Weekly status for the week of 14th October to 20th October.
Introduction
In the past week, LXD received several bug fixes. The highlight is a new feature that allows creating fine-grained TLS identities. The LXD UI also received a major design improvement with revamped navigation and empty state icons.
Thanks to all the contributors!
Creation of TLS identities
LXD now supports creating fine-grained TLS identities to restrict granular actions on specific LXD resources. For example, TLS identities can now be used to restrict a user to viewing, but not editing, a single instance.
Below is an example of how to add a new TLS identity.
# On the server, create a new TLS identity. This generates a trust token
# that can be used to add a client certificate.
$ lxc auth identity create tls/myclient
TLS identity "tls/myclient" (223ff2bd-39e6-4721-927c-6f07e4784be2) pending identity token:
<token>
# On the client, add the remote using the generated token.
$ lxc remote add <remote_name> <token>
# On the server, confirm the identity is no longer in the pending state.
$ lxc auth identity list
+-----------------------+--------------------+----------+------------+--------+
| AUTHENTICATION METHOD | TYPE               | NAME     | IDENTIFIER | GROUPS |
+-----------------------+--------------------+----------+------------+--------+
| tls                   | Client certificate | myclient | f73ff01... |        |
+-----------------------+--------------------+----------+------------+--------+
Similar to OIDC identities, TLS identities can be added to groups, which allows configuring permissions for granular actions on specific LXD resources. To demonstrate, let's create a new group mygroup, add the previously created TLS identity to it, and restrict its access to viewing a single instance named c1 in project default.
# Create a new group.
lxc auth group create mygroup
# Add the previously created TLS identity to the group.
lxc auth identity group add tls/<identifier> mygroup
# Restrict group permission to view, but not edit, an instance named "c1"
# in project "default".
lxc auth group permission add mygroup instance c1 can_view project=default
Documentation: How to expose LXD to the network - Authenticate with the LXD server and Remote API authorization - Fine-grained authorization
Bugfixes
- Fixed an issue where the remote server certificate was accepted without validation when adding a remote server in lxc using a trust token and the --accept-certificate flag. Now, the certificate fingerprint from the trust token is always used to validate the remote server certificate, and the --accept-certificate flag can no longer be used when a trust token is provided.
- Fixed an issue where a bridge network with a specified VLAN ID could not be used as the uplink for an OVN network.
- Improved network allocations view to show the network each allocation belongs to.
- Fixed an issue where LXD agent showed redundant API metrics entries.
- LXD now allows an IPv6 subnet to be smaller than /64 when stateful DHCPv6 is enabled, or when DHCP is completely disabled.
- Fixed an issue where multicast traffic was masqueraded even when it remained within the same network.
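The first bugfix above changes how lxc remote add treats a trust token: the fingerprint carried in the token pins the server certificate, and --accept-certificate is refused alongside a token. As an added illustration written for this post (not LXD's own code), the check below models that logic in Python; it assumes the token is base64-encoded JSON carrying client_name, fingerprint (hex SHA-256 of the server certificate), addresses, secret and expires_at, as the client-certificate trust token does, and the certificate bytes and token are constructed.

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

def decode_trust_token(token: str) -> dict:
    """Trust token = base64-encoded JSON. Assumed fields, as in the client
    certificate trust token: client_name, fingerprint (hex SHA-256 of the
    server certificate), addresses, secret, expires_at (RFC 3339, UTC)."""
    return json.loads(base64.b64decode(token))

def cert_fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, the form lxc prints."""
    return hashlib.sha256(cert_der).hexdigest()

def parse_rfc3339_utc(value: str) -> datetime:
    # Go may emit nanosecond fractions and fromisoformat takes at most six
    # digits, so drop the fraction; assumes a trailing "Z" (UTC).
    base = value.split(".")[0].rstrip("Z")
    return datetime.fromisoformat(base).replace(tzinfo=timezone.utc)

def check_remote_add(token: str, cert_der: bytes, accept_certificate=False, now=None) -> str:
    """Return "ok" or the reason the remote is refused. Mirrors the fixed
    behaviour: the token's fingerprint always pins the server certificate,
    and --accept-certificate is rejected whenever a token is supplied."""
    if accept_certificate:
        return "--accept-certificate cannot be combined with a trust token"
    data = decode_trust_token(token)
    now = now or datetime.now(timezone.utc)
    if "expires_at" in data and parse_rfc3339_utc(data["expires_at"]) <= now:
        return "trust token has expired"
    if cert_fingerprint(cert_der) != data["fingerprint"]:
        return "server certificate fingerprint does not match the token"
    return "ok"

# Constructed sample input: neither a real certificate nor a real token.
FAKE_SERVER_CERT = b"constructed DER bytes standing in for the server certificate"
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "client_name": "myclient",
    "fingerprint": cert_fingerprint(FAKE_SERVER_CERT),
    "addresses": ["10.0.0.5:8443"],
    "secret": "constructed-secret",
    "expires_at": "2099-01-01T00:00:00Z",
}).encode()).decode()

if __name__ == "__main__":
    print(check_remote_add(SAMPLE_TOKEN, FAKE_SERVER_CERT))  # ok
    print(check_remote_add(SAMPLE_TOKEN, b"some other certificate"))
    print(check_remote_add(SAMPLE_TOKEN, FAKE_SERVER_CERT, accept_certificate=True))
```

Against a live server, cert_der would be the DER bytes obtained from the TLS handshake rather than the constructed placeholder.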
LXD UI
The semiotics of the LXD UI interface have been improved with revamped navigation and empty state icons. A new chip-style design now represents entities across overview pages, notifications, and other sections. These chips reuse familiar navigation icons to indicate entity types, making navigation more intuitive and helping users form a clearer mental model of entity relationships within LXD.
All changes
The items listed below are all of the work which happened over the past week and which will be included in the next release.
LXD
- lxc: Prevent accept-certificate flag when using trust token
- Rework remote add token usage with --accept-certificate
- Network: Add support for OVN uplink networks attached to a VLAN
- Auth: Creation of fine-grained TLS identities
- OVN external addresses on lxc network list-allocations
- Define endpoint entity type explicitly
- Backports (stable-5.21)
- Backports (stable-5.0)
- build(deps): bump github.com/openfga/openfga from 1.6.1 to 1.6.2
- gomod: Update deps
- build(deps): bump actions/upload-artifact from 4.4.2 to 4.4.3
- Improve API metrics logging
- lxd/network: IPv6 CIDR size checks fixes
- Firewall: Don’t masquerade multicast traffic
- github: move make doc-linkcheck back to doc
- Makefile: stop testing with flake8 during static-analysis
- Backports (stable-5.21)
- Network: Allow OVN subnets smaller than /64 when stateful DHCPv6 is enabled
- Makefile: opportunistically run yamllint against GH workflows
- lxc storage volume copy/move shell completion fixes
- doc: fix minor typos
- github: use shorter job names for Trivy scanning
- doc: embed discourse post title as link text
- api: Add network_ovn_uplink_vlan API extension
- Backports (stable-5.21)
- Backports (stable-5.0)
- Network: Fix incorrect handling of instances in UsedByInstanceDevices
- Backports (stable-5.0)
- Fix profile typo
LXD UI
- feat: improve permission selector [WD-15106]
- feat: apply resource link and label components to notifications [WD-15624]
- chore(deps): update dependency vanilla-framework to v4.17.1
- fix: un-select items when closing permission side panels
- feat: Add resource link and label components [WD-15623]
- Prevent local volume attach to instances on another cluster member
- Remove project parameter from storage pool api
- feat: semiotics update overview pages [WD-15624]
- feat: general semiotics improvements [WD-15264]
- feat(security) add trivy scan
- fix: don’t wait for slow page load network events in e2e
LXD Charm
- Nothing to report this week
LXD Terraform provider
- Nothing to report this week
PyLXD
- Nothing to report this week
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week.