Weekly status #338

Weekly status for the week of 4th March to 10th March.

Introduction

This past week we completed two roadmap features, fine-grained authorization for OIDC users and optimized refresh for Ceph RBD block volumes, as well as many improvements in our progress towards the LXD 5.21.0 LTS release.

Fine-grained authorization for OIDC users

As part of our ongoing work to modernise LXD’s identity and access management mechanisms, we have now added support for fine-grained authorization for OIDC authenticated users. It is now possible to define and restrict granular actions on specific LXD resources. For example, one could restrict a user to be able to view, but not edit, a single instance.

Users, groups and their permissions can now be managed using the new lxc auth command (and associated APIs).

Important:
Prior to the addition of this extension, all OIDC clients were given full access to LXD (equivalent to Unix socket access). This extension revokes access from all OIDC clients. To regain access, a user must:

  1. Make a call to the OIDC enabled LXD remote (e.g. lxc info) to ensure that their OIDC identity is added to the LXD database.
  2. Create a group: lxc auth group create <group_name>
  3. Grant the group a suitable permission. As all OIDC clients prior to this extension have had full access to LXD, the corresponding permission is admin on server. To grant this permission to your group, run: lxc auth group permission add <group_name> server admin
  4. Add themselves to the group. To do this, run: lxc auth identity group add oidc/<email_address> <group_name>

Steps 2 to 4 above cannot be performed via OIDC authentication (because access has been revoked). They must be performed by a sufficiently privileged user, either via Unix socket or unrestricted TLS client certificate.
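The four steps above, as an added shell script (not part of this post or of LXD itself) intended to be run by the privileged operator over the Unix socket or with an unrestricted TLS client certificate. It refuses to proceed if the OIDC identity has not yet been recorded (step 1 not done), restores the pre-extension level of access (admin on server), and also shows the least-privilege alternative the intro mentions: view-only access to a single instance. Assumptions not stated in the post: `lxc auth identity list` exists and prints the identity's e-mail address, and the instance-level entitlement syntax (`instance <name> can_view project=<project>`) follows the LXD auth documentation; check both against your LXD version.

```shell
#!/bin/sh
# Re-grant access to an OIDC identity after the fine-grained authorization
# extension revoked all OIDC access. Added example, not LXD's own tooling.
# Must run as a sufficiently privileged user (Unix socket or unrestricted TLS
# client certificate): OIDC clients cannot perform these steps for themselves.
set -eu

# Command used to talk to LXD. Overridable so the script can be dry-run
# (LXC=echo) without touching a real server.
LXC="${LXC:-lxc}"

# Step 1 is done by the user from the OIDC remote (e.g. "lxc info <remote>:").
# Refuse to continue if the identity is not in the database yet, otherwise
# step 4 fails with an unknown identity. Assumes "lxc auth identity list"
# prints the identity's e-mail address.
require_identity() {
    email="$1"
    if ! $LXC auth identity list | grep -q "$email"; then
        echo "identity oidc/$email not found; have that user run 'lxc info <oidc-remote>:' first" >&2
        return 1
    fi
}

# Restore what every OIDC client had before this extension: admin on server.
# Group creation is tolerated failing so the script can be re-run after a
# partial earlier attempt.
grant_server_admin() {
    group="$1"; email="$2"
    $LXC auth group create "$group" 2>/dev/null || true   # step 2
    $LXC auth group permission add "$group" server admin   # step 3
    $LXC auth identity group add "oidc/$email" "$group"    # step 4
}

# Least-privilege alternative for users who do not need admin: allow the
# group to view one instance in one project and nothing else.
# Entitlement syntax assumed from the LXD auth docs (instance <name> can_view
# project=<project>); verify against your version.
grant_instance_viewer() {
    group="$1"; email="$2"; instance="$3"; project="${4:-default}"
    $LXC auth group create "$group" 2>/dev/null || true
    $LXC auth group permission add "$group" instance "$instance" can_view "project=$project"
    $LXC auth identity group add "oidc/$email" "$group"
}

# Usage: ./regrant.sh <group> <email>   (restores full admin access)
if [ $# -ge 2 ]; then
    require_identity "$2"
    grant_server_admin "$1" "$2"
fi
```

After running it, have the OIDC user confirm the result from their own remote with the new lxc auth identity info command described later in this post, which reports the identity's groups and effective permissions; an empty permission set means the identity was never added to the group.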

Documentation: Remote API authorization

Optimized block volume refresh for Ceph RBD

Previously, when transferring a block volume to another pool or host, the initial transfer used the efficient rbd export-diff tool, but subsequent refreshes performed a full block copy of every changed snapshot and of the main volume itself. This was slow and inefficient.

A new migration type, RBD_AND_RSYNC, has now been added. It allows compatible LXD servers to use rbd export-diff to transfer only the differences between the latest common snapshot and the remaining snapshots and main volume.

Transfers involving older versions of LXD fall back to a full block copy plus rsync (BLOCK_AND_RSYNC).

Documentation:

VM disk I/O limit support (from Incus)

Added support for specifying limits.max, limits.read and limits.write on disk devices for VMs.
This adds the API extension vm_disk_io_limits.

Documentation: Configure I/O limits

Reference settings documentation built from code comments

The documentation reference pages have now been fully converted to generate the specific settings entries from code comments. This also allows for direct linking to a specific setting entry.

Current identity info

Added the lxc auth identity info command and the associated GET /1.0/auth/identities/current API endpoint, which return information about the currently authenticated identity, including its group assignments and effective permissions.

Documentation: Get the current identity

Minimum Go version increased to 1.22.0

The minimum version of Go to build LXD has been increased to 1.22.0.

Documentation: Requirements

Unembedded Go SDK client API PUT structs

Previously, the Go SDK API structs returned for each LXD entity via a GET request embedded the fields of the corresponding PUT request struct. In some cases, fields of the PUT struct were not relevant to the GET struct and were incorrectly included there because of the embedding. All Go API structs have now been unembedded so that each request type has its own field set.

Bug fixes

  • Reject limits.kernel.* for VMs.
  • Auth: Handle dangling permissions; filter out identities, groups and identity provider groups that the requester cannot view.
  • Various fixes for findings from the GitHub security scanner. None were actual security issues, because checks earlier in the affected code paths, which the scanner did not take into account, already prevented the reported conditions.

All changes

The items listed below are all of the work which happened over the past week and which will be included in the next release.

LXD

LXD Charm

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.

Ubuntu

  • Nothing to report this week.

Snap

LXD snap

  • Nothing to report this week.