Weekly status #334

Weekly status for the week of 5th February to 11th February.

Introduction

As we prepare for the next LXD LTS release, the LXD snap has seen a lot of work over the last week.
In addition, we continue to improve and evolve our Identity Access Management functionality, with the encryption of OIDC client cookies and the removal of Canonical Candid RBAC support.

LXD

QEMU now built from Ubuntu source in LXD snap

Previously the LXD snap has provided QEMU built from upstream sources. Now the LXD snap is distributing QEMU built from Ubuntu’s QEMU sources. This is so LXD can benefit from patches that the Ubuntu Server team add to QEMU.

MicroOVN content interface now supported by LXD snap

The LXD snap can now detect when the MicroOVN snap is installed or removed and dynamically reconfigure itself as needed. Previously LXD needed to be restarted to pick up this change and this caused some confusion if LXD was installed and started before MicroOVN was installed.

LXD UI enabled by default in LXD snap

The LXD UI is now enabled by default in the LXD snap, although the external listener must still be enabled explicitly by setting core.https_address. See https://documentation.ubuntu.com/lxd/en/latest/howto/access_ui/#how-to-access-the-lxd-web-ui for more information.

MinIO server is removed from LXD snap

As MinIO is AGPL-3.0 licensed, it is not always appropriate for it to be included in the LXD snap package, so it has now been removed. However, externally provided minio server and mc client binaries can still be used with the LXD snap for local storage buckets by setting the minio.path setting, e.g.

sudo snap set lxd minio.path=/usr/sbin
sudo systemctl reload snap.lxd.daemon

Documentation: Install requirements for local storage buckets

Encrypted OIDC cookies

When using OIDC authentication mode, the cookies stored on the remote clients are now encrypted.
Existing authenticated clients will therefore be logged out and must re-authenticate.

Removed Candid RBAC authentication support

Support for Canonical’s Candid RBAC service has been removed as it is in the process of being deprecated. LXD still supports external OIDC and TLS certificates for authentication.

Minimum Go version to build LXD raised to 1.21

We have increased the minimum supported Go version that is needed to compile LXD to Go 1.21.
This is to allow us to keep our external dependencies up to date.

Bug fixes:

  • Database patch to remove block.* filesystem related settings from LVM and Ceph RBD backed block volumes.
  • Do not check for size.state during live migration if the VM is backed by shared storage. As VMs being live migrated on shared storage pools don’t need to store a temporary state file, there was no need for size.state to be set on the instance’s root disk.
  • Fix regression in simplestreams parser when parsing indexes that contain both combined and non-combined variants.
  • Fixed regression in the TLS driver, which now returns a false permission checker when the client is restricted.

All changes

The items listed below are all of the work which happened over the past week and which will be included in the next release.

LXD

LXD Charm

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week.

Snap

LXD snap
