Release of container management tools LXC 6.0, Incus 6.0 and LXD 5.21.1

The Linux Containers community has released LXC 6.0, a toolkit for managing isolated containers. It provides a runtime that can run both system containers with a full OS environment, similar to virtual machines, and unprivileged application containers (OCI). LXC is a low-level toolkit that operates at the level of a single container; centralized management of containers across a cluster of servers is provided by Incus and LXD, which are built on top of LXC. LXC 6.0 is a long-term support (LTS) release and will receive updates for five years (until 2029). LXC is written in C and licensed under the LGPLv2.1 (some of the utilities are GPLv2).

LXC includes the liblxc library, a set of command-line utilities (lxc-create, lxc-start, lxc-stop, lxc-ls, etc.), templates for building containers, and bindings for several programming languages. Isolation relies entirely on standard kernel mechanisms: Linux namespaces isolate processes (PID), the network stack, IPC, UTS (hostname), user IDs and mount points; cgroups limit resource consumption; AppArmor and SELinux profiles, seccomp policies, chroots (pivot_root) and capability dropping reduce privileges and restrict access.
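The mechanisms listed above map directly onto keys in an LXC container configuration. The following is an added example, not code from the LXC project or from the article: a POSIX shell script that emits a minimal unprivileged container config wiring each of those mechanisms together (user-namespace ID mapping, a veth into lxcbr0, restricted /proc and /sys mounts, dropped capabilities, AppArmor and seccomp profiles, cgroup limits), plus a helper that checks an ID mapping against /etc/subuid-style allotments, since a mapping outside the user's allotment is rejected by newuidmap(1) and the container will not start. The container name, rootfs path, bridge name, the 100000-165535 host ID range and the subuid lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the LXC project or the article).
# Emits an lxc.container.conf(5) fragment for an unprivileged container and
# checks that its uid mapping fits an /etc/subuid allotment.
# Assumptions: rootfs under /var/lib/lxc/NAME/rootfs, host bridge lxcbr0,
# and host ids 100000-165535 reserved for the user in /etc/subuid and /etc/subgid.

# lxc_unpriv_config NAME -> prints the config to stdout
lxc_unpriv_config() {
    name=$1
    cat <<EOF
# UTS namespace hostname and the root filesystem LXC pivot_root()s into
lxc.uts.name = ${name}
lxc.rootfs.path = dir:/var/lib/lxc/${name}/rootfs

# User namespace: container uid/gid 0-65535 -> host 100000-165535,
# so "root" inside the container is an unprivileged id on the host
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

# Network namespace: veth pair attached to the default bridge
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up

# Mount namespace: /proc read-write but /proc/sys and /proc/sysrq-trigger
# read-only (proc:mixed), /sys read-only
lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

# Capabilities that container root never gets
lxc.cap.drop = mac_admin mac_override sys_module sys_rawio sys_time

# Mandatory access control and syscall filtering (profile shipped with LXC)
lxc.apparmor.profile = generated
lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp

# cgroup v2 resource limits
lxc.cgroup2.memory.max = 512M
lxc.cgroup2.pids.max = 256
EOF
}

# idmap_covered USER START LEN FILE -> 0 if FILE (subuid/subgid format
# "user:start:count") grants USER the whole host range [START, START+LEN).
# newuidmap(1)/newgidmap(1) refuse mappings outside this allotment, so an
# unprivileged container whose lxc.idmap does not fit fails to start.
idmap_covered() {
    awk -F: -v u="$1" -v s="$2" -v l="$3" '
        $1 == u && $2 <= s && s + l <= $2 + $3 { found = 1 }
        END { exit found ? 0 : 1 }' "$4"
}

# Usage: sh lxc-unpriv.sh NAME > /var/lib/lxc/NAME/config
if [ $# -ge 1 ]; then
    lxc_unpriv_config "$1"
fi
```

Before starting the container, run idmap_covered with the calling user, the host start ID and the length from the lxc.idmap lines against /etc/subuid (and again against /etc/subgid for the "g" line); a non-zero exit means the mapping must be adjusted rather than the allotment widened at start time.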

Major changes:

  • A single multicall executable, lxc, can now be built that bundles all the commands previously shipped as separate “lxc-*” utilities. It is enabled with the build option “tools-multicall=true”; the old per-command utilities are then installed as symbolic links to the lxc binary. Building one executable noticeably reduces the toolkit's disk footprint, which matters for embedded systems.
  • The set_timeout function has been added to liblxc, allowing a timeout to be set for any interaction with the LXC monitor process.
  • IPv6 is now enabled by default on the lxcbr0 network bridge, with addresses assigned from an IPv6 ULA (Unique Local Address) subnet.
  • lxc-usernsexec gained "-u" and "-g" options to set the user and group IDs (UID and GID) to run as.
  • lxc-checkconfig now shows the version only if the lxc-start command is present, and reports the maximum allowed number of each namespace type.
  • Added support for OCI container images that use squashfs for compression.
  • Communication with systemd over D-Bus now uses the standalone libdbus-1 library instead of libsystemd.
  • Support for the Upstart init system has been dropped.
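As an added illustration of the multicall layout described in the first item above (this is not LXC's own build system or code), the following POSIX shell script sets up a stand-in for the lxc multicall binary in a temporary directory: one dispatcher script plays the role of lxc, the lxc-* names are symlinks to it, and the command is resolved from argv[0], with "lxc <subcommand>" as the explicit form. The command names and directory layout are assumptions. The caveat it demonstrates is that argv[0] is chosen by whoever calls exec(), so a multicall dispatcher must reject names it does not recognise rather than fall back to a default command.

```shell
#!/bin/sh
# Added example (not LXC's own code): a stand-in for the multicall layout that
# building with tools-multicall=true produces. All names and paths are
# assumptions; everything lives in a temporary directory.

# build_multicall_tree DIR -> creates DIR/lxc and DIR/lxc-* symlinks to it
build_multicall_tree() {
    dir=$1
    mkdir -p "$dir"
    # The "binary": resolves the command from its own argv[0] ($0 here).
    # argv[0] is caller-controlled, so unknown names are refused, not guessed.
    cat >"$dir/lxc" <<'EOF'
#!/bin/sh
base=${0##*/}
case "$base" in
    lxc-?*) cmd=${base#lxc-} ;;     # invoked through a symlink: lxc-start, ...
    lxc)    cmd=${1:-} ;;           # invoked directly: lxc start ...
    *)      echo "refusing unknown program name: $base" >&2; exit 1 ;;
esac
case "$cmd" in
    start|stop|ls|create|info) echo "$cmd" ;;
    *) echo "unknown command: $cmd" >&2; exit 1 ;;
esac
EOF
    chmod 755 "$dir/lxc"
    for c in start stop ls create info; do
        ln -sf lxc "$dir/lxc-$c"    # one binary, many names
    done
}

# resolve DIR NAME [ARGS...] -> prints the command DIR/NAME resolves to.
# Invoked via sh so $0 is the symlink path and the demo works on noexec /tmp.
resolve() {
    dir=$1; name=$2; shift 2
    sh "$dir/$name" "$@"
}

# Stand-alone usage: build the tree and show how each name resolves
d=$(mktemp -d)
build_multicall_tree "$d"
echo "lxc-start resolves to: $(resolve "$d" lxc-start)"
echo "lxc ls resolves to:    $(resolve "$d" lxc ls)"
rm -rf "$d"
```

The two failure paths matter more than the happy path: a copy of the binary under a name that is not lxc or lxc-* is refused outright, and an lxc-* name whose suffix is not a known command (for example a stray symlink) fails instead of running something else.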

Alongside it, the Linux Containers community has published Incus 6.0. Incus is a fork of the LXD container management system, maintained by the team that originally created LXD. It is written in Go and licensed under Apache 2.0. Incus 6.0 is positioned as the first stable branch and will be supported under a long-term support (LTS) cycle. Key changes in Incus 6.0 include the ability to create network interfaces through the bridge.external_interfaces option, improved JWT (JSON Web Token) authentication support, USB support, and detailed hardware information via the "incus info --resources" command. The lxd-to-incus migration tool now also supports the LXD 5.21 release.

Incus and LXD provide centralized management of containers and virtual machines, both on a single host and across a cluster of servers. Each is implemented as a daemon that accepts requests over a REST API and supports multiple storage backends (directory tree, ZFS, Btrfs, LVM), snapshots including the running state, live migration of running containers between machines, and a container image store. LXC is used as the runtime for launching containers, so isolation relies on the same native Linux kernel mechanisms (namespaces, cgroups, AppArmor, SELinux, seccomp).

The Linux Containers community oversaw LXD's development until Canonical decided to turn LXD into an enterprise project. The goal of the fork is to provide an independent, community-driven alternative to the Canonical-controlled LXD. Creating Incus also made it possible to fix some design flaws accumulated during LXD's development that could not previously be addressed without breaking backward compatibility.

Canonical has published LXD 5.21.1, a new version of its container management system. The LXD 5.21 branch is an LTS branch and will be supported until June 2029. Code contributed to LXD by Canonical employees is licensed under AGPLv3, while third-party code to which Canonical holds no rights remains under Apache 2.0. Functional changes in LXD 5.21.1 include switching the snap package to the LXC 6.0 and LXCFS 6.0 branches. The storage_volumes_all API extension and the associated /1.0/storage_volumes endpoint have been added to list all storage volumes, and the instances_files_modify_permissions extension allows changing the permissions of existing files through the API.

LXCFS 6.0 has also been released. LXCFS is a virtual file system used to emulate the /proc and /sys pseudo-filesystems inside containers and to provide a virtualized view of cgroupfs on distributions without cgroup namespace support. The new version adds an "--enable-cgroup" option that controls whether the built-in cgroupfs virtual tree is provided to containers using cgroup v1; since most distributions now rely on kernel-provided cgroup namespaces, enabling the built-in alternative by default no longer makes sense, so it is now opt-in. In addition, LXCFS 6.0 no longer filters CPUs by their online/offline state when generating /sys/devices/system/cpu.

Source: opennet.ru
