[lxc-users] LXC 3.0.0: Packaging Changes To Be Aware Of

Christian Brauner christian.brauner at canonical.com
Sat Apr 7 14:54:07 UTC 2018


Hey everyone,

LX{C,FS,D} upstream here. :)

I'm sorry to ping you all at once in this mail and I seriously hope I only
added actual package maintainers for LXC based projects in their respective
distros to this mail. If not I'm genuinely sorry to have banged on your door
(or rather inbox) on a Saturday!

A few days ago we released LXC [1] and LXD [2] 3.0.0 which are going to be our
next LTS releases receiving support from upstream for 5 years until 2023.

LXC 3.0.0 not only introduces a lot of changes and improvements on all fronts
in general but will also likely require changes in packaging. These changes are
what I'd like to inform you about because we really don't want you all to run
into pointless confusion and problems.

The distros I think should be reached by this mail are:

Alpine
ArchLinux
Debian
Fedora
Gentoo
NixOS
openSUSE
OpenWrt

Please, if any of you know other packagers in other distros that are not
derivatives of the above please forward this mail. Don't leave fellow
maintainers hanging. :)

Here is a list of what we consider will most likely affect you as packagers:

1. **Important** the lxc-templates have been moved out of the main LXC tree
   into a separate repository
   https://github.com/lxc/lxc-templates

   This means that without this separate package LXC will now only come with
   the following templates:

   lxc-busybox
   lxc-download
   lxc-local
   lxc-oci

2. **Important** distrobuilder is the new way of creating machine/system
    container images
   The templates have been replaced by a new project called "distrobuilder"
   [5]. It aims to be a very simple Go project focussed on letting you easily
   build full system container images by either using the official cloud image
   if one is provided by the distro or by using the respective distro's
   recommended tooling (e.g. debootstrap for Debian or pacman for ArchLinux).
   It aims to be declarative, using the same set of options for all
   distributions while having extensive validation code to ensure everything
   that's downloaded is properly validated.

   **Warning: Advertisement** please consider packaging distrobuilder.
   https://github.com/lxc/distrobuilder

   A more lengthy justification can be found at:
   https://brauner.github.io/2018/02/27/lxc-removes-legacy-template-build-system.html

3. The python3 bindings have been moved out of the main LXC tree and are
   maintained in a separate Github repo under the LXC namespace.
   https://github.com/lxc/python3-lxc

   This means that the

   --with-python

   configure flag should be dropped.

   A more lengthy justification can be found at:
   https://brauner.github.io/2018/02/27/lxc-removes-legacy-template-build-system.html

4. The lua bindings have been moved out of the main LXC tree and are
   maintained in a separate Github repo under the LXC namespace.
   https://github.com/lxc/lua-lxc

   This means that the

   --with-lua

   configure flag should be dropped.

   A more lengthy justification can be found at:
   https://brauner.github.io/2018/02/27/lxc-removes-legacy-template-build-system.html

5. **Important** the pam_cgfs.so pam module has moved from the LXCFS tree into
   the LXC tree
   https://github.com/lxc/lxc/blob/master/src/lxc/pam/pam_cgfs.c

   This means that in order to compile the pam module with LXC you should pass:

   --enable-pam

   and

   --with-pamdir=PAM_PATH

   when compiling LXC.
   In case you don't know what the pam module is for it is used to allow
   unprivileged cgroup management for fully unprivileged containers. It is
   useful for all container runtimes (e.g. openSUSE is shipping and
   using it). For a slightly deeper look at it I suggest you read [3].

6. Removal of legacy cgroup drivers
   This includes the cgmanager driver. Which also implies that

   This means that the

   --with-cgmanager

   configure flag should be dropped. The cgmanager package can likely also be
   dropped unless you maintain a package for our 1.0 stable branch!

   A more lengthy justification can be found at:
   https://brauner.github.io/2018/02/20/lxc-removes-legacy-cgroup-drivers.html

7. All legacy configuration keys have been removed.
   With LXC 2.1.0 we started to print warnings when legacy configuration keys
   were used in the container config and started yelling at people that we will
   remove legacy configuration keys in LXC 3.0.0. This is now reality.
   We ship an upgrade script since LXC 2.1:

   chb@conventiont|~
   > lxc-update-config
   /usr/bin/lxc-update-config -h|--help [-c|--config]
   config: the container configuration to update

   which will automatically replace legacy configuration keys with their new
   counterparts. If the upgrade fails it will have left a *.backup file in the
   same directory where the config file was and it can simply be restored.

   Please make sure your users know about this update script. Fwiw, [4]
   provides a list of all removed legacy configuration keys and their new
   counterparts.

8. **Warning: Advertisement** for any distro on here that does not already
   package LXCFS which has been around for a long time they should consider it.
   It provides a *runtime agnostic* way of partially virtualizing /proc through
   a minimal multi-threaded fuse filesystem.
   These mocked files can be overmounted over their /proc counterparts in the
   container.
   https://github.com/lxc/lxcfs

For a thorough overview over what has changed please see:
https://discuss.linuxcontainers.org/t/lxc-3-0-0-has-been-released

Thank you all for packaging LXC, LXCFS, and LXD!
The LXC team

[1]: https://discuss.linuxcontainers.org/t/lxc-3-0-0-has-been-released
[2]: https://discuss.linuxcontainers.org/t/lxd-3-0-0-has-been-released
[3]: https://brauner.github.io/2018/02/28/lxc-includes-cgroup-pam-module.html
[4]: Legacy Key                           | New Key                       | Comments
     -------------------------------------|-------------------------------|---------
     lxc.aa_profile                       | lxc.apparmor.profile          |
     lxc.aa_allow_incomplete              | lxc.apparmor.allow_incomplete |
     lxc.console                          | lxc.console.path              |
     lxc.devttydir                        | lxc.tty.dir                   |
     lxc.haltsignal                       | lxc.signal.halt               |
     lxc.id_map                           | lxc.idmap                     |
     lxc.init_cmd                         | lxc.init.cmd                  |
     lxc.init_gid                         | lxc.init.gid                  |
     lxc.init_uid                         | lxc.init.uid                  |
     lxc.kmsg                             | -                             | removed
     lxc.limit                            | lxc.prlimit                   |
     lxc.logfile                          | lxc.log.file                  |
     lxc.loglevel                         | lxc.log.level                 |
     lxc.mount                            | lxc.mount.fstab               |
     lxc.network                          | lxc.net                       |
     lxc.network.                         | lxc.net.[i].                  |
     lxc.network.flags                    | lxc.net.[i].flags             |
     lxc.network.hwaddr                   | lxc.net.[i].hwaddr            |
     lxc.network.ipv4                     | lxc.net.[i].ipv4.address      |
     lxc.network.ipv4.gateway             | lxc.net.[i].ipv4.gateway      |
     lxc.network.ipv6                     | lxc.net.[i].ipv6.address      |
     lxc.network.ipv6.gateway             | lxc.net.[i].ipv6.gateway      |
     lxc.network.link                     | lxc.net.[i].link              |
     lxc.network.macvlan.mode             | lxc.net.[i].macvlan.mode      |
     lxc.network.mtu                      | lxc.net.[i].mtu               |
     lxc.network.name                     | lxc.net.[i].name              |
     lxc.network.script.down              | lxc.net.[i].script.down       |
     lxc.network.script.up                | lxc.net.[i].script.up         |
     lxc.network.type                     | lxc.net.[i].type              |
     lxc.network.veth.pair                | lxc.net.[i].veth.pair         |
     lxc.network.vlan.id                  | lxc.net.[i].vlan.id           |
     lxc.pivotdir                         | -                             | removed
     lxc.pts                              | lxc.pty.max                   |
     lxc.rebootsignal                     | lxc.signal.reboot             |
     lxc.rootfs                           | lxc.rootfs.path               |
     lxc.se_context                       | lxc.selinux.context           |
     lxc.seccomp                          | lxc.seccomp.profile           |
     lxc.stopsignal                       | lxc.signal.stop               |
     lxc.syslog                           | lxc.log.syslog                |
     lxc.tty                              | lxc.tty.max                   |
     lxc.utsname                          | lxc.uts.name                  |

[5]: https://github.com/lxc/distrobuilder
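
Several of the keys removed in item 7 carry confinement settings (AppArmor, SELinux, seccomp, ID mapping), so a read-only report of legacy keys is useful before running the upgrade script. The following is an added example, not part of the original mail and not the implementation of lxc-update-config; the function name `audit`, the sample config, and the rule that each `lxc.network.type` line starts a new interface index are assumptions.

```python
import re

# Footnote [4] of the mail, exact-match keys; None marks a key that was removed.
RENAMED = {
    "lxc.aa_profile": "lxc.apparmor.profile", "lxc.id_map": "lxc.idmap",
    "lxc.aa_allow_incomplete": "lxc.apparmor.allow_incomplete",
    "lxc.console": "lxc.console.path", "lxc.devttydir": "lxc.tty.dir",
    "lxc.haltsignal": "lxc.signal.halt", "lxc.init_cmd": "lxc.init.cmd",
    "lxc.init_gid": "lxc.init.gid", "lxc.init_uid": "lxc.init.uid",
    "lxc.kmsg": None, "lxc.pivotdir": None, "lxc.limit": "lxc.prlimit",
    "lxc.logfile": "lxc.log.file", "lxc.loglevel": "lxc.log.level",
    "lxc.mount": "lxc.mount.fstab", "lxc.network": "lxc.net",
    "lxc.pts": "lxc.pty.max", "lxc.rebootsignal": "lxc.signal.reboot",
    "lxc.rootfs": "lxc.rootfs.path", "lxc.se_context": "lxc.selinux.context",
    "lxc.seccomp": "lxc.seccomp.profile", "lxc.stopsignal": "lxc.signal.stop",
    "lxc.syslog": "lxc.log.syslog", "lxc.tty": "lxc.tty.max",
    "lxc.utsname": "lxc.uts.name",
}
# lxc.network.<suffix> -> lxc.net.[i].<new suffix>, from the same footnote.
NET = {s: s for s in ("flags hwaddr ipv4.gateway ipv6.gateway link macvlan.mode "
                      "mtu name script.down script.up type veth.pair vlan.id").split()}
NET.update({"ipv4": "ipv4.address", "ipv6": "ipv6.address"})

def audit(config_text):
    """Return (line_no, legacy_key, replacement_or_None) per legacy key found."""
    findings, idx = [], -1
    for no, line in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*([A-Za-z0-9_.]+)\s*=", line)
        key = m.group(1) if m else ""  # comments and blank lines yield ""
        if key in RENAMED:
            findings.append((no, key, RENAMED[key]))
        elif key.startswith("lxc.network.") and key[12:] in NET:
            if key.endswith(".type"):
                idx += 1  # assumption: each lxc.network.type opens a new NIC
            findings.append((no, key, f"lxc.net.{max(idx, 0)}.{NET[key[12:]]}"))
    return findings

# Constructed sample of a pre-3.0 container config (not from the mail).
SAMPLE = """\
lxc.aa_profile = lxc-container-default
lxc.kmsg = 0
lxc.network.type = veth
lxc.network.ipv4 = 10.0.3.10/24
lxc.network.type = veth
lxc.network.link = br1
lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The report only reads the config; keys that are still valid, such as `lxc.mount.entry`, are not flagged because matching is on the exact key name.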