Weekly status for the week of 26th February to 3rd March.

Introduction

This past week saw progress with regards to the forthcoming fine grained authorization functionality with a set of new APIs being merged that allow management of identities, permissions and groups.

We also continue our work towards the next LTS release series by updating the minimum Go version and updating our documentation to cover the removal of supplementary tooling (such as lxd-benchmark and lxc-to-lxd) from the snap package.

Additionally the security.syscalls.(black|white)list keys that were considered offensive and have previously been deprecated since LXD 4.4 have now been removed entirely. The security.syscalls.(allow|deny)list keys should be used instead.

Bug fixes

• Fixed file handle to VM cloud-init config drive ISO being left open longer than needed which was preventing clean VM stop when using LVM storage driver and the cloud-init config drive.
• Updated error messaging containing message to deprecated feature ceph.osd.force_reuse.
• Fixed regression in error handling in OVN network peer creation after refactor to reduce number of transactions being opened.
• Fixed bug in storage volume management API endpoints to always check the requested project exists rather than passing it directly to the storage layer in order to ensure malicious project names are not used directly by the storage subsystem.

All changes

The items listed below is all of the work which happened over the past week and which will be included in the next release.

LXD

• Instance: Set migration.stateful=true be default when creating a new VM
• Auth: Authorization APIs
• Drop offending legacy config names for syscall filtering
• Prepare for lxd-benchmark to not be shipped in the snap
• build(deps): bump github.com/canonical/candid from 1.12.2 to 1.12.3
• DB: Fix query for profile URLs by project name.
• DB: Adds database representation of server, network_zone, and image_alias entity types.
• DB: Preemptively fix schema update unit test.
• CI improvements
• github: switch to canonical/has-signed-canonical-cla@main
• doc: remove old reference to liblxc 4.0.0 being supported
• lxd/apparmor/pyuefivars: allow reading bin/ directory
• Auth: Notify cluster members of new or updated OIDC identities
• test: Increase minio storage bucket test file size to 5MB
• Auth: Correctly return authentication error.
• gomod: Update dependencies and switch minimum version to go 1.21
• doc/instances: clarify how to override device options during creation
• doc/api: pin Swagger version
• lxd/db: Don’t propagate expected errors
• Set minimum Go version to 1.21.5 to accomodate forthcoming openga package
• DB: Clarify entity URL to ID SQL queries.
• VM: Don’t leak file descriptor when probing for Direct I/O support
• DB: Add columns to identities table for auditing.
• Storage: Pass custom storage volume snapshots in the right order
• Auth: Set OIDC relying party HTTP client to comply with proxy configuration.
• API: Change authorization_apis extension name to access_management.
• doc/howto/migrate_from_lxc: 5.0 is the last LTS release shipping lxd.lxc-to-lxd
• github: don’t test against go-tip on push events
• VM: Don’t leak file descriptor when probing for Direct I/O support (stable-5.0)
• DB: Fix query for storage volume snaphot
• Images: Fix potential race condition, improve error message and context support
• API: Ensure request project name isn’t passed to storage layer directly
• Storage: remove reference to “ceph.osd.force_reuse”

LXD Charm

• github: add pip management to dependabot

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.

Ubuntu

• Nothing to report this week.

Snap

LXD snap

• Drop lxc-to-lxd binary from the snap
• github: Use go 1.22
• lxd: Cherry-pick upstream bugfixes (5.0-candidate)
• Revert “Revert “snapcraft: have dqlite build raft””
• Drop lxd-benchmark from the snap
• lxd: Cherry-pick upstream bugfixes (5.0-candidate)
• Fallback to directly symlinking from MicroOVN
• Sync from latest/edge (latest-candidate)