Weekly status for the week of 4th March to 10th March.
Introduction
This past week we delivered two roadmap features, fine-grained authorization for OIDC users and optimized refresh for Ceph RBD block volumes, as well as many improvements in our progress towards the LXD 5.21.0 LTS release.
Fine grained authorization for OIDC users
As part of our ongoing work to modernise LXD’s identity and access management mechanisms, we have now added support for fine-grained authorization for OIDC authenticated users. It is now possible to define and restrict granular actions on specific LXD resources. For example, one could restrict a user to be able to view, but not edit, a single instance.
Users, groups and their permissions can now be managed using the new lxc auth command (and associated APIs).
Important:
Prior to the addition of this extension, all OIDC clients were given full access to LXD (equivalent to Unix socket access). This extension revokes access to all OIDC clients. To regain access, a user must:
1. Make a call to the OIDC enabled LXD remote (e.g. lxc info) to ensure that their OIDC identity is added to the LXD database.
2. Create a group: lxc auth group create <group_name>
3. Grant the group a suitable permission. As all OIDC clients prior to this extension have had full access to LXD, the corresponding permission is admin on server. To grant this permission to your group, run: lxc auth group permission add <group_name> server admin
4. Add themselves to the group. To do this, run: lxc auth identity group add oidc/<email_address> <group_name>
Steps 2 to 4 above cannot be performed via OIDC authentication (because access has been revoked). They must be performed by a sufficiently privileged user, either via Unix socket or unrestricted TLS client certificate.
Documentation: Remote API authorization
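To make the identity, group and permission chain above concrete, here is a small Go model written for this post; it is not LXD's own code (LXD uses the embedded OpenFGA driver listed under All changes). It assumes constructed identity and instance names (oidc/alice@example.com, web1) and reduces entitlements to plain strings, but it shows why an OIDC identity in no group has no access and how admin on server restores everything.

```go
package main

// Constructed model of LXD-style fine-grained authorization (not LXD's code): an
// identity belongs to groups, a group holds permissions, and a permission is one
// entitlement on one entity. "admin" on the server entity implies everything.
type Entity struct{ Type, Name string } // e.g. {"server", ""} or {"instance", "web1"}

type Permission struct {
	Entitlement string // e.g. "admin", "can_view", "can_edit"
	Entity      Entity
}

type Authorizer struct {
	groups     map[string][]Permission // group name -> granted permissions
	membership map[string][]string     // identity (e.g. "oidc/alice@example.com") -> groups
}

func NewAuthorizer() *Authorizer {
	return &Authorizer{groups: map[string][]Permission{}, membership: map[string][]string{}}
}

// Mirrors: lxc auth group create <group_name>
func (a *Authorizer) CreateGroup(name string) { a.groups[name] = []Permission{} }

// Mirrors: lxc auth group permission add <group_name> server admin (entity, then entitlement)
func (a *Authorizer) GroupPermissionAdd(group string, e Entity, entitlement string) {
	a.groups[group] = append(a.groups[group], Permission{Entitlement: entitlement, Entity: e})
}

// Mirrors: lxc auth identity group add oidc/<email_address> <group_name>
func (a *Authorizer) IdentityGroupAdd(identity, group string) {
	a.membership[identity] = append(a.membership[identity], group)
}

// Check grants access only if a group the identity belongs to holds the entitlement on
// that exact entity, or holds admin on the server; an identity in no group gets nothing.
func (a *Authorizer) Check(identity, entitlement string, e Entity) bool {
	for _, g := range a.membership[identity] {
		for _, p := range a.groups[g] {
			if (p.Entitlement == "admin" && p.Entity.Type == "server") || (p.Entitlement == entitlement && p.Entity == e) {
				return true
			}
		}
	}
	return false
}
```

Run it with go test; the deny-by-default branch is the state every existing OIDC client is in right after upgrading, before the bootstrap steps above are done over the Unix socket.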
Optimized block volume refresh for Ceph RBD
Previously, when transferring a block volume to another pool or host, the initial transfer was done using the efficient rbd export-diff tool, but subsequent refreshes were performed using a full block copy of all changed snapshots and the main volume itself. This was slow and inefficient.
Now a new migration extension has been added called RBD_AND_RSYNC which allows compatible LXD servers to use rbd export-diff to efficiently transfer only the differences between the latest common snapshot and the remaining snapshots and main volume.
Transfers between older versions of LXD will fall back to using full block copy and rsync (BLOCK_AND_RSYNC).
Documentation:
VM disk I/O limit support (from Incus)
Added support for specifying limits.max, limits.read and limits.write on disk devices for VMs.
This adds the API extension vm_disk_io_limits.
Documentation: Configure I/O limits
Reference settings documentation built from code comments
The documentation reference pages have now been fully converted to generate the specific settings entries from code comments. This also allows for direct linking to a specific setting entry.
Current identity info
Added the lxc auth identity info command and associated GET /1.0/auth/identities/current API endpoint in order to ascertain information about the currently authenticated user, including the effective permissions and group assignments.
Documentation: Get the current identity
Minimum Go version increased to 1.22.0
The minimum version of Go to build LXD has been increased to 1.22.0.
Documentation: Requirements
Unembedded Go SDK client API PUT structs
Previously the Go SDK client API structs used when returning information about each entity in LXD via a GET request had the associated PUT request fields embedded inside it. However there were some cases where fields in the PUT request struct were not relevant for the associated GET request struct and were incorrectly being included there due to the embedding approach. We have now unembedded all Go API structs so that each request type has its own field set.
Bug fixes
- Reject limits.kernel.* for VMs.
- Auth: Handle dangling permissions, filter out identities, groups and identity provider groups that the requester cannot view.
- Various fixes for the GitHub security scanner, although none of them were actual security issues due to prior checks that were not considered by the scanner.
All changes
The items listed below are all of the work which happened over the past week and which will be included in the next release.
LXD
- Storage: Add optimized volume refresh for Ceph RBD
- Auth: Embedded OpenFGA authorization driver
- lxd-metadata: Annotate codebase for nic device config keys
- Auth: Handle dangling permissions
- VM: Add disk I/O limit support - from Incus
- lxd-metadata: Annotate codebase for disk device config keys
- lxd-metadata: Annotate codebase for unix-{char,block,hotplug,usb} device config keys
- lxd-metadata: Annotate codebase for gpu device config keys
- lxd-metadata: Annotate codebase for infiniband device config keys
- lxd-metadata: Annotate codebase for proxy device config keys
- lxd-metadata: Annotate codebase for tpm device config keys
- lxd-metadata: Annotate codebase for pci device config keys
- github: add codeql config to run on PRs
- build(deps): bump golang.org/x/crypto from 0.19.0 to 0.20.0
- build(deps): bump github.com/osrg/gobgp/v3 from 3.23.0 to 3.24.0
- build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0
- build(deps): bump github.com/osrg/gobgp/v3 from 3.23.0 to 3.24.0
- build(deps): bump github.com/minio/minio-go/v7 from 7.0.67 to 7.0.68
- build(deps): bump github.com/stretchr/testify from 1.8.4 to 1.9.0
- API: Ensure source project name isn’t passed to storage layer directly when copying/refreshing volumes
- lxd-metadata: Annotate codebase for bridge network config keys
- lxd-metadata: Annotate codebase for ovn network config keys
- lxd-metadata: Annotate codebase for macvlan network config keys
- Migration: Accept offered rsync features for BLOCK_AND_RSYNC
- lxd-metadata: Annotate codebase for physical network config keys
- lxd-metadata: Annotate codebase for sriov network config keys
- lxd-metadata: Annotate codebase for instance properties
- Auth: Fix entitlement for group list request.
- API: Unembed Put structs from Get structs
- Revert Migration: Accept offered rsync features for BLOCK_AND_RSYNC
- Github: Pin minio to RELEASE.2024-02-24T17-11-14Z to unblock edge builds
- Migration: Accept offered rsync features for BLOCK_AND_RSYNC (v2)
- Container: Remove LXD 3.7 rsync feature exception when doing live migration
- Set minimum Go version to 1.22.0 to accommodate OpenFGA.
- Auth: Fix query when setting the IdP group mapping
- Auth: Add GET /1.0/auth/identities/current.
- Use latest minio in test suite
- Auth: Filter out identities, groups and IdP groups that the requestor cannot view
- github: on push events, don’t include additional tests to the matrix
- Instance: Reject limits.kernel.* for VM config
- github: Restore testing latest stable version of go rather than go tip
- github: Removes downloading go tip as not needed
- Storage: Use volume name from the database in RefreshCustomVolume and CreateCustomVolumeFromCopy
- VM: Further fix linter fixes preventing copy to remote
- lxd/db/cluster: Actually swap argument order in SQL statement.
- Migration: Use volume name from DB in migrationSourceWs.DoStorage
- Network: Change protocol field for OVN ACL logs
- Migration: Revert adding rsync features for BLOCK_AND_RSYNC
- Storage: Ceph RBD followup
- Auth: Filter UsedBy results outside of transactions
- Auth: Improve error handling
- Auth: Identity cache improvements
- build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3 in /test/mini-oidc
- build(deps): bump github.com/go-jose/go-jose/v3 from 3.0.2 to 3.0.3
- PowerFlex: Unmap the volume before performing resize
- Auth: Openfga driver followup
- Incorrect integer conversion fixes
- Ceph: Send the actual block vol when migrating snapshot
- gomod: Dependency updates
- API: Documents all-projects parameter for storage volumes
LXD Charm
Distribution work
This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.
Ubuntu
- Nothing to report this week.
Snap
LXD snap
- Nothing to report this week.