subscription.

Without that service, you can still:

  • Set up Candid to integrate with your existing authentication provider
  • Have LXD use Candid, providing full access to anyone who’s authenticated with it

If you want to then restrict specific groups of users in your company directory to specific actions on specific LXD projects, then you’d want that RBAC service.

The RBAC service connects to Candid and lets an Administrator see all users and groups in Candid, add services like LXD, MAAS, … and see resource pools in those services (projects in the case of LXD). The administrator can then allow specific users or groups specific access to specific projects on specific LXD hosts or clusters.

In all this, LXD only uses RBAC as a Candid proxy and uses RBAC’s REST API to grab user permissions to particular projects.