Category Archives: Zabbly

The facts

As of earlier today, right before the release of LXD 5.20, Canonical made a couple of changes to LXD which are sure to have a serious impact to LXD users and downstream projects that integrate with LXD or provide solutions based on it.

The first is the re-licensing of LXD from the Apache 2.0 license to the AGPLv3 license.
This happened in: https://github.com/canonical/lxd/pull/12663

The second is the addition of the Canonical CLA as requirement for all further contributions.
This happened in: https://github.com/canonical/lxd/pull/12665

Disclaimer

What’s below is my personal analysis of the situation, it is not legal advice, anyone affected is very strongly encouraged to seek proper legal advice from their counsel.

Real license of LXD

Per the commit message performing the re-licensing, all further contributions will be under the AGPLv3 license and all contributions from Canonical employees have been re-licensed to AGPLv3.

However, Canonical does not own the copyright on any contribution from non-employees, such as the many changes they have imported from Incus over the past few months. Those therefore remain under the Apache 2.0 license that they were contributed under.

As a result, LXD is now under a weird mix of Apache 2.0 and AGPLv3 with no clear metadata indicating what file or what part of each file is under one license or the other.

This is likely to make it very “fun” for anyone performing licensing reviews to evaluate LXD for adoption in their environment.

Impact to LXD users

For LXD users, other than potentially triggering corporate policies that ban the use of AGPLv3 software (more common than one may think), the impact should be minimal. It’s still the same LXD and it’s still open source software.

However, if you were altering LXD in any way, then you will need to familiarize yourself with the AGPLv3 license as unlike Apache 2.0, it does require any changes be made available under the AGPLv3 even if you don’t expose your users to your modified binaries. This is the main design characteristics of the AGPLv3 license, it was meant to force those operating modified versions of open source as a hosted service to share their modifications.

Impact to downstreams (consumer of LXD Go packages)

Up until now, all the Go packages of LXD were under the Apache 2.0 license, that was fitting quite well in the Go ecosystem where the Apache 2.0, BSDs and MIT licenses are very popular.

Now with this change, you need to realize that you may start to include/bundle AGPLv3 code within your own project. This a copyleft license and so may require re-licensing of your own project to comply with it.

Again, this is quite the can of worms, with my usual recommendation being “stay away”, but if you must use any of LXD’s Go packages, I’d strongly recommend talking to a lawyer to fully understand your exposure to that new license.

Impact on Incus

Now for what obviously impacts me the most, what this is going to do to Incus.

As a brief reminder Incus is a fork of LXD which was started in August 2023.
So far, it’s been tracking LXD changes, applying those that make sense and otherwise fixing bugs and making improvements of its own, as most forks do.

This change from Canonical is going to be causing two unfortunate side effects:

• Incus will no longer be including changes originating from LXD as that would require us to include AGPLv3 code into our codebase and so get us into the same mixed license mess as LXD now put itself. This is obviously unacceptable to us, we very much like licensing clarity and quite enjoy the Apache 2.0 license.
• LXD will similarly no longer be able to take changes from Incus, as those are going to remain under the Apache 2.0 license and more importantly, will not have been released under the Canonical CLA.

To enforce that second part, the tooling we’ve been using thus far to monitor LXD changes and automatically backport them to Incus will be used to detect any changes to LXD which originated from Incus. Unless the author gave express consent for them to be released under a different license and under the Canonical CLA, those changes should not be included in LXD.

Incus is also a consumer of the LXD Go API in the lxd-to-incus tool. Thankfully, we have no need for anything recent in there, so will simply be making sure that we never import code past the licensing change.

Conclusion

Overall, I’m very disappointed, although absolutely not surprised in seeing this change happen.
It’s certainly going to be quite annoying for Incus, and I suspect this is the whole point of it.

But it’s also a very odd move by Canonical as it puts LXD into a problematic grey area as far as its true license is concerned which will likely seriously hurt its adoption both by companies and distributions.

In any case, I’d urge anyone who has concerns about this change to reach out to their legal representation and maybe consider switching over to Incus where we will happily keep releasing our CLA-free Apache 2.0 licensed fork of this once great project.

Update (2023/12/12)

I’ve seen a number of people point out that Apache 2.0 is compatible with the AGPLv3 and that’s certainly correct, however compatibility doesn’t mean that the code in question suddenly becomes AGPLv3, it means that it can be included in an AGPLv3 project. So I’d still expect there to be good tracking of the license of the individual files / code chunks so that someone can tell whether a particular piece of code is AGPLv3 or Apache 2.0, this is currently not possible.

The code mentions headers (probably SPDX) to be present whenever code isn’t AGPLv3, but no such headers were introduced at time of writing.

The announcement also very specifically spells out that past contributions are not being re-licensed and therefore remain under the Apache 2.0 license, though again, there is currently no way to identify what contributions that is. So this still leads to LXD now being a mix of AGPLv3 and Apache 2.0 with no way to figure out which is which.

All that’s known for sure is that all new contributions are to be under AGPLv3 and must be from copyright holders (author or employer) who has signed the Canonical CLA. Those two will preclude the inclusion of any Incus code in LXD moving forward.

Update (2023/12/14)

Canonical now seems to be trying to get around the fact that Incus isn’t AGPLv3 by marking the code they import from us as Apache 2.0 in the commit message. While this is definitely fine from a licensing standpoint given the compatibility between AGPLv3 and Apache 2.0 license, it still violates their requirement that all new contributions be under the Canonical CLA.

Another month, another Incus release!
Incus 0.3 is now out, featuring OpenFGA support, a lot of improvements to our migration tool and support for hot-plug/hot-remove of shared paths in virtual machines.

The full announcement and changelog can be found here.
And for those who prefer videos, here’s the release overview video:

Finally just a quick reminder that my company is now offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship.
You’ll find all details of that here: https://zabbly.com/incus

Donations towards my work on this and other open source projects is also always appreciated, you can find me on Github Sponsors, Patreon and Ko-fi.

Introduction

For anyone who hasn’t seen it before, you can try the Incus container and virtual machine manager online by just heading to our website and starting a demo session.

This gets you a dedicated VM on an Incus cluster with a bunch of resources and with a 30min time limit so you can either poke around for yourself or go through our guided showcase.

Now as neat as this is, it’s nothing new and we’ve been offering this for quite a while.

What’s new is that “Try a Web UI” link you can see alongside the console timer, click it and you’ll be getting into a web app that lets you play with the same temporary Incus server as the regular text demo.

What web UI?

Unlike LXD, Incus doesn’t have an official web UI. Instead, it just serves whatever web UI you want.

That means that getting a stateless (javascript + html only) web UI is as simple as unpacking a bunch of files in /opt/incus/ui/ and then accessing Incus from a web browser. For more complex, stateful web UIs (those using dynamic server-side languages or an external database), a simple index.html file can be dropped into /opt/incus/ui/ to then redirect the user to the correct web server.

In a recent livestream, I spent a bit of time packaging the Canonical LXD UI in my Incus package repository so that it’s now as simple as apt install incus-ui-canonical to get that one up and running.

Part of that work was to also do some minimal re-branding, changing some links and updating the list of config options so it matches Incus. That’s handled as a series of patches that are applied during the package build.

How does it all work?

Now to get this available for anyone as part of the online demo service, some work had to be done!

The first part was the easy one, simply get the incus-ui-canonical package installed in our demo image. Those images are generated through a simple shell script, building a new base image every day.

With the package present and Incus configured to listen on the network, the next step was to add a bunch of logic to the incus-demo-server codebase. Each demo session is identified by a UUID. You can see that UUID in the URL whenever you start a demo session.

When a new session is created, a database record is made which amongst other things records the IPv6 address of the instance. Until now, this wasn’t really used other than for debugging purposes.

Now the easy approach would have been to just provide the IPv6 address to the end user and so long as they have IPv6 connectivity, they could just access the web UI directly. There are a few problems with that approach though:

• Adoption rate for IPv6 is only slightly above 50% when looking at Incus users
• The target web server (Incus) doesn’t have a valid TLS certificate
• Authentication in the web UI requires a client certificate in the user’s browser

This would have made for a very high bar for anyone to try the UI, something better was needed. And so that’s where the idea of having incus-demo-server act as a SNI-aware proxy came about.

The setup basically looks like:

• User hits https://<UUID>.incus-demo-linuxcontainers.org
• Wildcard DNS record catches *.incus-demo.linuxcontainers.org and sends to HAProxy
• HAProxy uses a valid Let’s Encrypt wildcard certificate to answer
• HAProxy forwards the traffic to incus-demo-server on a dedicated port, keeping the SNI (Server Name Indication) value
• incus-demo-server inspects the SNI value, extracts the instance UUID and gets the target IPv6 address from its database
• incus-demo-server forwards the traffic to the Incus server running in the instance, using its own TLS client certificate for that connection

This results in the end user being able to access the web UI in their temporary instance with a valid HTTPS certificate and without needing to worry about authentication at all.

You can find the incus-demo-server side of this logic here.

Conclusion

I believe this turned out to be a very elegant trick, making things as easy as humanly possible for anyone to try Incus, letting them mix and match using the CLI or using a web UI.

As mentioned, there is no such thing as an official web UI with Incus, so we’re looking forward to getting some more of the alternative web UIs packaged and will be looking at ways to offer them up on the demo service too, likely by having the user install whichever one they want through the terminal.

Introduction

A year ago today, my girlfriend and I (along with our cat), moved into our new house. It’s a pretty modern house, on a 1.5 acres (~6000 sqm) piece of forested land and even includes an old maple shack!

Fully moving all our stuff from our previous house in Montreal took quite some time, but we got it all done and sold the Montreal house at the end of July.

The new house has 4 bedrooms and 2 bathrooms upstairs, a massive open space for living room, dining room and kitchen on the main floor along with a mudroom, washroom and pantry, then on the lower level, we got a large two car garage, mechanical room and another small storage room.

That’s significantly larger than what we had back at the old house and that’s ignoring the much larger outside space which includes a large deck, the aforementioned maple shack, a swimming pool, chicken coop and a lot of trees!

Home automation platform

Now, being the geek that I am, I’ve always had an interest in home automation, though I also have developed quite an allergy to anything relying on cloud services and so focus on technologies that can work completely offline.

These days, it means running a moderately complex installation of Home Assistant, along with Mosquitto for all the MQTT integrations, MediaMTX to manage camera feeds and Frigate to analyze and record all the video footage.

Obviously, all of the software components run in Incus containers with some nested Docker containers for the software components handling my Z-Wave, Zigbee and 433Mhz radios.

Networking

On the networking side, the new house is getting 3Gbs symmetric fiber Internet along with a backup 100Mbps/30Mbps HFC link. Both of those are then connected back to my datacenter infrastructure over Wireguard, letting me use BGP with my public IP allocation and ASN at home too.

I used the opportunity of setting up a new house to go for a decent amount of future proofing, by which I mean, building an overkill network… I installed a fiber patching box which gets the main internet fiber along with two pairs of singlemode fiber to each of the switches around the property, two outside and four inside the house. The fiber patching box then uses a pair of MTP fibers to carry all 24 or so fibers to the core switch over just two cables. Each switch gets a bonded 2x10Gbps link back to the core switch, so suffice to say, I’m not going to have a client saturate a link anytime soon!

All the switches are Mikrotik, with the core being a CRS326-24S+2Q+RM and the edge switches being a mix of netPower 16P and CRS326-24G-2S+RM depending on whether PoE is needed. I’m sticking to their RouterOS products as that then lets me handle configuration and backups through Ansible.

The wifi is a total of 7 Ubiquiti 6 APs, 3 U6-LR for the inside and 4 U6-Lite for the outside.

On the logical side of things, I’ve got separate VLANs and SSIDs for trusted clients, untrusted clients, IoT sensors and IoT cameras. With the last two of those getting no external access whatsoever.

This allows me to use just about any random brand camera or IoT device without fear of them dialing back home with all my data. The only real requirement for cameras is that they give me RTSP/RTMP.

Hardware

Now on the more home automation hardware side of things. As mentioned above, my home assistant setup can handle devices connected over Z-Wave, Zigbee, 433Mhz or accessible over the internal network.

In general, I’m a big proponent of having home automation be there to help those living in the house, it should never get in the way of normal interactions with the house. This mostly means, that every light switch is expected to function as a light switch, same goes for thermostats or anything else that’s visible to someone living in the space.

Here is an overview of what I ended up going with:

• Light switches (with neutral): Zooz ZEN77 dimmers (Z-Wave)
• Light switches (without neutral): Innoveli Blue Series dimmer (Zigbee)
• Baseboard thermostats: Stelpro STZW402WBPLUS (Z-Wave)
• Garage ceiling heater thermostat: Centralite 3000-W (Zigbee)
• Bathroom floor thermostat: Sinopé TH13000ZB (Zigbee)
• Concrete slab thermostat: Sinopé TH14000ZB (Zigbee)
• Pool pump control (smart switch): Zooz ZEN05 (Z-Wave)
• Pool heater control: Sinopé RM3250ZB (Zigbee)
• Door locks: Yale YRD156 (Z-Wave)
• Power panel metering: Aeon Labs ZW095 (Z-Wave)
• Air quality sensors: TuYA TS0601 (Zigbee)
• Door sensors: Third Reality 3RDS17BZ (Zigbee)
• Small appliance control: Sonoff S31ZB (Zigbee)
• Leak detectors: Third Reality 3RWS18BZ (Zigbee)
• Outdoor light sensors: Xiaomi GZCGQ11LM (Zigbee)
• Fridge and freezer sensors: AcuRite 06044M (433Mhz)
• Pool temperature sensor: InkBird IBS-P01R (433Mhz)
• Outdoor air temperature/humidity sensor: Hama Weather station (433Mhz)
• Outdoor rain meter: AcuRite 00899 (433Mhz)
• Vaccum cleaner: Roomba 960 (wifi)
• Car charger: OpenEVSE (wifi)
• Custom meters & controllers: ESP8266 boards (wifi)
• AC and fan control: Bestcon RM4C Mini (wifi)
• Indoor wireless cameras: Sonoff 1080P (wifi)
• Indoor wired cameras: Reolink ‎RLC-520A (PoE)
• Outdoor IR cameras: CTVISION 5MP, Reolink 5MP, Reolink 4K, Veezoom 5MP (PoE)
• Outdoor non-IR cameras: Revotech Mini Camera (PoE)
• Cat feeder: Aqara Smart Pet Feeder C1 (Zigbee)
• Sound system: Sonos Arc & IKEA Symfonisk (wifi)

Note that this isn’t necessarily an endorsement for any of those products 🙂
For example, the cameras, I’ve been going through a variety of manufacturer, some more reliable than others, especially when it comes to water ingress…

Automation

All of those in Home Assistant allows for some pretty good automation, things like getting notified of the mail box being open, along with a photo of whoever was there at the time. Same goes for the immediate perimeter of the house when we’re not there, useful to monitor deliveries. It also is used to keep the house at a comfortable temperature year round without needlessly wasting energy heating unused rooms.

Our chicken coop is also fully automated, opening automatically in the morning, closing at night, sending a photo to confirm that the chicken is back in and keeping the chicken inside when it’s too cold outside, also turning on heat to the water dispenser to avoid it freezing over.

The swimming pool equipment that came with the house also didn’t allow any real automation, instead, we’re relying on relays/smart plugs to control it. The pool temperature sensor combined with the big relay controlling the thermopump allows for home assistant to act as a thermostat for the pool.
The smart plug controlling the pump allows for quite some energy savings by only filtering the pool for as long as is needed (based on usage and temperature).

And probably the most useful of all from a financial standpoint, support for automatically handling peak periods with the utility, during which time they credit money for any kWh of power saved compared to the same period of the previous days. Home assistant can simply pre-heat the house a bit ahead of time and then turn off just about anything for the peak period. Keeps things perfectly livable and saves a fair amount of money by the end of the season!

What’s next

In general, I’m very happy with how things stand now.

There are really only two things which aren’t controllable yet and which would be useful to be able to control, especially when the utility provides incentive to reduce power consumption. That’s the water heater and the air exchanger. For the water heater, Sinopé makes the perfect controller for it, just waiting for it to be more readily available. For the air exchanger, I’m yet to decide between trying to reverse engineer the control signal with an ESP8266 or going the lazy route and just use a controllable outlet and leave it in the same mode forever.

We’ve been getting a few power cuts and despite having 6U worth of UPS for my servers and the core network, it’s annoying to have the rest of the house lose power. To fix that, we got a second electrical panel installed for the critical loads which will hopefully soon be fed by a battery system.

Over the next year, I also expect the maple shack to get brought to a more livable state, with the current plan to relocate the servers and part of my office down to it. This will involve a fair bit of construction as well as running fiber and a beefier power cable down there but would provide for good home/work separation while still not having to drive anywhere 🙂