canonical · tomponline · Aug 30, 2024 · Dec 29, 2023 · Dec 29, 2023 · Dec 29, 2023
diff --git a/Makefile b/Makefile
@@ -90,6 +90,7 @@ ifneq "$(LXD_OFFLINE)" ""
 	exit 1
 endif
 	go get -t -v -d -u ./...
+	go get github.com/dell/[email protected] # Due to pending testing of newer version
 	go get github.com/gorilla/[email protected] # Due to riscv64 crashes in LP
 	go mod tidy -go=$(GOMIN)
 

diff --git a/client/lxd_instances.go b/client/lxd_instances.go
@@ -723,6 +723,9 @@ func (r *ProtocolLXD) tryCreateInstance(req api.InstancesPost, urls []string, op
 	operation := req.Source.Operation
 
 	// Forward targetOp to remote op
+	chConnect := make(chan error, 1)
+	chWait := make(chan error, 1)
+
 	go func() {
 		success := false
 		var errors []remoteOperationResult
@@ -762,13 +765,35 @@ func (r *ProtocolLXD) tryCreateInstance(req api.InstancesPost, urls []string, op
 			break
 		}
 
-		if !success {
-			rop.err = remoteOperationError("Failed instance creation", errors)
+		if success {
+			chConnect <- nil
+			close(chConnect)
+		} else {
+			chConnect <- remoteOperationError("Failed instance creation", errors)
+			close(chConnect)
+
 			if op != nil {
 				_ = op.Cancel()
 			}
 		}
+	}()
+
+	if op != nil {
+		go func() {
+			chWait <- op.Wait()
+			close(chWait)
+		}()
+	}
+
+	go func() {
+		var err error
+
+		select {
+		case err = <-chConnect:
+		case err = <-chWait:
+		}
 
+		rop.err = err
 		close(rop.chDone)
 	}()
 
@@ -953,7 +978,12 @@ func (r *ProtocolLXD) CopyInstance(source InstanceServer, instance api.Instance,
 
 		targetSecrets := map[string]string{}
 		for k, v := range opAPI.Metadata {
-			targetSecrets[k] = v.(string)
+			vStr, ok := v.(string)
+			if !ok {
+				continue
+			}
+
+			targetSecrets[k] = vStr
 		}
 
 		// Prepare the source request
@@ -981,7 +1011,12 @@ func (r *ProtocolLXD) CopyInstance(source InstanceServer, instance api.Instance,
 
 	sourceSecrets := map[string]string{}
 	for k, v := range opAPI.Metadata {
-		sourceSecrets[k] = v.(string)
+		vStr, ok := v.(string)
+		if !ok {
+			continue
+		}
+
+		sourceSecrets[k] = vStr
 	}
 
 	// Relay mode migration
@@ -1001,7 +1036,12 @@ func (r *ProtocolLXD) CopyInstance(source InstanceServer, instance api.Instance,
 		// Extract the websockets
 		targetSecrets := map[string]string{}
 		for k, v := range targetOpAPI.Metadata {
-			targetSecrets[k] = v.(string)
+			vStr, ok := v.(string)
+			if !ok {
+				continue
+			}
+
+			targetSecrets[k] = vStr
 		}
 
 		// Launch the relay
@@ -1243,9 +1283,16 @@ func (r *ProtocolLXD) ExecInstance(instanceName string, exec api.InstanceExecPos
 
 	value, ok := opAPI.Metadata["fds"]
 	if ok {
-		values := value.(map[string]any)
-		for k, v := range values {
-			fds[k] = v.(string)
+		values, ok := value.(map[string]any)
+		if ok {
+			for k, v := range values {
+				vStr, ok := v.(string)
+				if !ok {
+					continue
+				}
+
+				fds[k] = vStr
+			}
 		}
 	}
 
@@ -1260,7 +1307,12 @@ func (r *ProtocolLXD) ExecInstance(instanceName string, exec api.InstanceExecPos
 		outputs, ok := opAPI.Metadata["output"].(map[string]any)
 		if ok {
 			for k, v := range outputs {
-				outputFiles[k] = v.(string)
+				vStr, ok := v.(string)
+				if !ok {
+					continue
+				}
+
+				outputFiles[k] = vStr
 			}
 		}
 
@@ -1992,7 +2044,12 @@ func (r *ProtocolLXD) CopyInstanceSnapshot(source InstanceServer, instanceName s
 
 		targetSecrets := map[string]string{}
 		for k, v := range opAPI.Metadata {
-			targetSecrets[k] = v.(string)
+			vStr, ok := v.(string)
+			if !ok {
+				continue
+			}
+
+			targetSecrets[k] = vStr
 		}
 
 		// Prepare the source request
@@ -2020,7 +2077,12 @@ func (r *ProtocolLXD) CopyInstanceSnapshot(source InstanceServer, instanceName s
 
 	sourceSecrets := map[string]string{}
 	for k, v := range opAPI.Metadata {
-		sourceSecrets[k] = v.(string)
+		vStr, ok := v.(string)
+		if !ok {
+			continue
+		}
+
+		sourceSecrets[k] = vStr
 	}
 
 	// Relay mode migration
@@ -2040,7 +2102,12 @@ func (r *ProtocolLXD) CopyInstanceSnapshot(source InstanceServer, instanceName s
 		// Extract the websockets
 		targetSecrets := map[string]string{}
 		for k, v := range targetOpAPI.Metadata {
-			targetSecrets[k] = v.(string)
+			vStr, ok := v.(string)
+			if !ok {
+				continue
+			}
+
+			targetSecrets[k] = vStr
 		}
 
 		// Launch the relay
@@ -2596,9 +2663,16 @@ func (r *ProtocolLXD) ConsoleInstance(instanceName string, console api.InstanceC
 
 	value, ok := opAPI.Metadata["fds"]
 	if ok {
-		values := value.(map[string]any)
-		for k, v := range values {
-			fds[k] = v.(string)
+		values, ok := value.(map[string]any)
+		if ok {
+			for k, v := range values {
+				vStr, ok := v.(string)
+				if !ok {
+					continue
+				}
+
+				fds[k] = vStr
+			}
 		}
 	}
 
@@ -2688,9 +2762,16 @@ func (r *ProtocolLXD) ConsoleInstanceDynamic(instanceName string, console api.In
 
 	value, ok := opAPI.Metadata["fds"]
 	if ok {
-		values := value.(map[string]any)
-		for k, v := range values {
-			fds[k] = v.(string)
+		values, ok := value.(map[string]any)
+		if ok {
+			for k, v := range values {
+				vStr, ok := v.(string)
+				if !ok {
+					continue
+				}
+
+				fds[k] = vStr
+			}
 		}
 	}
 

diff --git a/doc/.custom_wordlist.txt b/doc/.custom_wordlist.txt
@@ -18,6 +18,7 @@ balancers
 benchmarking
 BGP
 BitLocker
+BLK
 bool
 bootable
 BPF
@@ -41,6 +42,7 @@ CPUs
 CRIU
 CRL
 cron
+CSM
 CSV
 CUDA
 dataset
@@ -62,8 +64,10 @@ ECDSA
 EiB
 Eibit
 endian
+EOL
 ES
 ESA
+ESM
 ETag
 failover
 firmware
@@ -89,10 +93,10 @@ hotplugging
 HTTPS
 HWE
 ICMP
-IdP
 idmap
 idmapped
 idmaps
+IdP
 incrementing
 InfiniBand
 init
@@ -112,9 +116,9 @@ KiB
 kibi
 Kibit
 KVM
+LogCLI
 lookups
 LoongArch
-LogCLI
 LRU
 LV
 LVM
@@ -133,8 +137,8 @@ MiB
 Mibit
 MicroCeph
 MicroCloud
-MinIO
 MII
+MinIO
 MITM
 MTU
 Mullvad
@@ -190,6 +194,7 @@ qgroups
 RADOS
 RBAC
 RBD
+RDP
 README
 reconfiguring
 requestor
@@ -208,6 +213,7 @@ SDS
 SDT
 SeaBIOS
 Seccomp
+SELinux
 SEV
 SFTP
 SHA
@@ -216,6 +222,7 @@ SIGTERM
 simplestreams
 SKBPRIO
 SLAAC
+SLES
 SMTP
 Snapcraft
 Solaris

diff --git a/doc/explanation/projects.md b/doc/explanation/projects.md
@@ -46,6 +46,15 @@ To edit them, you must remove all instances first.
 New features that are added in an upgrade are disabled for existing projects.
 ```
 
+```{important}
+In a multi-tenant environment, unless using {ref}`fine-grained-authorization`, all projects should have all features enabled.
+Otherwise, clients with {ref}`restricted-tls-certs` are able to create, edit, and delete resources in the default project. This might affect other tenants.
+
+For example, if project "foo" is created and `features.networks` is not set to true, then a restricted client certificate with access to "foo" can view, edit, and delete networks in the default project.
+
+Conversely, if a client's permissions are managed via {ref}`fine-grained-authorization`, resources may be inherited from the default project but access to those resources is not automatically granted.
+```
+
 (projects-confined)=
 ## Confined projects in a multi-user environment
 

diff --git a/doc/guest-os-compatibility.md b/doc/guest-os-compatibility.md
@@ -0,0 +1,78 @@
+(guest-os-compatibility)=
+# Guest OS compatibility
+
+The following operating systems (OS) were tested as virtual machine guest running on top of on LXD `5.21/stable`. Each OS was tested by doing a manual installation using the official ISO as provided by the vendor.
+
+OS vendor | OS version         | OS support | [LXD agent](#lxd-agent) | VirtIO-SCSI | VirtIO-BLK | NVMe    | CSM (BIOS) | UEFI | Secure Boot
+:---      | :---               | :---       | :---                    | :---        | :---       | :---    | :---       | :--- | :---
+CentOS    | CentOS 6.10 [^1]   | EOL        | ❌ [^2]                 | ✅          | ❌ [^7]    | 🟢      | ✅         | ❌   | ❌
+CentOS    | CentOS 7.9         | EOL        | ❌ [^2]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+CentOS    | CentOS 8.5         | EOL        | 🟢 [^3]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+CentOS    | CentOS 8-Stream    | EOL        | 🟢 [^3]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+CentOS    | CentOS 9-Stream    | Supported  | 🟢 [^3]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Red Hat   | RHEL 7.9           | EOL        | ❌ [^2]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Red Hat   | RHEL 8.10          | Supported  | 🟢 [^3]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Red Hat   | RHEL 9.4           | Supported  | 🟢 [^3]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+SUSE      | SLES 12 SP5        | Supported  | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+SUSE      | SLES 15 SP6        | Supported  | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 14.04.6 LTS        | EOL        | ❌ [^8]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 16.04.7 LTS        | ESM        | ✅ [^9]                 | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 18.04.6 LTS        | ESM        | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 20.04.6 LTS        | Supported  | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 22.04.4 LTS        | Supported  | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Ubuntu    | 24.04.1 LTS        | Supported  | ✅                      | ✅          | 🟢         | 🟢      | 🟢         | ✅   | ✅
+Windows   | Server 2012        | Supported  | ➖                      | ✅          | 🟢         | ❌      | 🟢         | ✅   | ✅
+Windows   | Server 2016        | Supported  | ➖                      | ✅          | 🟢         | 🟢 [^4] | ❌ [^6]    | ✅   | ✅
+Windows   | Server 2019        | Supported  | ➖                      | ✅          | 🟢         | 🟢      | ❌ [^6]    | ✅   | ✅
+Windows   | Server 2022        | Supported  | ➖                      | ✅          | 🟢         | 🟢      | ❌ [^6]    | ✅   | ✅
+Windows   | 10 22H2            | Supported  | ➖                      | ✅          | 🟢         | 🟢      | ❌ [^6]    | ✅   | ✅
+Windows   | 11 23H2 [^5]       | Supported  | ➖                      | ✅          | 🟢         | 🟢      | ❌         | ✅   | ✅
+
+[^1]: No network support despite having VirtIO-NET module.
+[^2]: Support for 9P or `virtiofs` not available. Note: CentOS 7 has a `kernel-plus` kernel with 9P support allowing LXD agent to work (with `selinux=0`).
+[^3]: Requires disabling SELinux to allow LXD agent loading `virtiofs` configuration share.
+[^4]: NVMe disks are visible but the installer lists all 255 namespaces slowing down the initialization.
+[^5]: A virtual TPM is required.
+[^6]: The OS installer hangs when booting in CSM/BIOS mode.
+[^7]: The OS installer hangs when booting with VirtIO-BLK despite having VirtIO-BLK supported by the kernel.
+[^8]: This Linux version does not use `systemd` which the LXD agent requires.
+[^9]: Requires the HWE kernel (`4.15`) for proper `vsock` support which is required by the LXD agent.
+
+Legend:
+✅ : recommended
+🟢 : supported
+➖ : not applicable
+❌ : not supported
+
+## Notes
+
+### LXD agent
+
+The LXD agent provides the ability to execute commands inside of the virtual machine guest without relying on traditional access solution like secure shell (SSH) or Remote Desktop Protocol (RDP). This agent is only supported on Linux guests using `systemd`.
+
+### CSM/BIOS boot
+
+```bash
+lxc config set v1 security.secureboot=false
+lxc config set v1 security.csm=true
+```
+
+### Virtual TPM
+
+```bash
+lxc config device add v1 vtpm tpm path=/dev/tpm0
+```
+
+### VirtIO-BLK or NVMe
+
+```bash
+lxc config device override v1 root io.bus=virtio-blk
+# or
+lxc config device override v1 root io.bus=nvme
+```
+
+### Disconnect the ISO
+
+```bash
+lxc config device remove v1 iso
+```