Weekly status for the week of 27th January to 2nd February.
Introduction
This past week, LXD received several new features, including improved profile listing with customizable columns and support for fetching profiles across all projects. Additionally, the maximum number of uplink IPs consumed by OVN networks can now be limited on a per-uplink network basis within a project.
Thanks to all the contributors!
Return entitlements as part of LXD entities
When querying /1.0/auth/identities/current, the response now contains a fine_grained field indicating whether the current identity interacting with the LXD API is fine-grained. A fine-grained identity is one whose permissions are managed via group membership.
Additionally, LXD entities can now be returned with an access_entitlements field if the current identity is fine-grained and the request to fetch the LXD entities has the with-access-entitlements=<comma_separated_list_of_candidate_entitlements> query parameter.
This allows for seeing what additional entitlements the requesting user has on the entities being listed. This feature is intended to improve the user experience in the LXD UI once support for it lands there soon.
Example:
lxc project create test-project
lxc auth group permission add test-group project test-project can_view
lxc auth group permission add test-group project test-project can_edit
lxc auth group permission add test-group project test-project can_delete
# Get the project with its entitlements providing a list of
# candidate entitlements we'd like to check
lxc query "oidc:/1.0/projects/test-project?with-access-entitlements=can_view,can_edit,can_delete"
{
  "access_entitlements": ["can_delete","can_edit","can_view"],
  "config": { ... },
  "description": "Default LXD project",
  "name": "default",
  "used_by": [ ... ]
}
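As an added example (not LXD's own code), the following Go sketch builds the request path with the with-access-entitlements parameter and compares the returned access_entitlements against the set an identity is expected to hold, which is useful for a least-privilege review. The function names entitlementsPath and diffEntitlements and the sample body are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// entitlementsPath puts the candidates in a real, encoded query string ("?").
func entitlementsPath(project string, candidates []string) string {
	q := url.Values{"with-access-entitlements": {strings.Join(candidates, ",")}}
	return "/1.0/projects/" + url.PathEscape(project) + "?" + q.Encode()
}

// diffEntitlements compares the reported access_entitlements with the set the
// identity is expected to hold: excess = over-privilege, missing = not granted.
func diffEntitlements(body []byte, expected []string) (excess, missing []string, err error) {
	var entity struct {
		AccessEntitlements []string `json:"access_entitlements"`
	}
	if err = json.Unmarshal(body, &entity); err != nil {
		return nil, nil, fmt.Errorf("decode entity: %w", err)
	}
	granted := map[string]bool{}
	for _, e := range entity.AccessEntitlements {
		granted[e] = true
	}
	want := map[string]bool{}
	for _, e := range expected {
		want[e] = true
		if !granted[e] {
			missing = append(missing, e)
		}
	}
	for e := range granted {
		if !want[e] {
			excess = append(excess, e)
		}
	}
	sort.Strings(excess) // map iteration order is random
	return excess, missing, nil
}

func main() {
	body := []byte(`{"access_entitlements":["can_delete","can_edit","can_view"]}`) // constructed
	fmt.Println(entitlementsPath("test-project", []string{"can_view", "can_edit", "can_delete"}))
	fmt.Println(diffEntitlements(body, []string{"can_view"}))
}
```

Only entitlements named in the candidate list are checked, so the request must name every entitlement the review should cover.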
Per-network project uplink IP limits
Added a new project limit that restricts the maximum number of uplink IPs allowed for a specific network within a project.
lxc project set <project> limits.network.uplink_ips.ipv{4,6}.<network> <max>
# Example:
lxc project set my-project limits.network.uplink_ips.ipv4.lxdbr 5
Documentation: Reference - Project limits
List profiles in all-projects and with selected columns (from Incus)
Added support for listing profiles across all projects using the --all-projects flag.
lxc profile list --all-projects
Additionally, only specific columns can be displayed when listing profiles using the --columns flag.
# Column shorthand chars:
# n - Profile Name
# d - Description
# u - Used By
lxc profile list --columns ndu
LXD UI
A community request suggested adding memory and disk consumption graphs and information directly to the instance list. As this data is rather heavy to fetch, we decided to make the two columns opt-in via the table configuration toggle rather than enabling them by default. At the same time, we started to split memory usage into cached and used memory, with cached memory shown in a lighter colour than used memory.
Bug Fixes
- Fixed an issue where backup name validation was not always enforced, allowing usage of disallowed substrings such as "/" and "..".
- Storage information now always displays a size of 0 for unbound volumes.
- Added CLI auto-completion for cluster member configuration keys.
- Fixed an issue where the CDI devices were not properly cleaned up on start, which prevented containers with CDI GPU from starting after forceful host shutdown.
- Fixed an issue where LXD relied on the optional field verification_uri_complete to be returned from the authorization server. LXD now falls back to verification_uri if verification_uri_complete is not provided.
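The verification_uri fallback from the last fix, as an added Go example that is not LXD's client code: in the OAuth 2.0 device authorization response (RFC 8628, section 3.2) verification_uri is required while verification_uri_complete is optional, so a client has to handle its absence. The type and function names, the scheme check and the sample response are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// deviceAuthResponse holds the RFC 8628 section 3.2 fields used here.
type deviceAuthResponse struct {
	DeviceCode              string `json:"device_code"`
	UserCode                string `json:"user_code"`
	VerificationURI         string `json:"verification_uri"`          // REQUIRED
	VerificationURIComplete string `json:"verification_uri_complete"` // OPTIONAL
}

// prompt is what a CLI would show the user (hypothetical type).
type prompt struct {
	URL      string // page to open
	UserCode string // code to compare or type
	TypeCode bool   // true when URL does not embed the code
}

// loginPrompt picks the verification URL, falling back to verification_uri
// when the optional verification_uri_complete is absent.
func loginPrompt(body []byte) (prompt, error) {
	var r deviceAuthResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return prompt{}, fmt.Errorf("decode device authorization response: %w", err)
	}
	if r.DeviceCode == "" || r.UserCode == "" || r.VerificationURI == "" {
		return prompt{}, errors.New("device authorization response lacks a required field")
	}
	target, typeCode := r.VerificationURIComplete, false
	if target == "" {
		target, typeCode = r.VerificationURI, true
	}
	// Extra check of this example: only hand http(s) URLs to a browser.
	u, err := url.Parse(target)
	if err != nil || (u.Scheme != "https" && u.Scheme != "http") || u.Host == "" {
		return prompt{}, fmt.Errorf("refusing verification URL %q", target)
	}
	return prompt{URL: target, UserCode: r.UserCode, TypeCode: typeCode}, nil
}

func main() {
	// Constructed response from an authorization server that omits the optional field.
	fmt.Println(loginPrompt([]byte(`{"device_code":"dc-constructed","user_code":"WDJB-MJHT","verification_uri":"https://idp.example/device"}`)))
}
```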
All changes
The items listed below are all of the work that happened over the past week and that will be included in the next release.
LXD
- Per-project uplink IP quotas
- Storage: Add NVMe and SDC storage connectors
- auth: Add entitlements to LXD entities (part 2: Enrich LXD resources with entitlements)
- Storage: Use zero for unbound volumes’ total size on the API
- client: Fall back to OIDC verification_uri
- cloud-init: Address cloud-init misconceptions
- build(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63
- build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4
- build(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63
- build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4
- build(deps): bump github.com/NVIDIA/nvidia-container-toolkit from 1.17.3 to 1.17.4
- build(deps): bump github/codeql-action from 3.28.1 to 3.28.5
- build(deps): bump actions/setup-go from 5.2.0 to 5.3.0
- build(deps): bump google.golang.org/protobuf from 1.36.3 to 1.36.4
- build(deps): bump github.com/NVIDIA/nvidia-container-toolkit from 1.17.3 to 1.17.4
- build(deps): bump github.com/miekg/dns from 1.1.62 to 1.1.63
- build(deps): bump github/codeql-action from 3.28.1 to 3.28.5
- build(deps): bump actions/setup-go from 5.2.0 to 5.3.0
- Storage: PowerFlex fixes and improvements
- shared/util: set the path variable provided to the editor
- Projects: Deny restricting a project that is using a forbidden uplink
- Properly mark functions/fields as deprecated
- doc: add live-migration info, command syntax, misc improvements
- OIDC: Use proxy enabled HTTP client for relying party remote key set
- doc: doc: Fix typo in cloud-init docs
- Project: Pass context to database querying functions
- Documentation: Add missing swtpm package to installing from source section
- API: Add all projects support for profiles (from Incus)
- doc: revise/replace where VMs described as less featureful than containers
- doc: improve network forward docs pt1
- lxd: Entitlement enrichment for remaining API entities
- Storage: Remove context timeout upper limit in connectors utils
- doc(instance) fix cluster.evacuate doc block to avoid newlines in the generated metadata api response
- doc: increase linkcheck max rate limit timeout and retries
- doc: remove unsupported proxy connection types and improve wording
- CLI: Cluster member config key completions
- Backup: Add consistent name validation
- Device: Allow containers with CDI GPU to be restarted even after abrupt host shutdown
LXD UI
- feat: [WD-18264] CMS fields for storage pool source
- chore(deps): update dependency vanilla-framework to v4.20.2
- Show line and … for an ovn network that has an uplink with parent next to it to indicate further level of detail
- Show cpu and disk usage in instance list. distinguish memory cached and used
- Close side panel if panel instance was deleted
- chore(deps): update dependency vanilla-framework to v4.20.3
- Add cluster.evacuate as instance and profile configuration
LXD Charm
LXD Terraform provider
PyLXD
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week.