Linux Containers - LXD - ニュース

14th of March 2022

はじめに ¶

LXD チームは LXD 4.24 のリリースをお知らせできることにとてもワクワクしています!

今回のリリースが 4.x シリーズの最後のリリースとなり、次のリリースは LXD 5.0 LTS になります。

Enjoy!

新機能とハイライト ¶

`lxc file mount` と新しいファイル API ¶

LXD は完全に新しいファイル API を提供するようになりました。これは、内部的には SFTP プロトコルのネイティブな Go 実装をベースにしており、GET /1.0/instances/NAME/sftp を通して直接利用できます。そして、既存のファイル API を扱うために改修しました。

この結果、特にファイル操作が並列ないしは連続で行われた時のファイル操作が大幅に速くなりました。リクエストごとにサブプロセスを起動したり、アクセス・取得するファイルを持ち運んだりする必要がないので、メモリ使用量が大幅に削減されます。

新しい API は sshfs とのインテグレーションも可能です。これにより、新しいlxc file mountコマンドが提供され、クライアント上のローカルパスに任意のインスタンスをマウントできるようになりました。

stgraber@dakara:~$ mkdir netbox01
stgraber@dakara:~$ lxc file mount s-dcmtl-cluster:netbox01/ netbox01/
sshfs mounting "netbox01/" on "netbox01"
Press ctrl+c to finish

stgraber@dakara:~$ ls -lh netbox01/
total 76K
lrwxrwxrwx 1 root   root       7 Mar  9 02:45 bin -> usr/bin
drwxr-xr-x 1 root   root    4.0K Apr 15  2020 boot
drwxr-xr-x 1 root   root     500 Mar 10 14:53 dev
drwxr-xr-x 1 root   root    4.0K Mar 10 12:17 etc
drwxr-xr-x 1 root   root    4.0K Mar  9 18:31 home
lrwxrwxrwx 1 root   root       7 Mar  9 02:45 lib -> usr/lib
lrwxrwxrwx 1 root   root       9 Mar  9 02:45 lib32 -> usr/lib32
lrwxrwxrwx 1 root   root       9 Mar  9 02:45 lib64 -> usr/lib64
lrwxrwxrwx 1 root   root      10 Mar  9 02:45 libx32 -> usr/libx32
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 media
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 mnt
drwxr-xr-x 1 root   root    4.0K Mar  9 19:09 opt
dr-xr-xr-x 1 nobody nogroup    0 Mar 10 14:53 proc
drwx------ 1 root   root    4.0K Mar 10 17:19 root
drwxr-xr-x 1 root   root     400 Mar 10 14:53 run
lrwxrwxrwx 1 root   root       8 Mar  9 02:45 sbin -> usr/sbin
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 srv
dr-xr-xr-x 1 nobody nogroup    0 Mar 10 14:53 sys
drwxrwxrwt 1 root   root    4.0K Mar 13 22:30 tmp
drwxr-xr-x 1 root   root    4.0K Mar  9 02:45 usr
drwxr-xr-x 1 root   root    4.0K Mar  9 02:46 var

クラスターの event-hub ロール ¶

LXDは、イベント API を使って運用の進捗状況を追跡し、クラスター全体のインスタンスのライフサイクルをモニタリングする簡単な方法を提供します。

デフォルトでは、各 LXD サーバーがすべての他のサーバーに接続されてすべてのイベントを受信し、すべてのローカルイベントを他の全サーバーにブロードキャストするフルメッシュとして動作します。

大規模クラスターを扱う場合、これはかなりの数の接続とネットワークトラフィックにつながる可能性があります。これを改良するために、新たに event-hub ロールを導入しました。このロールは、少なくとも 2 つのクラスタメンバーに割り当てることができます。設定した場合、イベントの処理はデフォルトの full-mesh モードから、新しい hub モードに切り替わります。

stgraber@dakara:~$ lxc cluster list
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
|   NAME   |                 URL                 |      ROLES       | ARCHITECTURE | FAILURE DOMAIN |        DESCRIPTION        | STATE  |      MESSAGE      |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| asuras   | https://[2602:fc62:b:100::200]:8443 |                  | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| athos    | https://[2602:fc62:b:100::204]:8443 | database-standby | x86_64       | athos          | Intel Xeon E5-2695v2 (2x) | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| celestis | https://[2602:fc62:b:100::206]:8443 |                  | aarch64      | celestis       | LibreComputer Potato      | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| delmak   | https://[2602:fc62:b:100::205]:8443 | database         | aarch64      | delmak         | Qualcomm Centriq 2400     | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| entak    | https://[2602:fc62:b:100::201]:8443 | database         | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| madrona  | https://[2602:fc62:b:100::202]:8443 | database-leader  | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| vorash   | https://[2602:fc62:b:100::203]:8443 | database-standby | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: full-mesh
stgraber@dakara:~$ lxc cluster edit athos
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: full-mesh
stgraber@dakara:~$ lxc cluster edit delmak
stgraber@dakara:~$ lxc info | grep server_event_mode
  server_event_mode: hub-client
stgraber@dakara:~$ lxc cluster list
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
|   NAME   |                 URL                 |      ROLES       | ARCHITECTURE | FAILURE DOMAIN |        DESCRIPTION        | STATE  |      MESSAGE      |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| asuras   | https://[2602:fc62:b:100::200]:8443 |                  | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| athos    | https://[2602:fc62:b:100::204]:8443 | event-hub        | x86_64       | athos          | Intel Xeon E5-2695v2 (2x) | ONLINE | Fully operational |
|          |                                     | database-standby |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| celestis | https://[2602:fc62:b:100::206]:8443 |                  | aarch64      | celestis       | LibreComputer Potato      | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| delmak   | https://[2602:fc62:b:100::205]:8443 | event-hub        | aarch64      | delmak         | Qualcomm Centriq 2400     | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| entak    | https://[2602:fc62:b:100::201]:8443 | database         | aarch64      | apm-chassis01  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| madrona  | https://[2602:fc62:b:100::202]:8443 | database-leader  | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
|          |                                     | database         |              |                |                           |        |                   |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
| vorash   | https://[2602:fc62:b:100::203]:8443 | database-standby | aarch64      | apm-chassis02  | APM X-Gene 2              | ONLINE | Fully operational |
+----------+-------------------------------------+------------------+--------------+----------------+---------------------------+--------+-------------------+
stgraber@dakara:~$

`lxc storage volume info` の再実装 ¶

lxc storage volume info は大幅に書き直され、以前のような限られた YAML 出力だけでなく、lxc info と同じような出力を提供するようになりました。

ストレージボリュームの詳細、タイプ、場所、ディスク使用量、関連するスナップショット、バックアップを表示するようになりました。

stgraber@dakara:~$ lxc storage volume info default foo
Name: foo
Type: custom
Content type: filesystem
Usage: 192.00KiB

Snapshots:
+-------+-------------+------------+
| NAME  | DESCRIPTION | EXPIRES AT |
+-------+-------------+------------+
| snap0 |             |            |
+-------+-------------+------------+

イメージ展開時の AppArmor プロファイル ¶

追加のセキュリティレイヤーとして、イメージの展開やバックアップをするたびに、LXD は一時的な AppArmor プロファイルを自動的に生成するようになりました。

これは tar や unquashfs や、それらが呼び出すあらゆる圧縮・解凍プログラムからの潜在的な攻撃から LXD システムを保護します。このプロファイルは、イメージ、バックアップとそのコンテンツの読み書きに必要なパスへのアクセスのみを許可します。

Grafana ダッシュボード ¶

LXD に Grafana ダッシュボードが同梱されるようになりました。

ダッシュボードの JSON は LXD のリリース tarball から直接取得するか、Grafana ウェブサイトから取得するのが便利でしょう。

grafana1|690x404

詳しくはこちらを参照してください: https://discuss.linuxcontainers.org/t/official-grafana-dashboard-for-lxd/13438

デグレードした状態での起動（ディスクが見えない場合）¶

LXD は 1 つ以上のストレージプールが欠けた状態でも起動するようになりました。
このシナリオでは、ストレージプールは保留状態になり、バックグラウンドで繰り返しリトライします。そのプールに依存するインスタンスとボリュームは、プールがオンラインに復帰するまで同様にブロックされます。

この機能はストレージプールが何かの理由で死んだ場合のリカバリーの仕組みや、1 つ以上のプールが外部メディア上にあり起動時に利用できないようなシナリオの両方で役に立つはずです。

しかし、LXD のアップグレード操作ではすべてのプールが存在している必要がある可能性が高いため、すべてのインスタンスやボリュームに対してアップグレードの移行手順を実行しなければいけない場合、ストレージプールが見つからないため、LXD は起動に失敗する可能性があることに注意してください。

`restricted.containers.interception` project option¶

新しいプロジェクトの制限オプションを導入しました。restricted.containers.interception で、現時点で次の2つを除くほとんどの security.syscalls.intercept オプションを使用できるようになります。

security.syscalls.intercept.mount.allowed
security.syscalls.intercept.mount.shift

このオプションを allow に設定することで、ユーザーはシステムコールインターセプションを有効にでき、Docker のような一部のワークロードを簡単に実行できるようになります。

このオプションを有効にすることは、ホストシステムに対するアタックサーフェスを増加させ、サービス拒否攻撃の格好の的になります。インターセプトしたシステムコールそれぞれにより、インスタンスのリクエストアクションを実行するために、ホスト上で一時的なタスクが生成されるためです。

ドキュメント : https://linuxcontainers.org/lxd/docs/master/projects/

`core.metrics_authentication` サーバーオプション ¶

LXD のメトリクス API を認証なしで使用できるようにするために、新しいサーバーオプションを導入しました。core.metrics_authentication が false に設定されると、core.metrics_address で設定されるアドレスで動作しているメトリクスサーバーはリクエスト元のクライアント証明書をチェックしなくなり、すべてのプロジェクトに対するメトリクスを返します。

これは適切な TLS ベースの認証ができない場合にのみ設定すべきです。そして、メトリクスエンドポイントにアクセスできるサーバーを制限するファイアウォールとあわせて使用すべきです。

仮想マシンのネットワークインターフェース名とMTU ¶

仮想マシンに対して、新しい設定オプションの agent.nic_config を導入しました。

このオプションを設定すると、VM 内で動作する LXD エージェントは、起動時にネットワークインターフェースの名前を変更し、LXD で設定したnameとmtuプロパティが VM のインターフェースに設定されるように再設定を行います。

これでコンテナでの動きに近い動作になります。しかし、VM イメージは一般的に enp5s0 という名前のネットワークインターフェースを想定しており、別の名前を使う場合はインスタンスのネットワーク設定を変更する必要がある可能性が高いことに注意が必要です。

VM ストレージで I/O uring のサポート ¶

LXD 仮想マシンは、ホストでの IO_uring サポートを検出し、利用できる場合で使用中のストレージプールと互換性がある場合は QEMU でブロック I/O に対して IO_uring を使用させるようになりました。

これで互換性があるシステム上での I/O が高速化され、ホストシステムの負荷も軽減されます。

`ipv4.neighbor_probe` and `ipv6.neighbor_probe` NIC オプション ¶

LXD 4.23 で、routed のネットワークインターフェースを使うインスタンスで、起動時に既存の IPv4 または IPv6 アドレスを検出するロジックを導入しました。この試行は通常意味があり、潜在的な設定ミスを防げますが、オフにした方が良いケースもあります。

このような理由から、この動きを制御する設定項目を 2 つ追加しました:

ipv4.neighbor_probe
ipv6.neighbor_probe

ドキュメント: https://linuxcontainers.org/lxd/docs/master/instances/#nic-routed

すべての変更点 ¶

このリリースでの完全な変更点のリストは次の通りです:

すべてのChangeLogを見る

lxd-agent: Fix bad copy/paste
lxd/daemon: Fix http response error typos
lxd-migrate: Support certificate tokens
lxd/util/http: Improves comment on CheckTrustState
lxd/util/http: Var naming clarity in CheckTrustState
lxd/daemon: Adds the trusted cluster member fingerprint to the request context username field in Authenticate
lxd/events/events: Adds EventSource type and constants
lxd/events/common: Removes localOnly concept from common listener
lxd/events/devlxdEvents: Removes isLocal concept
lxd/events/events: Replaces isLocal with excludeSources concept for AddListener
lxd/events: Updates d.events.AddListener usage with excludeSources
lxd-agent/events: Updates d.events.AddListener with excludeSources
test: Adds basic cluster event tests
lxd/events/events: Removes listener level location concept and replaces with server location concept
lxd-agent/events: d.events.AddListener usage to remove listener level location
lxd/events: Updates d.events.AddListener to remove listener location
lxd/cluster/events: Prevent concurrent running of EventsUpdateListeners
go.mod: bump github.com/mdlayher/vsock@v1.0.1
lxd/main_init_interactive: Add missing :
lxc/console: Don't crash on manual disconnect
doc/metrics: stop tuning job's scrape_interval now that results are cached 8s only
doc/metrics: don't assume any default scrape_interval value
lxd/response: Modernize FileResponse
lxd-agent: Update for FileResponse changes
lxd: Update for FileResponse changes
lxd/response: Rename FileModify to FileModified
lxd/fsmonitor/drivers: Ignore stale file handle errors.
lxd/apparmor: Remove state.State dependency from apparmor package
lxd/device: Remove state.State dependency from apparmor package
lxd/instance/drivers: Remove state.State dependency from apparmor package
lxd/network: Remove state.State dependency from apparmor package
lxd/storage/drivers/driver/zfs: Set all dataset mountpoint settings to legacy
lxd/cluster/membership: Run EventsUpdateListeners in NotifyHeartbeat in wait group
lxd/cluster/heartbeat: Only upsert member offline error in APIHeartbeat.Send if context not cancelled
lxd/cluster/heartbeat: Save member state gathered so far if heartbeat is cancelled
lxd/cluster/heartbeat: Comment improvement
lxd/cluster/heartbeat: Immediately ping remaining members when ctx is cancelled in APIHeartbeat.Send
lxd/cluster/gateway: Export HeartbeatLock
lxd/cluster/heartbeat: g.HeartbeatLock usage
lxd/cluster/heartbeat: Wait for ongoing heartbeat to finish in NotifyHeartbeat
lxc/config_trust: Support --name flag for tokens
client: Replace chConnected with ctxConnected
client/lxd/events: Updates SendEvent to use context deadline for timeout
test: Update clustering membership tests to not expect a specific promotion order of members
lxc/network_zone: Fix typo (entriess to entries)
lxc/cluster: Fix typo (doest to does)
i18n: Update translation templates
test: Update cluster rebalance tests to not use member specific role logic
test: Add cluster show to failure domains test to capture cluster state on intermittent test failure
shared/api/url: Add WithQuery
lxd/daemon: Run nodeRefreshTask inside cluster.EventsUpdateListeners as part of wait group
lxd/cluster/heartbeat: Fix comment
client: Introduce DoHTTP
client: DoHTTP usage
lxc/query: Use DoHTTP
lxd/api_metrics: Rename resp to metricSet
lxd/api_metrics: Support target
doc/rest-api: Refresh swagger YAML
lxd/certificates: Fix token generation over HTTPS
lxd/cgroup: Fix bad cpuset check
lxc/cluster_group: Update long descriptions
i18n: Update translation templates
lxd/device/nic/routed: Comment ending
lxd/device/nic/routed: Moves parent and vlan check to validation
lxd/device/nic/routed: Remove feature check of liblxc as no longer depends on it
lxd/device/nic/routed: Adds d.effectiveParentName to cache result from network.GetHostDevice
lxd/device/nic/routed: Fixes bug where if vlan effective interface didn't exist start would fail
lxd/device/nic/routed: Align with macvlan logic for setting up vlan interface
lxd/device/nic/routed: Delete created VLAN device on start failure
lxd/device/nic/routed: Use d.effectiveParentName for consistent in postStop
lxd/device/nic/routed: Adds missing comment to checkIPAvailability
lxd/device/device/utils/network: Sets ARP probe timeout based on context deadline in isIPAvailable
lxd/device/device/utils/network: Removes use of unnecessary go routines in isIPAvailable
lxd/device/device/utils/network: Change isIPAvailable signature to return bool for found and separate probe errors
lxd/device/nic/routed: Updates checkIPAvailability to use updated isIPAvailable
test: Adds test for routed vlan without parent
test: Adds routed NIC test for VLAN parent interface creation
doc/metrics: use secp384r1 curve with SHA384 signature
lxd/device/nic/routed: Adds ipv{n}.neighbor_probe option
doc: Adds routed NIC ipv{n}.neighbor_probe setting
lxd/device/nic/bridged: Update setupHostFilters to return a reverter
lxd/device/nic/bridged: Only call d.removeFilters in postStop if filtering enabled
api: Adds instance_nic_routed_neighbor_probe extension
test: Adds tests for routed NIC IP available detection
test: Fix incorrect command in clustering_failure_domains
test: Fix profile leak
lxd/instance/qemu: Allow live update of cluster.evacuate
lxd/certificates: Better handle authentication
lxd/db/node: Adds ClusterRoleEventHub constant and ID entry
lxd/db/node: Removes unused functions RemoveNodeRole and CreateNodeRole
lxd/db/node: Changes Roles field type to []ClusterRole in NodeInfo struct
lxd/db/node: Error formatting
lxd/cluster/heartbeat: Adds supplementary non-database member role info to heartbeat
lxd/cluster/events: Populate heartbeat member roles from DB in EventsUpdateListeners
lxd/cluster/events: Adds eventHubMinHosts constant
lxd/cluster/events: Adds EventMode type and constants
lxd/cluster/events: Adds ServerEventMode function
lxd/cluster/events: Adds RoleInSlice function
lxd/cluster/events: Updates EventsUpdateListeners to only connect to event-hub servers
lxd/cluster/events: Rework listener connect notification to support hub addresses
lxd/cluster/events: Store remote event listener client in eventListenerClient type.
lxd/cluster/events: Use localAddress rather than networkAddress var name
lxd/cluster/events: Adds SetEventMode to eventListenerClient
lxd/cluster/events: Ensure logging inside EventsUpdateListeners is done outside of listenersLock lock
lxd/cluster/events: Log an error when there are no active cluster event listeners
lxd/cluster/events: Adds EventHubPush function
lxd/events/events: Adds InjectFunc type
lxd/cluster/events: EventsUpdateListeners InjectFunc usage
lxd/events/events: Renames Forward to Inject to better reflect what it does
lxd/events/events: Adds NotifyFunc support
lxd/events/events: Adds ability to exclude events from certain locations from being broadcasted
lxd/api/cluster: Trigger notify heartbeat on event-hub member change in updateClusterNode
lxd/cluster/membership: state.Events.Inject usage
lxd/daemon: d.events.Inject usage
lxd/daemon: Wires up cluster.EventHubPush to events.NewServer notify handler
lxd-agent/daemon: events.NewServer usage
lxd-agent/events: d.events.AddListener excludeSources usage
lxd/events: Adds support for receiving events from cluster members in eventsSocket
shared/api/server: Adds ServerEventMode to ServerEnvironment
lxd/api/1.0: Populates ServerEventMode in server environment struct
api: Adds event_hub API extension
doc/rest-api: Refresh swagger YAML
lxd/cluster/events: Move state update in EventsUpdateListeners to end
lxd/cluster/events: log No active cluster event listeners
test: Updates clustering events tests to with event-hub support
test: Fix clustering_handover test to not expect a certain member promotion order
shared/validate: Moves ValidHostname to validate package.
shared/validate: Adds IsDeviceName, refactoring logic from IsHostname.
lxd/device: Ensures device names are valid when validating config and instantiating.
shared/idmap: Add SysProcIDMap functions
lxd/storage: Sync before snapshotting
lxd/main_forkfile: Replace with SFTP server
lxd-agent: Replace file API with SFTP
gomod: Add pkg/sftp
lxd/instance: Add FileSocket to the interface
lxd/instance/lxc: Implement FileSocket
lxd/instance/qemu: Implement FileSocket
lxd/instance: Add FileSFTP to the interface
lxd/instance/lxc: Implement FileSFTP
lxd/instance/qemu: Implement FileSFTP
lxd/instance: Remove FilePull
lxd/instance: Remove FileRemove
lxd/instance: Remove FileExists
lxd/instance: Remove FilePush
lxd/instance/lxc: Port to using FileSFTP
lxd/instance_file: Port to SFTP
gomod: Update dependencies
shared/util: IsTrue description
shared/util: Adds IsTrueOrEmpty function
shared/util: IsFalse description
shared/util: Adds IsFalseOrEmpty function
lxd/device/nic/routed: shared.IsTrueOrEmpty usage
lxd/device/disk: Use shared.IsTrueOrEmpty and shared.IsFalseOrEmpty
lxd/device/disk: Replace use of !shared.IsTrue with shared.IsFalseOrEmpty for security.shifted
lxd/device/gpu: Replace !shared.IsTrue shared.IsFalseOrEmpty for nvidia.runtime
lxd/device/nic: Replace !shared.IsTrue with IsFalse or IsFalseOrEmpty
lxd/device/proxy: Replace !shared.IsTrue with shared.IsFalseOrEmpty
lxd/storage: Adds allowInconsistent to pool interface RefreshInstance signature.
lxd: Passes allowInconsistent from instanceCreateAsCopyOpts into pool.RefreshInstance.
lxd/storage: Uses allowInconsistent in call to MigrateInstance on refresh.
lxd/storage/filesystem: Add SyncFS
lxd/storage: Use filesystem.Syncfs
lxd/storage/drivers: Replace !shared.IsTrue with shared.IsFalse for rsync.compression option
lxd/storage/drivers/driver/ceph: Replace !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
lxd/storage/drivers/driver/lvm: Replaces !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
lxd/storage/drivers/driver/zfs/volumes: Replace !shared.IsTrue with shared.IsFalse for zfs.clone_copy
lxd/storage/drivers/zfs: Replace !shared.IsTrue with shared.IsFalse or shared.IsFalseOrEmpty
lxd/api/cluster: Replace !shared.IsTrue with shared.IsFalseOrEmpty for features.networks
lxd/api/project: Replace !shared.IsTrue with shared.IsFalse for features.profiles
lxd/devlxd: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.devlxd.images
lxd/instance: Replace shared.IsTrue with shared.IsFalseOrEmpty for snapshots.schedule.stopped
lxd/patches: Replace !shared.IsTrue with shared.IsFalse
lxd/apparmor/instance: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.privileged
lxd/instance/drivers/driver/lxc: Replace !shared.IsTrue with !shared.IsFalseOrEmpty for security.idmap.isolated
lxd/instance/drivers/driver/lxc: Replace !shared.IsTrue with shared.IsFalse for limits.memory.swap
lxd/dnsmasq/dhcpalloc: Replaces !shared.IsTrue with shared.IsFalseOrEmpty for ipv6.dhcp.stateful
lxd/instance/drivers/driver/qemu: Replaces !shared.IsTrue with shared.IsFalseOrEmpty for migration.stateful
lxd/instance/instance/utils: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.privileged
lxd/networ/driver: Replace !shared.IsTrue with shared.IsFalseOrEmpty for ipv{n}.nat
lxd/network/driver/bridge: Replace !shared.IsTrue with shared.IsFalseOrEmpty ipv6.dhcp.stateful
lxd/network/driver/ovn: Replace !shared.IsTrue with shared.IsFalseOrEmpty for restricted option for projects
lxd/network/driver/ovn: Replace !shared.IsTrue with IsFalse for ipv{n}.dhcp
lxd/network/driver/physical: Replace !shared.IsTrue with shared.IsFalseOrempty for volatile.last_state.created
lxd/network/zone: Replace shared.IsTrue usage for NAT logic
lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalse for features.images
lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalseOrEmpty for security.idmap.isolated
lxd/project/permissions: Replace !shared.IsTrue with shared.IsFalseOrEmpty for restricted
lxd/seccomp: Replace !shared.IsTrue with shared.IsFalseOrEmpty for syscall interception settings
lxd/instance/drivers/driver/qemu: Replace !shared.IsFalse with shared.IsTrueOrEmpty for security.secureboot
test: Adds check for negated shared.Is(True|False)*() function calls
test: Exclude .git dir from static grep checks
test: Removes reference to non-existent package shared/subtest
lxd/db/generate: Fix bad loop logic
lxd/instance/lxc: Use contextual logger in Metrics
doc: add Open Graph metadata
doc: use bugfix for Open Graph Sphinx extension
lxd/storage: Moves PathNameEncode and PathNameDecode to filesystem package
lxd/storage/drivers/driver/btrfs/volumes: filesystem.PathNameEncode usage
lxd/device: filesystem.PathNameEncode and filesystem.PathNameDecode usage
lxd/dnsmasq/dnsmasq: Update dnsMasqEntryFileName to use storageDrivers.PathNameEncode to escape device name
lxd/device/device/load: Update New to return device even if name validation fails
shared/validate/validate: Relax IsDeviceName checks
test: Adds missing device name validation tests
doc: fix Open Graph version
lxd/dnsmasq: Adds staticAllocationDeviceSeparator const
lxd/dnsmasq: Renames dnsMasqEntryFileName to StaticAllocationFileName
lxd/dnsmasq: StaticAllocationFileName usage
lxd/dnsmasq: StaticAllocationFileName test
lxd/dnsmasq: Removes Name and Static field and replaces with StaticFileName field
lxd/dnsmasq: Updates DHCPStaticAllocation to just accept a deviceStaticFileName
lxd/dnsmasq: Update DHCPAllAllocations to use StaticFileName field
lxd/dnsmasq: DHCPStaticAllocation usage
lxd/dnsmasq/dhcpalloc: Updates getDHCPFreeIPv4 and getDHCPFreeIPv6 to accept deviceStaticFileName argument
lxd/network/network/utils: dnsmasq.DHCPStaticAllocation updated usage with deviceStaticFileName
lxd/device/nic/bridged: dnsmasq.DHCPStaticAllocation updated usage with deviceStaticFileName
lxd/apparmor: AppArmor support for extractors
lxd/archive: Add archive package
shared/subprocess: Support for file descriptors
lxd/backup: AppArmor support for extractors
lxd: AppArmor support for extractors
lxd/storage/drivers: AppArmor support for extractors
lxd/storage: AppArmor support for extractors
shared: Move Unpack to lxd/archive
lxd/db/warnings/types: Removes unused WarningTypes and population code
lxd/warnings: Renames ResolveWarningsOlderThan to ResolveWarningsByLocalNodeOlderThan
lxd/daemon: warnings.ResolveWarningsByLocalNodeOlderThan usage
lxd/warnings: Fix entityID logic bugs in resolve and delete functions
shared: Adds agent.rename_interfaces config key for VMs.
lxd/device/config: Adds NicConfig struct for passing data into VM.
lxd/device/bridged: Returns interface MTU as part of run configuration.
lxd/instance/drivers: Writes nic data to VM config share.
lxd-agent: Reads nic configuration and applies it at startup.
doc: Adds agent.rename_interfaces config key.
api: Adds agent_rename_interfaces extension.
lxd/db/query/dump: Add context param to query.Dump
lxd/db/query/transaction: Add TransactionCtx
doc: fix the footer
lxd/device/config/device/runconfig: Long form import
lxd/device/config/device/runconfig: Adds NICConfigDir constant
lxd/device/config/device/runconfig: Adds DeviceName and NICName to NICConfig struct
lxd-agent/network: Updates NIC config parsing to use map of deviceConfig.NICConfig
lxd/instance/drivers/driver/qemu: deviceConfig.NICConfigDir usage
doc: Fix cert pathing in metrics.md
lxd/instance/drivers/driver/qemu: Escape the NIC device name in QEMU config with filesystem.PathNameEncode
lxd/instance/drivers/driver/qemu: Use proper quoting in error from addNetDevConfig
lxd/instance/drivers/driver/qemu: Removes device name used as nic name in addNetDevConfig
lxd/instance/drivers/driver/qemu: Reworks writeNICDevConfig
lxd/device/device/utils/network: Reworks networkCreateVethPair and networkCreateTap to return MTU value used
lxd/device/nic/bridged: networkCreateVethPair and networkCreateTap usage
lxd/device/nic/ovn: networkCreateVethPair and networkCreateTap usage
lxd/device/nic/p2p: networkCreateVethPair and networkCreateTap usage
lxd/device/nic/routed: networkCreateVethPair and networkCreateTap usage
lxd/device/nic/routed: Adds missing name property for VM device
lxd/device/nic/routed: Make routed NIC hotpluggable
lxd/device/nic/macvlan: Adds support for mtu applying via lxd-agent in VMs
test: Work around very intermittent ip: RTNETLINK answers: File exists error
api: Renames agent_rename_interfaces to agent_nic_config
lxd: Rename agent.rename_interfaces to agent.nic_config
doc/instances: Removes trailing whitespace
lxd/util/sys: Move RuntimeLiblxcVersionAtLeast to instance package
lxd/util/sys: Move GetIdmapSet to shared/idmap
lxd/db/generate: Add leftjoin support
lxd/db/generate: Adds coalesce support for joined fields
lxd/db/generate: Removes white space
lxd/db/generate/db/mapping: Adds WarningStatus and WarningType to column types
lxd/db/generate/db/stmt: Update filter generation to use []string for where statement
lxd/db/generate/db/stmt: Ensure coalesced fields are fitered on their coalesced value
lxd/db/warnings: Uses DB generator for warnings functions
lxd: tx.GetWarnings usage
lxd/instance/drivers/driver/common: tx.DeleteWarnings usage
lxd/db/warnings: Avoid duplication results in UpsertWarning
lxd/instance/qemu: Properly wrap error
lxd/instance: Introduce Info.Features
lxd/instance/qemu: Add checkFeature
lxd/instance/qemu: Detect and use io_uring
lxd/instance/drivers/driver/lxc: Remove duplicate import of github.com/lxc/lxd/lxd/storage
lxd/instance/test: Fix inconsistent import name of github.com/lxc/lxd/lxd/storage
shared/api/storage/pool: Adds StoragePoolStatusUnvailable constant
lxd/db/warnings/types: Adds WarningStoragePoolUnvailable, description and severity
lxd/storage: Update setupStorageDriver to retry initializing failed pools
lxd/storage/pool/interface: Adds ToAPI
lxd/storage/backend/mock: Implements ToAPI
lxd/storage/backend/lxd: Implements ToAPI
lxd/storage/backend/lxd: Adds unavailablePools variable and maintains via Mount function result
lxd/storage/backend/lxd: Description typo for GetVolume
lxd/storage/backend/lxd: Update LocalStatus to return StoragePoolStatusUnvailable if not initialised locally
lxd/storage/pools: Switch to loading pool and using the ToAPI and LocalStatus functions
lxc/storage: Add STATE column output even in non-clustered environment
lxd/storage/backend/lxd: Adds isStatusReady function to check if pool is ready for use
lxd/storage/backend/lxd: Delete persistent warnings on pool delete
lxd/storage/load: Adds Patch function
lxd/patches: Updates patchGenericStorage to call storagePools.Patch()
lxd/storage/utils: Adds logging to ImageUnpack
lxd/apparmor/archive: Adds additional permissions for unsquashfs to apparmor profile
lxd/archive/archive: Don't use supplementary unpacker command
lxd/archive/archive: Better return structure (golint)
lxd/archive: Improve error and logging in Unpack
lxd/instance/drivers/driver/qemu: Fix VM support detection regression
lxd/instance/qemu: Fix incorrect comment
lxd/instance/qemu: Disable io_uring on loop pools
lxd/instance/qemu: io_uring naming consistency
lxd/apparmor: Allow rw remount of /run
Add the Grafana dashboard (15726)
shared/tcp/tcp/timeouts: Adds tcp package with functions for setting timeouts
lxd: github.com/lxc/lxd/shared/tcp usage
lxd/util/net: Removes TCP timeout functions
test: Wait longer for second node to be demoted
lxd/network/driver/common: Fix typos in errors
lxc/storage_volume: Fix list of default columns
i18n: Update translation templates
lxd/warnings: Removes unused functions
lxd/network/driver/bridge: As network ID is globally unique, delete warnings by ID on delete
lxd/networks: Removes duplicated warnings delete call
lxd/network/driver/bridge: Don't refresh BGP prefixes during forward update
lxd/bgp: Fix RemovePrefixByOwner when multiple matches
doc: whitespace changes
doc: moving content
shared/tcp/tcp/timeouts: Adds support for using net.TCPConn directly with ExtractConn
client/lxd: Adds setURLQueryAttributes function
lxd/instance/drivers/driver/qemu: Close connection on client error in FileSFTP
lxd/instance/drivers/driver/lxc: Close connection on client error in FileSFTP
Replace github.com/pkg/errors with fmt and errors
Replace errors.Unwrap() with errors.Is()
Use %w in fmt.Errorf to wrap errors
gomod: Update dependencies
i18n: Update translation templates
test: Update godeps.list
lxd/db/query: Fix IsRetriableError
doc: add some headings
lxd/instance/sftp: Adds /1.0/instances//sftp handler
client/interfaces: Adds GetInstanceFileSFTP and GetInstanceFileSFTPConn to InstanceServer
client/lxd/instances: Adds SFTP support to ProtocolLXD
lxc/file: Adds mount command
test/godeps.list: Updates godeps
i18n: Update translation templates
doc/rest-api: Refresh swagger YAML
lxd/device/disk: Store the storage pool inside device to avoid repeated DB queries
lxd/device/disk: Return VM mount directio and loop backed options
lxd/instance/drivers/driver/qemu: Detect io_uring support for root and custom block volumes
doc: update Network ACLs documentation
doc: add required links
doc: whitespace changes
doc: move content
doc: add some headings
doc: update network forwards documentation
lxd/task/group: Clarify message about tasks still running
lxd/daemon: Error not checked from ResolveWarningsByLocalNodeOlderThan
lxd/device/disk: Remove duplicated import
lxd/storage/backend/lxd: Don't try mounting volumes if pool not available
lxd/storage: Add and use error ErrPoolUnavailable
lxd/instance/drivers: Moves shared storagePool var into common
lxd/storage/load: Adds UnavailablePools function
lxd/storage: Update setupStorageDriver to call instancesStart when pool is subsequently initialised
lxd/instances: Updates instancesStart to check disk pools are available
lxd/instance/drivers/driver/qemu: Improve secureboot needs to be disabled error
lxc/file: Adds support for setting up local SFTP server for mount command
i18n: Update translation templates
lxd/device/disk: Detect disk pool VM mount options using single call to os.Stat
lxd/network/openvswitch/ovn: Update LogicalRouterRoutes to support recent versions of ovn
seccomp: pass a pidfd to process_still_alive
lxd/apparmor/archive: Expand all paths
lxd/instance/qemu: Switch TPM mode to CRB
lxc/storage_volume: Tweak error message
lxc/storage_volume: Align info with lxc info
i18n: Update translation templates
doc/instances: Fix missing escaping
api: projects_restricted_intercept
lxd/projects: Add restricted.containers.interception
lxd/project: Add restricted.containers.intercept
doc: Add restricted.containers.interception
scripts: Add restricted.containers.interception
tests: Validate restricted.containers.interception
lxd/node: Fix typo in metrics_address description
api: metrics_authentication
lxd/cluster: Add core.metrics_authentication
lxd/metrics: Allow disabling authentication
doc/server: Add core.metrics_authentication
scripts/bash: Update completion for metrics
tests: Add test for core.metrics_authentication
lxd/device/device/utils/disk: Update DiskVMVirtiofsdStart to check sharePath is absolute
lxd/device/disk: Start virtfs-proxy-helper after virtiofsd
lxd/instance/drivers/driver/lxc: Disable idmapped mounts if LXD_SHIFTFS_DISABLE=true
lxd/instance/qemu: Disable hv_passthrough when migratable
lxd/apparmor: Attempt to deref exePath
grafana: fix project disk usage overview of the rootfs
grafana: use available bytes when computing rootfs used space
grafana: bump dashboard version
lxc/utils/sort: Move sorting helpers to utils package
lxc: Use utils package for sorting tables.
lxd/apparmor: Handle missing paths
lxd/instance/qemu: Set spawn=allow
lxd/instance_file: Add last-modified header
doc/rest-api: Refresh swagger YAML
lxd/instance_file: Fix gofmt
lxc/file: Adds --listen flag to mount command
i18n: Update translation templates
lxc/file: Check instance exists in mount SSH SFTP listener mode
test: Adds basic file mount SSH SFTP listener tests
lxd: Adds IdmappedMounts field to OS struct
lxd/db/generate/db/stmt: Add leftjoin support to naturalKeySelect
lxd/db/generate/db/stmt: Only join fields contained within natural key in naturalKeySelect
lxd/db/warnings: Use WarningExists from DB generator
lxd/device/nic: Lock concurrent access to networkSRIOVRestoreVF
lxd/device: Allow ipv{n}.address=none for managed networks.
lxd/device: Check ip{n}.address != none before allocating.
tests: Check that all protocols are blocked when ipv{n}.address=none
lxd/storage/drivers/generic/vfs: Pass --numeric-owner to tar unpack command
tests: Fix ordering in bridge filtering test
i18n: Update translations from weblate
gomod: Update dependencies
i18n: Update translations from weblate

試用環境 ¶

この新しい LXD リリースは私たちのデモサービスで利用できます。

ダウンロード ¶

このリリースの tarball はダウンロードページから取得できます。

ビルド済みバイナリーは次のように使えます:

Linux: snap install lxd
MacOS: brew install lxc
Windows: choco install lxc

Contents

LXD 4.24 リリースのお知らせ

LXD 4.24 リリースのお知らせ¶