lxd/instances: Check instance creation limits on target cluster member

If a malicious request sets `User-Agent: lxd-cluster-notifier`, project limits would not be checked. I don't see a way to reuse the transaction without including the instance placement scriptlet. Signed-off-by: Wesley Hershberger <[email protected]>
canonical · Aug 30, 2024 · aeeee30 · aeeee30
1 parent 2677eb6
commit aeeee30
Showing 1 changed file with 9 additions and 9 deletions.
diff --git a/lxd/instances_post.go b/lxd/instances_post.go
@@ -1240,15 +1240,6 @@ func instancesPost(d *Daemon, r *http.Request) response.Response {
 			}
 		}
 
-		if !clusterNotification {
-			// Check that the project's limits are not violated. Note this check is performed after
-			// automatically generated config values (such as ones from an InstanceType) have been set.
-			err = project.AllowInstanceCreation(s.GlobalConfig, tx, targetProjectName, req)
-			if err != nil {
-				return err
-			}
-		}
-
 		return nil
 	})
 	if err != nil {
@@ -1320,6 +1311,15 @@ func instancesPost(d *Daemon, r *http.Request) response.Response {
 		return operations.ForwardedOperationResponse(targetProjectName, &opAPI)
 	}
 
+	// Check that the project's limits are not violated. Note this check is performed after
+	// automatically generated config values (such as ones from an InstanceType) have been set.
+	err = s.DB.Cluster.Transaction(r.Context(), func(ctx context.Context, tx *db.ClusterTx) error {
+		return project.AllowInstanceCreation(s.GlobalConfig, tx, targetProjectName, req)
+	})
+	if err != nil {
+		return response.SmartError(err)
+	}
+
 	switch req.Source.Type {
 	case "image":
 		return createFromImage(s, r, *targetProject, profiles, sourceImage, sourceImageRef, &req)