Introduction

The LXD team is very excited to announce the release of LXD 3.7!

We started off this release cycle by fixing a number of issues and edge cases surrounding our recently introduced projects feature as more and more of our users started making use of it.

But that’s not to say that we’ve spent the entire past month fixing bugs and LXD 3.7 also debuts support for container refreshes, got a few tweaks to our TLS setup, improved exec operations and an extra VXLAN configuration key.

On top of the project fixes, we’ve also done a number of improvements to our database, logging and fixed quite a few other bugs.

New features

Container refresh

It is now possible to tell LXD to refresh a container based on another container, either locally or remotely. On the command line, this is controlled by a new --refresh argument to lxc copy .

This can be used to setup a backup LXD server that will then get regular updates from production servers, keeping the containers and their snapshots in sync until such time as they need to be restore or just started from the backup server.

The initial copy uses our usual migration code, subsequent refreshes will then compare the list of snapshots, delete any snapshot which was removed from the source or which appears to have been changed and then sync the missing snapshots and container state using rsync.

Switch default key type to EC384

LXD has always used RSA4096 has the algorithm and key strength of choice for its private keys. This has unfortunately cause a number of issues on some CPU architectures where RSA can get very very slow.

The switch to using an elliptic-curve key by default fixes that issue by considerably reducing the generation time without compromising on private key security.

Note that this is only used for newly generated keys, existing users will keep using their RSA private keys. It’s also worth noting that LXD will happily let you generate your own private key and certificate and just put them into place on the filesystem for it to use.

New environment variable to control cipher selection

While all our own image servers and internal communications support modern ciphers, it’s been brought to our attention that some corporate environments will intercept TLS traffic through their proxy and using a company CA, terminate the TLS connection on the proxy to inspect the traffic.

This would work fine so long as the company CA is trusted on the system and LXD is configured to use the company proxy. Unfortunately, it appears that many such proxies also do not support the modern ciphers that LXD requires, effectively causing all outgoing TLS connections to fail.

For those environments, we have now added a new LXD_INSECURE_TLS environment variable which is respected by both lxd and lxc and that will instruct LXD to relax the ciphers requirements, using the default TLS settings from Go rather than using our restricted set of trusted ciphers.

Added metadata to exec operations

Ever wondered what that exec session is about in lxc operation list ?

Well, now LXD lets you find that out by looking at some extra metadata that’s recorded as part of the exec operation.

stgraber@castiana:~$ lxc exec xenial -- sleep 30 & [1] 25911 stgraber@castiana:~$ lxc operation list +--------------------------------------+-----------+-------------------+---------+------------+----------------------+ | ID | TYPE | DESCRIPTION | STATUS | CANCELABLE | CREATED | +--------------------------------------+-----------+-------------------+---------+------------+----------------------+ | 274ab284-ed07-4834-b3f5-6ec1d7cf3b74 | WEBSOCKET | Executing command | RUNNING | NO | 2018/11/09 04:20 UTC | +--------------------------------------+-----------+-------------------+---------+------------+----------------------+ stgraber@castiana:~$ lxc operation show 274ab284-ed07-4834-b3f5-6ec1d7cf3b74 id: 274ab284-ed07-4834-b3f5-6ec1d7cf3b74 class: websocket description: Executing command created_at: 2018-11-08T23:20:30.323852365-05:00 updated_at: 2018-11-08T23:20:30.323852365-05:00 status: Running status_code: 103 resources: containers: - /1.0/containers/xenial metadata: command: - bash environment: HOME: /root LANG: C.UTF-8 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin TERM: xterm USER: root fds: "0": d79593f74c3e566987a3bdb109d2f4102aea5915ad344f64ea665082c1a3177e control: 0ed5ba645a9f6f0b2956282bba274ce015407a6309e1a9ec1a897fab0483d6fe interactive: true may_cancel: false err: ""

This records the command that was executed, its environment and whether it was run interactively or not.

New VXLAN TTL configuration key

A new tunnel.NAME.ttl key has been added to LXD managed bridges.

This lets you configure the TTL to use for multicast VXLAN tunnels (default is 1).

Bugs fixed

backup: Allow backups to not expire

client: Always use the “do()” wrapper

client: Fix cancelation of image download

client: Fix error handling in operations

client: Fix URLs with missing project/target

doc: Add the appropriate titles to some documents

doc: Bump to 1.10 or higher everywhere

doc: Update build instruction

doc: Update cloud-init network documentation

i18n: Update translations from weblate

i18n: Update translation templates

lxc: Switch all progress op handling to cancelable

lxc/copy: --container-only is meaningless for snapshots

lxd: Register background tasks as operations

lxd: Remove expired container backups

lxd: Rework task handling

lxd/backups: Set default expiry for backups

lxd/checkfeature: Check for vfs3 fscaps support

lxd/checkfeature: Don’t log error on missing feature

lxd/containers: Add ContainerListExpanded to load containers and expand their configs/devices

lxd/containers: Associate a container with the profile from its own project

lxd/containers: Consider the container’s project when loading profiles

lxd/containers: Detect root disk pool changes

lxd/containers: Expand container devices and configs from the associated project

lxd/containers: Fix bad check for recursive mounts

lxd/containers: Fix cluster shutdown

lxd/containers: Fix lxc exec when using a container inside a project

lxd/containers: Fix missing project in args

lxd/containers: Improve error messages

lxd/containers: Make containers on other nodes visible also in the non-default project

lxd/containers: Prefix the container name with the project name when invoking forkconsole

lxd/containers: Prevent duplicate profiles

lxd/containers: Use liblxc mount injection api

lxd/daemon: Clarify early loggging

lxd/daemon: Don’t expire lxd.log by accident

lxd/daemon: Don’t mention MAAS unless configured

lxd/daemon: Improve logging of inherited fds

lxd/daemon: Improve logging of kernel features

lxd/db: Add logic to the db package to expand devices

lxd/db: Add logic to the db package to load and expand profiles

lxd/db: Detect and shrink large boltdb files

lxd/db: Fix bad limits.cpu in test

lxd/db: Fix listing container backups

lxd/db: Increase database timeout when creating indexes in db update 12

lxd/db: Increase go-dqlite client timeout when not-clustered

lxd/db: Make the db mapper code generator handle compound natural keys

lxd/db: Sanitize references to containers table

lxd/db: Send raft/dqlite logging to debug

lxd/db: Speed up execution of update from v11 of the db

lxd/db: Wire expand config logic fromt the db package

lxd/db: Wire expand devices logic fromt the db package

lxd/events: Prevent event listeners from lying around even after Disconnect()

lxd/images: Auto-update images also in projects other than the default one

lxd/images: Avoid downloading an image twice if it’s already in another project

lxd/images: Link an image to a project when downloading it to init a container

lxd/images: Support creating project-bound container using an image on another node

lxd/main_forkmount: Use pkg-config

lxd/main_forknet: Simplify getifaddrs

lxd/migration: Use current idmap instead of next

lxd/networks: Include containers from all projects in the UsedBy field of a network

lxd/patches: Add missing transition for symlinks

lxd/profiles: Fix project-aware URIs in the UsedBy field of api.Profile

lxd/projects: Fix clustered exec/console

lxd/projects: Fix profile updates

lxd/projects: Propagate events about all projects to all cluster nodes

lxd/projects: Re-create the project default profile when turning on the project profiles feature

lxd/storage: Add StorageVolumeIsAvailable to check if a Ceph volume can be attached

lxd/storage: Destroy the correct ZFS volume when deleting a container in a project

lxd/storage: Fix importing preseed dump

lxd/storage: Improve loop device errors

lxd/storage: Make custom volumes visible from non-default projects

lxd/storage: Retry loop device allocation on EBUSY

lxd/storage: Wire StorageVolumeIsAvailable to containerValidDevices

rsync: Tweak transfer options (introduce delete & compress)

scripts: Add ‘project’ to bash completion

shared: Add limits.cpu validator

shared/idmap: Use global variable for vfs3 fcaps support

shared/logging: Improve logfile output

shared/network: Allow TLS1.3

tests: Add integration test for CEPH cross-node volumes

tests: Small unrelated cleanup in projects integration test

travis: Bump Go versions and use ‘.x’ to always get latest patch versions

Try it for yourself

This new LXD release is already available for you to try on our demo service.

Downloads

The release tarballs can be found on our download page.