Weekly status #338

Weekly status for the week of 4th March to 10th March.


This past week we two roadmap features; fine grained authorization for OIDC users and support for optimized refresh for Ceph RBD block volumes as well as many improvements in our progress towards the LXD 5.21.0 LTS release.

Fine grained authorization for OIDC users

As part of our ongoing work to modernise LXD’s identity and access management mechanisms, we have now added support for fine-grained authorization for OIDC authenticated users. It is now possible to define and restrict granular actions on specific LXD resources. For example, one could restrict a user to be able to view, but not edit, a single instance.

Users, groups and their permissions can now be managed using the the new lxc auth command (and associated APIs).

Prior to the addition of this extension, all OIDC clients were given full access to LXD (equivalent to Unix socket access). This extension revokes access to all OIDC clients. To regain access, a user must:

  1. Make a call to the OIDC enabled LXD remote (e.g. lxc info) to ensure that their OIDC identity is added to the LXD database.
  2. Create a group: lxc auth group create <group_name>
  3. Grant the group a suitable permission. As all OIDC clients prior to this extension have had full access to LXD, the corresponding permission is admin on server. To grant this permission to your group, run: lxc auth group permission add <group_name> server admin
  4. Add themselves to the group. To do this, run: lxc auth identity group add oidc/<email_address> <group_name>

Steps 2 to 4 above cannot be performed via OIDC authentication (because access has been revoked). They must be performed by a sufficiently privileged user, either via Unix socket or unrestricted TLS client certificate.

Documentation: Remote API authorization

Optimized block volume refresh for Ceph RBD

Previously when transferring a block volume to another pool or host the initial transfer was done using the efficient rbd export-diff tool but subsequent refreshes were performed using a full block copy of all changed snapshots and the main volume itself. This was slow and inefficient.

Now a new migration extension has been added called RBD_AND_RSYNC which allows for compatible LXD servers to use rbd export-diff for efficiently transferring only the differences between the latest common snapshot and the remaining snapshots and main volume.

Transfers between older versions of LXD will fallback to using full block copy and rsync (BLOCK_AND_RSYNC).


VM disk I/O limit support (from Incus)

Added support for specifying limits.max, limits.read and limits.write on disk devices for VMs.
This adds the API extension vm_disk_io_limits.

Documentation: Configure I/O limits

Reference settings documentation built from code comments

The documentation reference pages have now been fully converted to generate the specific settings entries from code comments. This also allows for direct linking to a specific setting entry.

Current identity info

Added the lxc auth identity info command and associated GET /1.0/auth/identities/current API endpoint in order to ascertain information about the currently authenticated user including the effective permissions and group assignments.

Documentation: Get the current identity

Minimum Go version increased to 1.22.0

The minimum version of Go to build LXD has been increased to 1.22.0.

Documentation: Requirements

Unembedded Go SDK client API PUT structs

Previously the Go SDK client API structs used when returning information about each entity in LXD via a GET request had the associated PUT request fields embedded inside it. However there were some cases where fields in the PUT request struct were not relevant for the associated GET request struct and were incorrectly being included there due to the embedding approach. We have now unembedded all Go API structs so that each request type has its own field set.

Bug fixes

  • Reject limit.kernel.* for VMs.
  • Auth: Handle dangling permissions, filter out identities, groups and, identity provider groups that the requester cannot view.
  • Various fixes for Github security scanner - although none of them were actual security issues due to prior checks that were not considered by the scanner.

All changes

The items listed below is all of the work which happened over the past week and which will be included in the next release.


LXD Charm

Distribution work

This section is used to track the work done in downstream Linux distributions to ship the latest LXD as well as work to get various software to work properly inside containers.


  • Nothing to report this week.


LXD snap

  • Nothing to report this week