From 9485dc56bd5ad9ba03b8b8d0e2a387e1cb5e066e Mon Sep 17 00:00:00 2001
From: Wesley Hershberger <wesley.hershberger@canonical.com>
Date: Fri, 22 Nov 2024 16:50:41 -0600
Subject: [PATCH] lxd/storage: Check disabling security.shared on
 virtual-machine volumes

If a virtual-machine volume is attached to more than one instance, don't
allow removing security.shared.

Signed-off-by: Wesley Hershberger <wesley.hershberger@canonical.com>
---
 lxd/storage/backend_lxd.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lxd/storage/backend_lxd.go b/lxd/storage/backend_lxd.go
index 8f648464a1ab..df5311547e77 100644
--- a/lxd/storage/backend_lxd.go
+++ b/lxd/storage/backend_lxd.go
@@ -2920,6 +2920,13 @@ func (b *lxdBackend) UpdateInstance(inst instance.Instance, newDesc string, newC
 			return fmt.Errorf(`Instance volume "volatile.uuid" property cannot be changed`)
 		}
 
+		if shared.IsFalseOrEmpty(changedConfig["security.shared"]) && volDBType == cluster.StoragePoolVolumeTypeVM {
+			err = allowRemoveSecurityShared(b.state, inst.Project().Name, &curVol.StorageVolume)
+			if err != nil {
+				return err
+			}
+		}
+
 		// Load storage volume from database.
 		dbVol, err := VolumeDBGet(b, inst.Project().Name, inst.Name(), volType)
 		if err != nil {