`AllowProjectUpdate` has its own (partial) implementation of `checkRestrictionsAndAggregateLimits`
Please confirm
- [x] I have searched existing issues to check if an issue already exists for the bug I encountered.
Distribution
Ubuntu
Distribution version
24.04
Output of "snap list --all lxd core20 core22 core24 snapd"
N/A
Output of "lxc info" or system info if it fails
N/A
Issue description
This issue is related to https://github.com/canonical/lxd/issues/15822 but broader in scope.
Put simply, when something is added/changed inside a project its restrictions and limits are checked for violation using a function called checkRestrictionsAndAggregateLimits().
However when a project's own settings are updated, a function called AllowProjectUpdate() is called.
Inside this function it checks that restrictions are still valid by calling checkInstanceRestrictions(), however that is not entirely correct which is covered by https://github.com/canonical/lxd/issues/15822.
Separately to that AllowProjectUpdate() also seems to have its own implementation of checkRestrictionsAndAggregateLimits() by individually considering each limit key individually:
https://github.com/canonical/lxd/blob/5290649b7b8f1665413f2a02cf9ec8af961de76e/lxd/project/limits/permissions.go#L1121-L1159
As well as not being updated to handle limits.networks (see https://github.com/canonical/lxd/issues/15823) it is also undesirable to have two different implementations for limit checks and we should instead use checkRestrictionsAndAggregateLimits when updating a project's settings to ensure the project's entities comply with the project's new restrictions & limits.
Steps to reproduce
N/A
Information to attach
- [ ] Any relevant kernel output (`dmesg`)
- [ ] Instance log (`lxc info NAME --show-log`)
- [ ] Instance configuration (`lxc config show NAME --expanded`)
- [ ] Main daemon log (at `/var/log/lxd/lxd.log` or `/var/snap/lxd/common/lxd/logs/lxd.log`)
- [ ] Output of the client with `--debug`
- [ ] Output of the daemon with `--debug` (or use `lxc monitor` while reproducing the issue)
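
An added illustration of the drift described in this issue, not LXD's code: `sharedCheck`, `updateCheck`, `uncheckedKeys` and the usage counts are hypothetical, and the set of keys handled by the per-key switch is an assumption made for the model. It shows a regression check that lists every limit key a second implementation accepts without checking it.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
)

// Constructed per-key usage counts for one project (not LXD's data model).
var used = map[string]int{"limits.containers": 2, "limits.virtual-machines": 1, "limits.networks": 3}

// sharedCheck models the single checker: any key is rejected if the new limit is below usage.
func sharedCheck(key, raw string) error {
	limit, err := strconv.Atoi(raw)
	if err != nil || used[key] > limit {
		return fmt.Errorf("%s=%q rejected (current usage %d)", key, raw, used[key])
	}
	return nil
}

// updateCheck models a second, per-key implementation that was never taught about limits.networks.
func updateCheck(key, raw string) error {
	switch key {
	case "limits.containers", "limits.virtual-machines": // assumed key set for this model
		return sharedCheck(key, raw)
	}
	return nil // any other key, limits.networks included, is accepted unchecked
}

// uncheckedKeys lowers each limit below current usage and returns the keys the checker still accepts.
func uncheckedKeys(check func(key, raw string) error) []string {
	missed := []string{}
	for key, n := range used {
		if check(key, strconv.Itoa(n-1)) == nil {
			missed = append(missed, key)
		}
	}
	sort.Strings(missed)
	return missed
}

func main() {
	fmt.Println("update path accepts violations for:", uncheckedKeys(updateCheck))
	fmt.Println("shared path accepts violations for:", uncheckedKeys(sharedCheck))
}
```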