From 7d84131f63ee4510d4f3d6f93010937ae14d6876 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Wed, 6 May 2026 22:02:18 +0900 Subject: [PATCH 1/2] Add Japanese release announcement of LXCFS 7.0 LTS Reviewed-by: Hiroaki Nakamura Signed-off-by: KATOH Yasufumi --- .../lxcfs-7-0-lts-has-been-released.yaml | 171 ++++++++++++++++++ 1 file changed, 171 insertions(+) create mode 100644 content/lxcfs/news.ja/lxcfs-7-0-lts-has-been-released.yaml diff --git a/content/lxcfs/news.ja/lxcfs-7-0-lts-has-been-released.yaml b/content/lxcfs/news.ja/lxcfs-7-0-lts-has-been-released.yaml new file mode 100644 index 00000000..08c5eb73 --- /dev/null +++ b/content/lxcfs/news.ja/lxcfs-7-0-lts-has-been-released.yaml 
@@ -0,0 +1,171 @@ +title: LXCFS 7.0 LTS リリースのお知らせ +date: 2026/04/29 00:04 +origin: https://discuss.linuxcontainers.org/t/lxcfs-7-0-lts-has-been-released/26607 +content: |- + # はじめに + + LXCFS チームが LXCFS 7.0 LTS のリリースをお知らせします! + + + このリリースは、LXCFS 6.0 のリリース以来 2 年の作業の成果であり、LXCFS プロジェクトにとって 7 番目の LTS リリースとなります。このリリースは 2031 年 6 月までサポートされます。 + + # ハイライト + ## PSI(Pressure Stall Information)のサポート + + LXCFS は次の /proc/pressure ファイルを仮想化するようになりました。 + + - /proc/pressure/cpu + - /proc/pressure/io + - /proc/pressure/memory + + ## zswap サポート + + LXCFS は、仮想化された /proc/meminfo に zswap メトリクスを公開するようになりました。 + + ## 廃止された機能 + + 今回のリリースで、次の機能のサポートが削除されます: + + - FUSE2 (以降、FUSE3 のみ) + - CGroup V1 (cgroup v2 単一階層構造のみ) + - 仮想 cgroup ツリー(cgroup namespace が広く利用可能) + + + しばらく前から、ほとんどの Linux ディストリビューションは cgroup v2 で動作しており、また通常は FUSE3 をデフォルトにしているため、実際には問題にならないはずです。 + + ## デフォルトで PIDFD を使用 + + 現在、カーネルが PIDFD をサポートしているという想定をしています。そして、LXCFS では PIDFD をデフォルトで使用します(以前は `--enable-pidfd` を指定していました)。 + + # すべての変更点(翻訳なし) + + [details="すべてのChangeLogを見る"] + - proc: checks system security policy before trying to get personalities + - lxcfs/bindings: Refactor RUNTIME_PATH so that it can be overridden on startup + - lxcfs/bindings: add a flag for overriding the runtime dir + - github: add lxcfs live upgrade compatibility test + - github: update coverity test to use Ubuntu 22.04 + - README.md: add info about how to collect a core dump + - github: add ISSUE_TEMPLATE.md + - github: add live upgrade test between stable-{5,6} branches + - Add missing linux/limits.h include + - lxcfs_read: Added LXCFS_TYPE macro to all FUSE filesystem calls + - lxcfs: fix readdir for procfs subtree + - tests: add proc readdir test + - cgroups/cgfsng: improve swap accounting support detection + - github: Bump Ubuntu version + - github: Simplify tests workflow + - github: Add arm64 tests + - tests: Make sure to enable cpuset controller + - github: Use shared logic + - github: Update coverity workflow + - github: Simplify build action + - 
github: Update checkout to v4 + - github: Cleanup testsuite action + - github: Improve progress reporting + - proc_fuse: add psi(pressure stall information) procfs + - meminfo: Add slab_reclaimable to MemAvailable + - tests/test-read: call close(2) only if there is an fd + - utils: fix wait_for_sock to use time_t instead of int + - cpuset_parse: make a check for an empty string in cpu_in_cpuset() + - utils: move strlcpy/strlcat helpers from cgroup_utils to utils + - lxcfs: use strlcpy when handle runtime-dir parameter + - proc_loadavg: Prevent integer overflow calculating the sleep interval + - github: Bump actions/checkout to v5 + - github: Use Github Arm runners + - proc_fuse: fix proc_stat_read reporting host cpu count under cgroup v2 + - cgroups: extract cgfsng_can_use_memory_feature() util function + - cgroups: add zswap feature detection + - lxcfs: add disable-zswap opt + - bindings: add zswap feature detection + - proc_fuse: add zswap information to /proc/meminfo + - cgroups: replace dup() call with openat_safe() + - lxcfs: use macro to generate liblxcfs call helpers + - src/utils: fix in_same_namespace helper + - proc_fuse: deduplicate read() handlers code for /proc/pressure files + - bindings: add private_data field to struct file_info + - lxcfs: wire up ->write callback for /proc + - lxcfs: wire up ->poll callback for /proc + - proc_fuse: move release/releasedir at the end + - lxcfs: install noop signal handler for SIGRTMIN + 0 + - proc_fuse: add /proc/pressure/{cpu, io, memory} virtualization + - meson: add "mocks" option for CI/testing purposes + - github: enable mocks for CI builds + - tests: add /proc/pressure/* virtualization tests + - lxcfs: add enable-psi-poll cmdline option + - cgroups/cgfsng: fix whitespace errors in __cg_mount_direct + - cgroups/cgfsng: do not change host-wide cgroup2 superblock options + - github: pass LIBFUSE env variable to upgrade tests + - github: enable mocks for CI upgrade tests + - meson: don't forget to set PSI trigger 
mocks for liblxcfstest + - cgroups/cgfsng: check memory allocation in add_hierarchy + - Fix issue where the pidfd_ functions are not detected during meson setup. + - lxcfs: fix "Write to cache was truncated" on long-running / high-core-count systems + - sysfs: fix duplicated /sys/devices/system/cpu/online + - lxcfs: add .clang-format + - CONTRIBUTING: add a note on AI generated code + - github: switch to libfuse3 and drop libfuse2 + - lxcfs: drop libfuse2 support + - lxcfs: remove libfuse2-specific code + - tests: remove cgroupfs-related tests + - lxcfs: remove cgroupfs support from hook + - lxcfs: remove --enable-cgroup option support + - lxcfs: nuke the cgroupfs code + - lxcfs: make --enable-pidfd a default + - Fix compiler warning. + - lxcfs: remove test_cgroup + - tests: remove test_readdir test + - cgroups: remove pure cgroup1 and hybrid support + - tests: remove cgroup1 support + - tests: extend meminfo hierarchy test + - tests: cleanup using shellcheck + - tests/meminfo_hierarchy: ensure that swap total size is correct + - tests: refactor meminfo_hierarchy test + - tests: add cpuset hierarchy test + - tests: add cpu cfs hierarchy test + - tests: use SIGTERM instead of SIGKILL + - github: add Codecov + - github: drop cgroup1 related stuff + - lxcfs: fix gettid on glibc < 2.30 + - tests: cover /proc/swaps in meminfo hierarchy test + - cpuset_parse: constify return value of cpuset_nexttok + - lxcfs: fix wrong cpu count when setting cfs in hierarchy + - chore: Remove manual cpu.max and TODO in test script + - Release LXCFS 7.0.0 + [/details] + + # サポートとアップグレード + + LXCFS 7.0 は 2031 年 6 月までサポートされる、現在の LTS リリースです。LXCFS 6.0 は、メンテナンスのペースが遅くなり、重要なバグ修正とセキュリティアップデートのみが提供されるようになります。 + + + すべての LXCFS ユーザーは、7.0 ブランチへのアップグレードを計画することを強くおすすめします。 + + # ダウンロード + + - リリース tarball : [lxcfs-7.0.0.tar.gz](https://linuxcontainers.org/downloads/lxcfs/lxcfs-7.0.0.tar.gz) + - GPG シグネチャー : [lxcfs-7.0.0.tar.gz.asc](https://linuxcontainers.org/downloads/lxcfs/lxcfs-7.0.0.tar.gz.asc) + + # 
コントリビューター + + LXCFS 7.0 は、合計 16 名のコントリビューターによってリリースされました。 From 7b2163a8946183f901c55a3e07e63f8fa8ae3a18 Mon Sep 17 00:00:00 2001 From: KATOH Yasufumi Date: Wed, 6 May 2026 22:46:23 +0900 Subject: [PATCH 2/2] Add Japanese release announcement of LXC 7.0 LTS Reviewed-by: Hiroaki Nakamura Signed-off-by: KATOH Yasufumi --- .../lxc-7-0-lts-has-been-released.yaml | 257 ++++++++++++++++++ 1 file changed, 257 insertions(+) create mode 100644 content/lxc/news.ja/lxc-7-0-lts-has-been-released.yaml diff --git a/content/lxc/news.ja/lxc-7-0-lts-has-been-released.yaml b/content/lxc/news.ja/lxc-7-0-lts-has-been-released.yaml new file mode 100644 index 00000000..a55f6ab5 --- /dev/null +++ b/content/lxc/news.ja/lxc-7-0-lts-has-been-released.yaml 
@@ -0,0 +1,257 @@ +title: LXC 7.0 LTS リリースのお知らせ +date: 2026/04/30 00:04 +origin: https://discuss.linuxcontainers.org/t/lxc-7-0-lts-has-been-released/26612 +content: |- + # はじめに + + LXC チームが LXC 7.0 LTS のリリースをお知らせします! + + + このリリースは、LXC 6.0 リリース以来 2 年の作業の成果です。そして、LXC プロジェクトにとって 7 回目の LTS リリースです。このリリースは 2031 年 6 月までサポートされます。 + + # セキュリティ + + このリリースでは、セキュリティの問題を 1 件修正しています: + + - [CVE-2026-39402 (lxc-user-nic における OVS ポート削除の認証バイパス)](https://github.com/lxc/lxc/security/advisories/GHSA-3m9j-g9gc-vcvq) + + # ハイライト + ## モニタープロセスの Landlock による保護 + + `landlock-monitor` を有効にしてビルドすると、LXC は Landlock を使用して、モニター API ハンドラーがシステム上で実行できる操作を制限するようになりました。これにより、ハンドラーは、コンテナとそのコンテナのファイルシステムのみとやりとりをするように制限されます。 + + ## フックと環境変数設定の分離 + + 新たな設定キーが 2 つ導入されました: + + - lxc.environment.hooks + - lxc.environment.runtime + + + これらを使うことで、フックに影響を与えることなく、一部の環境変数のみをコンテナに公開したり、その逆を行ったりできます。 + + ## 廃止された機能 + + このリリースでは次の機能が廃止されました: + + - CGroupV1 + - PIDFD をサポートしないカーネル + - 新しいマウント API をサポートしないカーネル + + # すべての変更点(翻訳なし) + + [details="すべてのChangeLogを見る"] + - meson: Set DEVEL flag post release + - meson: fix build on NixOS + - github: test the lxc multicall binary builds too + - lxc/network: handle non-existing sysctl /disable_ipv6 + - network: netdev_configure_server_veth: reduce scope of disable_ipv6_fd/path vars + - Update lxc-attach.sgml.in + - Update lxc-execute.sgml.in + - Update lxc-{attach,execute}.sgml.in + - Update lxc-execute.sgml.in + - lxc-local: fix use of `LXC_PATH` before init + - lxc-local: fix incorrect path to `templates` file + - lxc-local: remove check for template existence before extraction + - apparmor: fix rule path pattern specification syntax + - apparmor: regenerate rules + - apparmor: use /{,**} instead of /** + - apparmor: regenerate rules + - github: start using ubuntu-24.04 + - github: properly check apparmor profile changes + - lxc/storage/zfs: ignore false-positive use-after-free warning + - github: exclude clang & ubuntu-24.04 combination + - meson: fix build with 
-Dtools-multicall=true on NixOS + - Remove unused function + - idmap: Lower logging level of newXidmap tools to INFO + - Exit 0 when there's no error + - doc: Fix definitions of get_config_path and set_config_path + - README: Update security contact + - fix possible clang compile error in AARCH + - meson.build: add -ffat-lto-objects + - meson.build: drop suggest-attribute=noreturn build option + - Add suppport for PuzzleFS images in the oci template + - create_run_template: don't use txtuid and txtguid out of scope + - Avoid null pointer dereference when using shared rootfs. rootfs->storage not set by lxc_storage_prepare when using a shared rootfs. + - fix return code of recursive all of cgroup_tree_prune + - meson: fix minor typo + - lxc-net: Replace random IPv6 subnet + - lxccontainer: fix enter_net_ns helper to work when netns is inherited + - lxc.init: Switch to sigaction + - lxc.init: Ignore user signals coming from inside the contianer + - lxc.init: Allow SIGHUP from outside the container + - github: Update coverity workflow + - github: Introduce shared build logic + - github: Introduce shared testsuite logic + - github: Rework test workflow + - github: Cleanup OSS-fuzz + - github: Improve progress reporting + - - LXC attach should exit on SIGCHLD + - confile-vlanid: undefined is not a zero value + - conf: log name of invalid capability in error + - dbus: replace hardcoded dbus address with environment variable + - conf: warn when capabilities are disabled or libcap is not found + - lxc/attach: Revert "- LXC attach should exit on SIGCHLD" + - config-bcast: fix incorrect broadcast address calculation + - github: Switch to native arm64 runners + - Added LXC_IPV6_ENABLE option for lxc-net to enable or disable IPv6 + - sysconfig/lxc: remove false comment + - global: Switch MAC generation to Zabbly prefix + - global: Switch to new MAC prefix + - github: Add packaging workflow + - tools/lxc_attach: fix ENFORCE_MEMFD_REXEC checks + - lxc/conf: handle rootfs open_at 
error in lxc_mount_rootfs + - lxc/caps: fix open /proc/sys/kernel/cap_last_cap + - lxc/start: do prctl(PR_SET_DUMPABLE) after last uid/gid switch + - start: Re-introduce first SET_DUMPABLE call + - README: Remove mention of old LXC version + - bionic: Remove bionic detection and support + - bionic: Remove custom getline, openpty and prlimit + - meson_options.txt: don't use str when defining bool default values + - meson_options.txt: remove space before `:` for consistency + - selinux: fix typo (AppArmor) + - lxc/conf,start: fix setting container_ttys environment variable + - re-add onexec for apparmor, move label assumption until after container has been setup for attach + - apparmor test: add an overlay container start + - meson.build: remove quirk for Ubuntu 14.04 libcap-dev + - src/tests/lxc-test-apparmor-generated: enable test + - src/tests/lxc-test-apparmor-mount: prevent fail on cleanup path + - src/tests/lxc-test-unpriv: prevent fail on cleanup path + - conf: Add support for "move" mount flag + - lxc/conf: support nosymfollow mount flag + - lxc/conf: support flag kind of mount options in lxc.mount.entry options + - src/tests/oss-fuzz: pin meson to 1.7.2 to workaround build failures + - Revert "re-add onexec for apparmor, move label assumption until after container has been setup for attach" + - Add loong64 to list of recognized architectures + - meson.build: set `LXC_DISTRO_SYSCONF` when `-Dspecfile=true` + - meson.build: fix checks for fsconfig and calls + - meson.build: use has_header_symbol() instead of get_define() to improve compatibility + - lxc/process_utils.h: use strsignal() or sys_siglist[] for Non-GNU distros + - lxc/lxccontainer: stop printing misleading errors in enter_net_ns() + - tests/lxc-test-rootfs: add idmapped rootfs testcase + - tests/lxc-test-snapdeps: try to load overlay kernel module + - lxc/network: null-terminate ifname string in lxc_network_recv_name_and_ifindex_from_child() + - lxc/conf: do not leak opts.data memory in 
__lxc_idmapped_mounts_child() + - build(deps): bump actions/checkout from 4 to 5 + - README: Fix CI links + - Rename CONTRIBUTING to CONTRIBUTING.md + - README: update links + - commands: Fix indent + - meson: Add optional landlock protection for monitor + - start: Make lxc_handler mainloop to run in thread + - start: Add Landlock restrictions to monitor + - github: Enable landlock in tests + - conf: split `lxc.environment` into `runtime` and `hooks` + - api_extensions: add environment_runtime_hooks extension + - doc: add lxc.environment.{runtime, hooks} + - Enable systemd to create /var/lib/lxc at runtime with StateDirectory + - doc: add lxc.environment.{runtime,hooks} in Japanese man page + - Standardize log file create mode to 0640 + - lxccontainer: check if target exists before remove in create_mount_target() + - Automatically detect compression format in the lxc-local template + - start: Only include linux/landlock.h when landlock is enabled + - add MFD_EXEC and MFD_NOEXEC_SEAL flag to memfd_create + - github: Drop focal source packages + - builds workflow: make .orig.tar.gz unique per build + - build(deps): bump actions/upload-artifact from 4 to 5 + - config/apparmor/abstractions: Fix meson build generation of container-base + - config/apparmor/abstractions: Drop manually generated container-base file + - Update lxc.spec.in to use meson + - apparmor: skip /proc and /sys restrictions if nesting is enabled + - Ensure do_lxcapi_unfreeze returns false when getstate errors + - build(deps): bump actions/checkout from 5 to 6 + - build: Check if P_PIDFD is defined + - meson: add meson option for running doxygen in build + - Enumerated all values in array + - Initial changes without testing + - checkonfig: Fixed compatible with toybox/gunzip + - Fallback to XDG_RUNTIME_DIR when /run not found + - added "--rbduser" option in "lxc-create -B rbd" + - added doc for --rbduser + - Added documentation on unprivileged LXC containers + - build(deps): bump 
actions/upload-artifact from 5 to 6 + - start: Remove outdated comment about group dropping + - start: Respect lxc.init.groups also in new user namespace + - copy_rdepends: Don't fail on missing source file + - cgfsng: fix reboots when using dbus + - Improve the dbus scope creation error handling + - build: update Makefile and meson.build + - github: test io_uring-based event loop + - lxc/{terminal, file_utils}: ensure complete data writes in ptx/peer io handlers + - tests/lxc-attach: ensure no data corruption happens during heavy IO on pts + - src/confile: fix values of lxc.cap.keep and lxc.cap.drop + - lxc: added support OpenRC init system + - meson.build: fix openat2 include typo, fix with glibc-2.43 +FORTIFY + - meson.build: fix open_how include with glibc-2.43+ + - lxc/network: optimize netdev_get_mtu + - lxc/network: save/restore physical network interfaces altnames + - lxc/network: define netlink uAPI constants for link properties + - cmd/lxc-user-nic: prevent OOB read in name_is_in_groupnames + - Add description for unprivileged containers to Japanese man page + - Add --rbuser to Japanese lxc-create(1) + - build(deps): bump actions/upload-artifact from 6 to 7 + - utils: Add quotes around exec arguments + - utils: Update buffer size to account for quotes + - utils: Only single quote our own arguments + - Fix issue where pidfd_ functions were not being detected during meson setup. + - Fix issue where memfd functions were not being detected during meson setup. 
+ - tests: mount_injection: ensure cleanup on test failure + - cgroups: Skip systemd dbus logic when not using systemd + - [nesting] Extend mount permissions in apparmor to allow systemd services' restrictions to work + - lxc/cgroups: drop cgroup1 freezer support + - lxc/cgroup: drop cgroup1 device cgroup support + - lxc/cgroups: drop special handling logic for cgroup1 cpuset controller + - lxc/cgroups: drop cgroup1 mounting logic + - lxc/conf: drop cgroup1 config options (lxc.cgroup.*) + - tests: use lxc.cgroup2 instead of lxc.cgroup + - config/templates: don't use cgroup1 settings + - lxc/cgroups: warn if non-unified cgroup layout detected + - doc: mention that legacy/hybrid hierarchy support is dropped + - lxc/start: assume CLONE_PIDFD and clone3 are supported + - lxc: assume fsopen/open_tree/mount_setattr syscalls are supported + - apparmor: allow nosymfollow remounts + - apparmor: allow nosymfollow remounts + - lsm/apparmor: allow binfmt_misc RW mounts + - tests/lxc-test-lxc-attach: Increase sleep time + - lvm.c: make sure tp gets freed + - Don't leak an open fd + - lxc-user-nic: clarify and fix + - usernic: add a test for ovs port deletion permission + [/details] + + # サポートとアップグレード + + LXC 7.0 は 2031 年 6 月までサポートされる、現在の LTS リリースです。LXC 6.0 は、メンテナンスのペースが遅くなり、重要なバグ修正とセキュリティアップデートのみが提供されるようになります。 + + + すべての LXC ユーザーは、7.0 ブランチへのアップグレードを計画することを強くおすすめします。 + + # ダウンロード + + - リリース tarball : [lxc-7.0.0.tar.gz](https://linuxcontainers.org/downloads/lxc/lxc-7.0.0.tar.gz) + - GPG シグネチャー : [lxc-7.0.0.tar.gz.asc](https://linuxcontainers.org/downloads/lxc/lxc-7.0.0.tar.gz.asc) + + # コントリビューター + + LXC 7.0 は、合計 46 名のコントリビューターによりリリースされました。
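Review bot: In content/lxcfs/news.ja/lxcfs-7-0-lts-has-been-released.yaml, the 廃止された機能 list spells the same term two ways within one item: "CGroup V1 (cgroup v2 単一階層構造のみ)". The paragraph that follows the list and the untranslated changelog both use lowercase ("cgroup v2", "cgroup1"), so writing the item as "cgroup v1 (cgroup v2 単一階層構造のみ)" would keep the page consistent. The LXC announcement in patch 2/2 uses a third form, "CGroupV1", and could be aligned at the same time.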
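Review bot: In content/lxc/news.ja/lxc-7-0-lts-has-been-released.yaml, the セキュリティ entry describes CVE-2026-39402 as "OVS ポート削除の認証バイパス", and 認証 reads as authentication. The changelog in the same hunk describes the related work as a permission check ("usernic: add a test for ovs port deletion permission"), which points to authorization. Please check the wording against the title of the linked advisory. If the advisory describes an authorization bypass, 認可バイパス is the accurate term, and the distinction matters to readers judging whether the issue affects their lxc-user-nic setup.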