A year of LXD development

Video in TIB AV-Portal: A year of LXD development

Formal Metadata

A year of LXD development
Project update on what happened in LXC/LXD in 2018
Title of Series
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Over 2018, LXD's userbase grew significantly, partly thanks to it shipping on all Chromebooks. But other than merely getting more users, we've still been very hard at work introducing a number of exciting new features. The main one of those has certainly been LXD clustering which released alongside our second LTS release back in April. We've also been adding a wide variety of storage related features, simplified networking, better support for GPUs, ... In this presentation, we'll go over the past year and highlight the most interesting changes, then look a bit further for what to expect in 2019.
Personal digital assistant Canonical ensemble Software developer Projective plane
Laptop State transition system Group action View (database) Multiplication sign 1 (number) Virtual machine Set (mathematics) Drop (liquid) 2 (number) Software bug Workload Visualization (computer graphics) Operating system Energy level Extension (kinesiology) Information security God Physical system Computer architecture Default (computer science) State transition system Multiplication Namespace Keyboard shortcut Projective plane Interactive television Bit Cartesian coordinate system Scalability Entire function 10 (number) Type theory Data management Commitment scheme Freeware Library (computing)
Ocean current Default (computer science) Graphics processing unit Server (computing) Virtual machine Set (mathematics) Volume (thermodynamics) Bit Directory service Radical (chemistry) Medical imaging Graphical user interface Arithmetic progression Sinc function Library (computing) Physical system
Mobile app Server (computing) INTEGRAL Electronic mailing list Cartesian coordinate system Radical (chemistry) Graphical user interface Befehlsprozessor Software Personal digital assistant Line integral Right angle Game theory
Gateway (telecommunications) Cluster sampling Common Language Infrastructure Presentation of a group Injektivität Range (statistics) Front and back ends Software bug Medical imaging Direct numerical simulation Human migration Different (Kate Ryan album) Single-precision floating-point format Core dump Videoconferencing Local ring Information security Physical system Public key certificate Namespace Keyboard shortcut Bit 10 (number) Hand fan Internet service provider Pattern language Spacetime Point (geometry) Socket-Schnittstelle Proxy server Computer file Disintegration Computer-generated imagery Device driver Data storage device Canonical ensemble Event horizon Product (business) Bridging (networking) Backup Address space Computer architecture Authentication Default (computer science) Key (cryptography) Run time (program lifecycle phase) Weight Counting Volume (thermodynamics) System call Elliptic curve Software Query language Personal digital assistant Network topology HTTP cookie Table (information) Library (computing) Digital electronics Run time (program lifecycle phase) INTEGRAL Multiplication sign View (database) 1 (number) Combinational logic Set (mathematics) Mereology Public key certificate IP address Web 2.0 Network socket Query language File system Flag UDP <Protokoll> Injektivität Overlay-Netz Email Electric generator Data storage device Type theory Auditory masking Direct numerical simulation MiniDisc Normal (geometry) Configuration space Right angle Block (periodic table) Volume Row (database) Asynchronous Transfer Mode Laptop Server (computing) Statistics Game controller Backup Service (economics) Authentication Gene cluster Virtual machine Hand fan Metadata Theory 2 (number) Revision control Workload Flow separation Root Gastropod shell Proxy server Domain name Multiplication Projective plane Database Human migration Single-precision floating-point format Subject indexing Particle system Logic Password Key (cryptography) Fiber bundle Communications protocol Address space
Point cloud
okay but the next speaker is myself so hi I'm Stefan crapper I work at canonical on containers I'm the Alexi and XT project leader and today I'm going to be going through a year of obscene development on next day and it's been a busy year so just briefly in case
someone doesn't know what XD is next is a container manager but it's a system container manager so we don't really run the your usual docker type workload we do run an entire operating system so think of it more like a virtual machine it's designed to be very simple both on the CLI and our a PI it's God we try to also make that demonology and everything reasonably clear it's very fast there's no VM or anything involved it is very safe because we use just about everything every security feature you can think in a camel plus the ones we've implemented in camel so that means all of our containers views to use a namespace by default the you second the user Palmer they use the drop capabilities pretty much anything can think of we've got it and it's very scalable it works on a single laptop just fine you can run multiple systems and interact with them over the network or if you want to go even further you can start and cluster them and then runs like tens of thousands of containers or again start what legs do isn't well I kind of went through that already but it's not as if the transition technology we only use containers and namespaces in camera so it runs on every architecture it's very fast runs inside VMs like it's company know something you know what eyes it is also not a fork of Alexi we are the same project just Alex Eve has been around for the decade it's written in C it's a low-level C library to interact with the camera with a set of tools Lex T is one of one level up it uses alexis through a co binding and drives it that way it's it lets us like that's why we couldn't provide some of the more modern interactions and use go to make things simpler for us ourselves while still keeping lib LXE in sea as the new level interaction with a linux camera because the only one who's been doing it didn't go interacting with namespaces from NGO is not very fun C works way better and as I said we don't read you an application containers if you want to run application containers that's perfectly fine you can run docker inside lxd container we do nesting just fine that works now as for the actual what my talk where we look through a year of containers what a flex day so we kind of the highlights for this year it was a second LTS release for synergize for this means we tagged something so we did two or three years back with its three or this year and then we will support it with bug fix and security only for five years so thanks this trio has been released in April it has a kind of just release we've done three bug-fix releases on top of it so far we do back port most of our bug fixes on to that release and we do have a five years commitments to bug fixes and security updates on that we've also done ten feature releases we are effectively on a monthly release cadence fall XD so we did miss two as we can tell that was because when we took us a while to do this trio I mean the LTS took us a later one so we were hoping to be able to do the 80s on the side and but that didn't work out so we had ended up not releasing and I think it was February and March as we skipped and we've done as a luminous free LTS bug-fix releases now there's another thing that's kind of exciting happened
this year it was a bit of a surprise some extent Chromebooks Ultron books ship we flex D now so our user base grew quite a bit thanks to dance that happens late September it is advertised as crostini or Linux apps on Chromebooks when you use that feature it can looks like that the first time you
use it it installs the next just was kind of funny considering you're already on a Linux machine but anyway and what if they're not then you effectively can
install so you get a terminal you can play with the terminal you can install packages inside it but if you know how to get to it you can also drop into next day and you can see that there's one container running which is called penguin that's the default they've been container that friends on the Chromebooks it's got a special set of libraries and hooks and pass-through set up so that it can reach your graphical server and can render very easily there are some things are still being worked on current walking progress on their side is USB pass-through GPU pass-through and sound those things will be coming they are all supported by lxd they just not available right now from books because other than evidence of safety the way those containers work on Chromebooks is actually by first running a virtual machine and then inside a virtual machine running Lexi before all your containers so every users got a virtual machine and then you can have as many containers you want inside there which makes things a bit trickier because what we can share a GPU very easily on the system directory they first now need to share the GPU with the VM which is pretty tricky and then we can get it from inside the container but it's coming so here you can see I've been spooning a bunch of containers what did I do okay did yeah but different distros to just show that you can use our normal images you can run whatever containers you want on your Chromebook it's all persistent it all works well uses bearer FS as its storage so if you copy stuff which is a sub volume since we're gonna be quick and as I mentioned you even have GUI access
so in this case what I did is I just in the terminal that comes when you enable Linux apps in your Chromebook are installed frozen bubble and then you can just go into the app launcher on your Chromebook like you don't have to do it from the CLO anything you go into the app launcher and alongside chrome sheets slides whatever you've got in there you're gonna see frozen bubble because it actually pulls the list of applications and packages that are installed in your container and they show up in your own shop you click on it and it's spawned and in spoon inside your container and shows up on your graphical server so it's printed integration really looking forward to seeing them land more complex integration as I mentioned GPU USB and sound are gonna be pretty neat because people wants to run steam inside that and so far it does longer if the game is 2d and your CPU is beefy enough to run GL and software but it's gonna be much better once we get trippy or pass
through on those Chromebooks all right
so let's D itself 303 was pretty busy so kind of the highlights there clustering we presented that last year at first then it wasn't not yet we merged it a few weeks afterwards so you can take a bunch of legacy servers when you do the initial configuration still XD in it it asks you it I want to set up a cluster you say yes and then it pretty much works as usual and all other systems or they I've got to do is say I would like to join the cluster enter the IP address and now you've got to bigger and bigger and video XD CLI API everything works the same way when you spawn your containers they get balanced unless you tell us what you want them so that's that's was a big piece of work that's been working pretty well with the annoying a bunch of bug fixes on it obviously but we've got people running tens of thousands of containers on clusters and books just fine other new feature was also something a business that first time last year next EP to save just physical to container importer so it's truly run inside an existing system and that sucks it up and sends it to Lake State to run inside the container so that tool was released as part of shrio we also did nvidia runtime integration so that's passing through your cuda libraries you nvidia driver and a bunch of that stuff for containers that want to do deep learning and AI type workloads we added support for hot-plug of UNIX character and of devices so effectively with that you can say hey I want this old port to go into that container and even if it's not there when you start the container when you plug it in it's just gonna detect the U of n from you dev and then pass it to the container I did some more logic for storage volumes for community new copy storage volumes across the network as well and we added a new device as a proxy device it effectively lets you say that you want TCP port whatever on one of the hosts IP to be for this - whatever in the container and it's supposed different modes like it will do it will do IP tables or it will do some fancy or internal proxying we do so you can even forward between UDP and TCP and between UNIX socket and TCP you with support a lot of weird combinations I'm gonna go pretty quick with with as I said within 10 releases so I've got about a minute per release the next one was a lot less busy as it turns out when you only spend a month on one set of three months there's less stuff so we added backup support that that's used through the API or here I export a container as a table or either just like a simple table or of the root file system or an optimized version which includes like a binary blob of the storage Drive a you're using so if using bharata's of ZFS you can get at optimized blob which makes it much faster to re-import and also will save you space because it bundles like would a snapshot in all the metadata I'm excited we've added automatic fan networking for clusters so that's effectively as overlay network that exists on a burn - if you enable clustering and you don't have physical network that's shared between your containers it will use that so that you get to the same network and you don't we had issue with like a container on one machine another one began now I'm going to this tree to continue our migration between storage pools so we did custom volumes two races before that but we still a bit of a big gap we're like containers could not be moved between two storage pools on your system so finally fix don't we've expanded for the proxy device can do by adding support at that point for it UNIX circuits both abstract and normal five base UDP and port ranges and we've also made it possible with like a single REST API call to join a node into a cluster was before it was like five or six goals then next few days we've added a feature that lets a container pull images from its host so if you want if your index the inside Lex D it can avoid going on to the network to denote the image it can just dunno it straight from the host so it's a pretty convenient pass-through we've added a new API took for a networking details from the host so that includes getting back at count byte count all that kind of stuff for any network device it's pretty useful for clusters when you want to like look at a remote person with us actually being going to be compatible what you want we've added a small feature people are kept requesting which is like a flag you can sit on a container so that you can't delete it without first been setting that flag because people do typos and printed not like it's so much when their production can hey let's go away so we did that and on the poxy side we added support for the HD poxy header pod core and we added UID GID mode control for UNIX sockets as well as supporting privilege dropping in the proxy device which was needed if you are using a proxy device to forward x11 traffic because we can use that device not only for like normal web traffic or whatever but you can also use it to fold your X servers sockets to the container so you can run graphical applications and for that you needs the UID and GID to line up with your own user so we need the first wrapping for that and we've added built-in p prof server that you can turn on on any address you want to then pull statistics or debug data out of the XD when it's raining and after that so we improved on - on top of what we did for the automatic overlay feature for the bridge on clusters by also having a dns forwarding protocol effectively that makes it so that the local so we use the NS mask in the backend and yes mask will generate records for your containers but if you're in a cluster you want to see all of them not just the ones that are on your machine so we've added a logic to frequently forward and replicate those across the cluster so that the DNS view is also consistent we've added a new API that would let us pull all the data you need to list all your containers and all details in a single rest query instead of like street or country now something we had before that main things massively faster obviously that's what we were working on getting visually lifting and tracting with 10000 containers to take about 50 seconds instead of 5 or 6 minutes so we got that's to be pretty reasonable and we've added file capabilities support in a bunch of different places that included when remapping the container when unpacking images like some mentioned earlier in this room five capabilities are getting pretty important for things like ping and we were running into problems there so we made sure that we used the feature that landed a few cannons ago to support and provide capabilities and that leg ste itself knows how to read them convert them and write them properly as it remaps the containers and already is that one we improved external authentication support so we support something called macaroons they're fancy cookies and something that should do decentralized authentication and external authentication for lxd so we've added support for multiple domains in there we've added extra checks for security and we've added separately we did some work she guarantee that the cluster upgrade is consistent so effectively having the nodes that are not upgraded yet to be a whether they need to have do it now so they can do something about it instead of waiting until someone up days then and I need to really start speaking fast now next release was a pretty big one we added projects so that's a way of grouping containers images and qualifies and hiding them from each another that's very convenient when you're working on a bunch of different things on a system or if you've got a system shared with multiple people you can use that feature to isolate who can see what effectively and grouping things together we've added done some more some more work on storage with snapshots we've done the initial secure be to support just initial we don't do any of the fancy controllers yet I do support phone cryptid certificates because yes if someone stole your next e credit baby it'd be bad so now we support password protection they're as Christian mentioned this morning we added a few event injection for USB devices and we improved some of our net for handling to make it faster that's what another release we added incremental container copies so that lets you update a existing container to effectively run a backup post and you can run background copies from one host to another and just keep that container up-to-date we've also switched our default keys to elliptic curve mostly because some architectures were stupidly slow with RSA so EC was significantly faster to generate for what should be actually slightly better security and fingers the last one I hope so we've added automated cutting of snapshots recently so you can be a back front type pattern on your container and like stick with generate snapshots for you we've added support for moving containers between projects we've added support for replicating images within a cluster to make sure that you can't end up in a situation where you've got an image in the database but it's nowhere near on disk because the nodal edits it's gone and we've added support for better configuring what address you want clusters to use for the internal traffic and for public traffic and that's it
that was a pretty busy year I mean we're a team of people on for now but it's been a busy and we expect next year to be just as busy really so that unless I'm just have alright anyone's got anything you mention could back up on the containers or do you have the container configurations backup for all the storage so if backup right now the way we do it is when you request the backup it will create that up to my star ball effectively it dumps it into one specific battery on the host that you could store on to whatever you want there's no just like we just like images on disk you can stai them to a nexus particular storage pool backups are the same way but you can totally mount whatever you want on the backup secretary and then released all that yeah we might at some point make a way of actually tying that to a storage food it just gets tricky and if you try to delete the storage pool all the corner cases store a bit funny thanks for some good work this year yes question what's the status of Weiland and Alex D containers mhm so we've not I've never actually even thought my laptop transparent are usually just forward x11 unless let x1 do its thing but the Chromebooks are Wayland and clearly they've got it working I'm not exactly what circuit they need to pass I think it actually depends on the compositor in the way that the the API works for a particle shell effectively but it's clearly possible because that's what the crumbles are doing I again thank you for a nice presentation and all your work there's been some changes and with introducing the proxy service and I'm wondering how does it behave with the containers that I mean if it's just IP tables nothing how does it behave with containers migrating across the cluster and does it actually do proper nothing to wherever the container is within the cluster no so like yeah that but it doesn't and that's obviously a bit of a problem sometimes more recently often people are from clusters we also have like an externally managed network and it just manage it as part of the network rather than expecting Lexi to be the Gateway we could do some very fancy things if we wanted because that proxy as I mentioned ACK doesn't only do IP tables it also does its own thing furtively it can attach the two namespaces and then does internal proxying between the two which is very convenient because it means you can run you can have a container that actually has no networking and you bind a service on localhost in that container and you can totally have the proxy proxy to that that works fine in theory we could change that thing to also epoxy internally so I OPI over the network but it's it seems like a lot of work and we've not really had a strong enough use case to to spend a month Frank to go out that's it all right thank you you [Applause]


  363 ms - page object


AV-Portal 3.20.2 (36f6df173ce4850b467c9cb7af359cf1cdaed247)