Weekly status for the week of 24th March to 30th March.

Introduction

The highlight of the past week in LXD is added support for BPF Token delegation inside containers. Several bugs were also fixed, further improving LXD’s stability. Last but not least, LXD UI received several new features, including SSH key management and security.csm configuration for instances and profiles.

Thanks to all contributors!

BPF token support

LXD now supports enabling BPF Token delegation for containers. This allows containerized applications to access BPF syscall commands like BPF_PROG_LOAD by using a BPF Token they can make from a mounted BPF file system (BPFFS), provided the kernel supports BPF Tokens (Linux ≥ 6.9). Configuration is customizable via instance options and allows to specify which commands, maps, programs, and attach types are available inside the container.

LXD documentation provides an example where a socket filter is configured using BPF Token delegation.

Documentation: Privilege delegation using BPF Token

Bug Fixes

• Fixed an issue where snapshots didn’t get profiles applied during instance copy and used creation-time profiles instead.

• Fixed an issue where updates to ceph.osd.pg_num were not applied to the actual storage subsystem. Also, ceph.cluster_name and ceph.osd.pool_name are now immutable after pool creation to prevent breakage.

• The admin group with admin permissions is now created on LXD install, simplifying UI onboarding by ensuring it’s always present.

• Disabled post-quantum curves for simplestream remotes to avoid ClientHello message splitting, which can trigger connection reset by peer errors when interacting with simplestream remotes, such as images: or ubuntu:. This is a temporary mitigation to workaround broken middleboxes breaking standard compliant TLS connections. For more information on this problem, please see tldr.fail.

• Fixed an issue where importing images smaller than 512B resulted in unwritable images. Image size is now rounded up to 512B.

• Fixed regression in nftables port range rule where a missing - broke the generated rules.

LXD UI

• Added SSH key management for instance and profile configurations.

• Enhanced the onboarding flow with a new user type that supports limited permissions.

• Introduced the security.csm configuration key for instance and profile configurations.

• Various fixes, including improved mouse position accuracy on smaller screens in the browser graphics console.

All changes

The items listed below is all of the work which happened over the past week and which will be included in the next release.

LXD

• Container: BPF token support
• lxd: Fix target profile on snapshot copy
• update: [WD-18946] storage-pool-docs-update
• Storage: Fix persisting Ceph RBD config
• create admin group with server admin permission on install
• doc: minor revisions to keycloak docs
• VM: Use full device name in qemu’s device_id
• doc: hard-code additional link titles
• feat(doc): add steps to verify lxd host support for vms
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0
• build(deps): bump actions/cache from 4.2.2 to 4.2.3
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12
• build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• build(deps): bump github.com/miekg/dns from 1.1.63 to 1.1.64
• build(deps): bump github.com/miekg/dns from 1.1.63 to 1.1.64
• build(deps): bump github.com/pkg/sftp from 1.13.7 to 1.13.8
• build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
• build(deps): bump google.golang.org/protobuf from 1.36.5 to 1.36.6
• build(deps): bump github.com/miekg/dns from 1.1.63 to 1.1.64
• build(deps): bump actions/cache from 4.2.2 to 4.2.3
• build(deps): bump actions/setup-go from 5.3.0 to 5.4.0
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• build(deps): bump actions/download-artifact from 4.1.9 to 4.2.1
• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12
• github: Update golangci-lint and migrate config to new format
• client/connection: use LegacyCurvesOnly for simplestreams connections
• Storage: Fix import of iso images smaller than 512B on ceph
• Backports (stable-5.21)
• github: add issue form and template configuration
• Firewall: Fix regression in nftables port range rules
• lint: Fix new warnings from switching to golangci-lint v2
• github: add feature request issue form
• doc: add localhost:8080 to linkcheck_ignore
• Small adjustments on top of BPF Token support PR
• meta/instance-types: drop now unused instance types
• doc: show annotations in microcloud docs integration
• Prepare for ubuntu-24.04 runners
• Lower log level of error messages when checking disk usage fails
• doc: Fix swagger definition for POST /1.0/auth/identities/tls

LXD UI

• Add ssh key configuration for instance edit WD-19727
• feat: [WD-19725] TLS Onboarding Refinement
• fix custom iso volumes in clusters
• Show warning on deleting the identity that is currently logged in
• Add security.csm configuration to profiles and instances
• Update vite and vitest
• Avoid infinite render loop on empty image list
• Detect custom image for operation relating to an image in a non-default project
• Snapshot fixes
• Use link instead of anchor to avoid full page load
• chore(deps): update dependency vanilla-framework to v4.22.0
• chore(deps): update dependency vite to v6.2.3 [security]
• feat(ssh) design fixes for ssh keys
• fix(instance) mouse position should be scaled if the guest os is not responsive
• chore(deps): update dependency @canonical/react-components to v2.2.0

LXD Charm

• Update charm libs
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2

LXD Terraform provider

• build(deps): bump github.com/hashicorp/terraform-plugin-testing from 1.11.0 to 1.12.0 in the hashicorp group
• Fix cluster tests and linter
• glangci-lint: Remove unnecessary exclusions

PyLXD

• build(deps): bump github/codeql-action from 3.28.11 to 3.28.12

LXD snap

• snapcraft/qemu: Add QEMU patches for better error handling
• lxd-qemu-snap: bump QEMU/virglrenderer versions
• daemon.start: drop broken code around /dev/pts handling
• Micro optimisations
• chore(deps): update actions/upload-artifact action to v4.6.2 - autoclosed
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• github: move renovate config and disable this bot
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• build(deps): bump actions/upload-artifact from 4.6.1 to 4.6.2
• lxd: Cherry-pick fixes (latest-candidate)
• lxd-ui: update 0.15.1 tag (5.21-candidate)
• zfs-2-3: new part for compat with 25.04 kernel
• zfs-2-3: new part for compat with 25.04 kernel (latest-candidate)
• zfs-2-3: new part for compat with 25.04 kernel (5.21-edge)
• lxd-ui: update 0.15.1 tag to include additional fixes (5.21-candidate)
• zfs-2-3: new part for compat with 25.04 kernel (5.21-candidate)