lxc · tych0 · Nov 11, 2023 · Oct 27, 2023 · Oct 30, 2023 · Nov 1, 2023
@@ -46,6 +46,10 @@ jobs:
         with:
           go-version: 1.20.x
 
+      - name: Check compatible min Go version
+        run: |
+          go mod tidy -go=1.20
+
       - name: Install dependencies
         run: |
           sudo add-apt-repository ppa:ubuntu-lxc/daily -y --no-update
@@ -87,7 +91,7 @@ jobs:
 
       - name: Unit tests (all)
         run: |
-          sudo go test ./...
+          sudo --preserve-env=CGO_CFLAGS,CGO_LDFLAGS,CGO_LDFLAGS_ALLOW,LD_LIBRARY_PATH LD_LIBRARY_PATH=${LD_LIBRARY_PATH} env "PATH=${PATH}" go test ./...
 
   system-tests:
     env:
@@ -234,11 +238,11 @@ jobs:
           mkdir -p "$(go env GOPATH)/bin"
           curl -sSfL https://dl.min.io/server/minio/release/linux-amd64/minio --output "$(go env GOPATH)/bin/minio"
           chmod +x "$(go env GOPATH)/bin/minio"
-          
+
           # Download latest release of openfga server.
           curl -s https://api.github.com/repos/openfga/openfga/releases/latest | jq -r '.assets | .[] | .browser_download_url | select(. | test("_linux_amd64.tar.gz$"))' | xargs -I {} curl -L {} -o openfga.tar.gz
           tar -xzf openfga.tar.gz -C "$(go env GOPATH)/bin/"
-          
+
           # Download latest release of openfga cli.
           curl -s https://api.github.com/repos/openfga/cli/releases/latest | jq -r '.assets | .[] | .browser_download_url | select(. | test("_linux_amd64.tar.gz$"))' | xargs -I {} curl -L {} -o fga.tar.gz
           tar -xzf fga.tar.gz -C "$(go env GOPATH)/bin/"
@@ -393,6 +397,11 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20.x
+
       - name: Install dependencies
         run: |
           sudo apt-get install aspell aspell-en

@@ -82,6 +82,11 @@ func (c *cmdDelete) Run(cmd *cobra.Command, args []string) error {
 
 	// Process with deletion.
 	for _, resource := range resources {
+		connInfo, err := resource.server.GetConnectionInfo()
+		if err != nil {
+			return err
+		}
+
 		if c.flagInteractive {
 			err := c.promptDelete(resource.name)
 			if err != nil {
@@ -141,7 +146,7 @@ func (c *cmdDelete) Run(cmd *cobra.Command, args []string) error {
 
 		err = c.doDelete(resource.server, resource.name)
 		if err != nil {
-			return err
+			return fmt.Errorf(i18n.G("Failed deleting instance %q in project %q: %w"), resource.name, connInfo.Project, err)
 		}
 	}
 	return nil

@@ -407,7 +407,7 @@ func findContainerForPid(pid int32, s *state.State) (instance.Container, error)
 	 * 1. Walk up the process tree until you see something that looks like
 	 *    an lxc monitor process and extract its name from there.
 	 *
-	 * 2. If this fails, it may be that someone did an `lxc exec foo bash`,
+	 * 2. If this fails, it may be that someone did an `incus exec foo -- bash`,
 	 *    so the process isn't actually a descendant of the container's
 	 *    init. In this case we just look through all the containers until
 	 *    we find an init with a matching pid namespace. This is probably

@@ -12,7 +12,7 @@ If you run this tool repeatedly with different configurations, you can compare t
 ## Get the tool
 
 If the `incus-benchmark` tool isn't provided with your installation, you can build it from source.
-Make sure that you have `go` (version 1.20 or later) installed and install the tool with the following command:
+Make sure that you have `go` (see {ref}`requirements-go`) installed and install the tool with the following command:
 
     go install github.com/lxc/incus/incus-benchmark@latest
 

@@ -68,7 +68,7 @@ Console log:
 Now that the container has started, you can check it and see that things are not running as well as expected:
 
 ```{terminal}
-:input: incus exec systemd bash
+:input: incus exec systemd -- bash
 
 [root@systemd ~]# ls
 [root@systemd ~]# mount

@@ -14,7 +14,7 @@ However, this tool does not migrate any of the LXC container configuration.
 ## Get the tool
 
 If the tool isn't provided alongside your Incus installation, you can build it yourself.
-Make sure that you have `go` (version 1.18 or later) installed and get the tool with the following command:
+Make sure that you have `go` ({ref}`requirements-go`) installed and get the tool with the following command:
 
     go install github.com/lxc/incus/cmd/lxc-to-incus@latest
 

@@ -169,7 +169,7 @@ In addition, you can add any number of servers to the Incus cluster that run onl
        incus launch images:ubuntu/22.04 c3 --network my-ovn
        incus launch images:ubuntu/22.04 c4 --network my-ovn
        incus list
-       incus exec c4 bash
+       incus exec c4 -- bash
        ping <IP of c1>
        ping <nameserver>
        ping6 -n www.example.com

@@ -109,12 +109,14 @@ To download a specific build:
 Follow these instructions if you want to build and install Incus from the source code.
 
 We recommend having the latest versions of `liblxc` (>= 4.0.0 required)
-available for Incus development. Additionally, Incus requires Golang 1.18 or
-later to work. On Ubuntu, you can get those with:
+available for Incus development. Additionally, Incus requires a modern Golang (see {ref}`requirements-go`)
+version to work. On Ubuntu, you can get those with:
 
 ```bash
 sudo apt update
-sudo apt install acl attr autoconf automake dnsmasq-base git golang libacl1-dev libcap-dev liblxc1 liblxc-dev libsqlite3-dev libtool libudev-dev liblz4-dev libuv1-dev make pkg-config rsync squashfs-tools tar tcl xz-utils ebtables
+sudo apt install acl attr autoconf automake dnsmasq-base git libacl1-dev libcap-dev liblxc1 liblxc-dev libsqlite3-dev libtool libudev-dev liblz4-dev libuv1-dev make pkg-config rsync squashfs-tools tar tcl xz-utils ebtables
+command -v snap >/dev/null || sudo apt-get install snapd
+sudo snap install --classic go
 ```
 
 ```{note}

@@ -1,8 +1,9 @@
 # Requirements
 
+(requirements-go)=
 ## Go
 
-Incus requires Go 1.18 or higher and is only tested with the Golang compiler.
+Incus requires Go 1.20 or higher and is only tested with the Golang compiler.
 
 We recommend having at least 2GiB of RAM to allow the build to complete.
 

@@ -128,7 +128,6 @@ func parse(path string, outputJSONPath string, excludedPaths []string) (*doc, er
 
 		// Only process go files
 		if !info.IsDir() && filepath.Ext(path) != ".go" {
-			log.Printf("Skipping non-golang file: %v", path)
 			return nil
 		}
 

@@ -5,6 +5,8 @@ import (
 	"reflect"
 	"sort"
 	"strconv"
+	"strings"
+	"unicode"
 
 	internalInstance "github.com/lxc/incus/internal/instance"
 	"github.com/lxc/incus/shared/util"
@@ -184,6 +186,13 @@ func (m *Map) update(values map[string]string) ([]string, error) {
 func (m *Map) set(name string, value string, initial bool) (bool, error) {
 	// Bypass schema for user.* keys
 	if internalInstance.IsUserConfig(name) {
+		for _, r := range strings.TrimPrefix(name, "user.") {
+			// Only allow letters, digits, and punctuation characters.
+			if !unicode.In(r, unicode.Letter, unicode.Digit, unicode.Punct) {
+				return false, fmt.Errorf("Invalid key name")
+			}
+		}
+
 		current, ok := m.values[name]
 		if ok && value == current {
 			// Value is unchanged

@@ -407,7 +407,8 @@ func (d *proxy) setupNAT() error {
 			return err
 		}
 
-		if nicType != "bridged" {
+		// Check if the instance has a NIC with a static IP that is reachable from the host.
+		if !util.ValueInSlice(nicType, []string{"bridged", "routed"}) {
 			continue
 		}
 

@@ -8351,7 +8351,7 @@ func (d *lxc) getFSStats() (*metrics.MetricSet, error) {
 		FSType     string
 	}
 
-	out := metrics.NewMetricSet(map[string]string{"project": d.project.Name, "name": d.name})
+	out := metrics.NewMetricSet(nil)
 
 	mounts, err := os.ReadFile("/proc/mounts")
 	if err != nil {

@@ -61,14 +61,24 @@ func (m *MetricSet) AddSamples(metricType MetricType, samples ...Sample) {
 	m.set[metricType] = append(m.set[metricType], samples...)
 }
 
-// Merge merges two MetricSets.
+// Merge merges two MetricSets. Missing labels from m's samples are added to all samples in n.
 func (m *MetricSet) Merge(metricSet *MetricSet) {
 	if metricSet == nil {
 		return
 	}
 
-	for k := range metricSet.set {
-		m.set[k] = append(m.set[k], metricSet.set[k]...)
+	for metricType := range metricSet.set {
+		for _, sample := range metricSet.set[metricType] {
+			// Add missing labels from m.
+			for k, v := range m.labels {
+				_, ok := sample.Labels[k]
+				if !ok {
+					sample.Labels[k] = v
+				}
+			}
+
+			m.set[metricType] = append(m.set[metricType], sample)
+		}
 	}
 }
 

@@ -37,4 +37,22 @@ func TestMetricSet_FilterSamples(t *testing.T) {
 
 	// Should no longer contain the sample.
 	require.Equal(t, []Sample{}, m.set[CPUSecondsTotal])
+
+	m = NewMetricSet(map[string]string{"project": "default"})
+	m.AddSamples(CPUSecondsTotal, Sample{Value: 10})
+
+	n := NewMetricSet(map[string]string{"name": "jammy"})
+	n.AddSamples(CPUSecondsTotal, Sample{Value: 20})
+
+	m.Merge(n)
+
+	for _, sample := range m.set[CPUSecondsTotal] {
+		hasKeys := []string{}
+
+		for k := range sample.Labels {
+			hasKeys = append(hasKeys, k)
+		}
+
+		require.Contains(t, hasKeys, "project")
+	}
 }
@@ -1052,13 +1052,21 @@ func (n *bridge) setup(oldConfig map[string]string) error {
 				return err
 			}
 
-			// First set accept_ra to 2 for everything.
+			// First set accept_ra to 2 for all interfaces (if not disabled).
+			// This ensures that the host can still receive IPv6 router advertisements even with
+			// forwarding enabled (which enable below), as the default is to ignore router adverts
+			// when forward is enabled, and this could render the host unreachable if it uses
+			// SLAAC generated IPs.
 			for _, entry := range entries {
+				// Check that IPv6 router advertisement acceptance is enabled currently.
+				// If its set to 0 then we don't want to enable, and if its already set to 2 then
+				// we don't need to do anything.
 				content, err := os.ReadFile(fmt.Sprintf("/proc/sys/net/ipv6/conf/%s/accept_ra", entry.Name()))
 				if err == nil && string(content) != "1\n" {
 					continue
 				}
 
+				// If IPv6 router acceptance is enabled (set to 1) then we now set it to 2.
 				err = localUtil.SysctlSet(fmt.Sprintf("net/ipv6/conf/%s/accept_ra", entry.Name()), "2")
 				if err != nil && !os.IsNotExist(err) {
 					return err

@@ -168,6 +168,10 @@ func CheckTrustState(cert x509.Certificate, trustedCerts map[string]x509.Certifi
 			crl := networkCert.CRL()
 
 			if crl != nil {
+				if crl.CheckSignatureFrom(ca) != nil {
+					return false, "" // CRL not signed by CA
+				}
+
 				for _, revoked := range crl.RevokedCertificates {
 					if cert.SerialNumber.Cmp(revoked.SerialNumber) == 0 {
 						return false, "" // Certificate is revoked, so not trusted anymore.

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: lxd\n"
 "Report-Msgid-Bugs-To: lxc-devel@lists.linuxcontainers.org\n"
-"POT-Creation-Date: 2023-10-30 10:05+0800\n"
+"POT-Creation-Date: 2023-11-10 21:45-0500\n"
 "PO-Revision-Date: 2022-03-10 15:10+0000\n"
 "Last-Translator: Anonymous <noreply@weblate.org>\n"
 "Language-Team: Berber <https://hosted.weblate.org/projects/linux-containers/"
@@ -2363,6 +2363,11 @@ msgstr ""
 msgid "Failed converting token operation to join token: %w"
 msgstr ""
 
+#: cmd/incus/delete.go:149
+#, c-format
+msgid "Failed deleting instance %q in project %q: %w"
+msgstr ""
+
 #: cmd/incus/storage_volume.go:511
 #, c-format
 msgid "Failed deleting source volume after copy: %w"
@@ -6073,7 +6078,7 @@ msgstr ""
 msgid "Stopping instance failed!"
 msgstr ""
 
-#: cmd/incus/delete.go:115
+#: cmd/incus/delete.go:120
 #, c-format
 msgid "Stopping the instance failed: %s"
 msgstr ""
@@ -6328,7 +6333,7 @@ msgstr ""
 msgid "The following unknown volumes have been found:"
 msgstr ""
 
-#: cmd/incus/delete.go:99
+#: cmd/incus/delete.go:104
 msgid "The instance is currently running, stop it first or pass --force"
 msgstr ""
 

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: lxd\n"
 "Report-Msgid-Bugs-To: lxc-devel@lists.linuxcontainers.org\n"
-"POT-Creation-Date: 2023-10-30 10:05+0800\n"
+"POT-Creation-Date: 2023-11-10 21:45-0500\n"
 "PO-Revision-Date: 2022-03-10 15:09+0000\n"
 "Last-Translator: Anonymous <noreply@weblate.org>\n"
 "Language-Team: Bulgarian <https://hosted.weblate.org/projects/linux-"
@@ -2363,6 +2363,11 @@ msgstr ""
 msgid "Failed converting token operation to join token: %w"
 msgstr ""
 
+#: cmd/incus/delete.go:149
+#, c-format
+msgid "Failed deleting instance %q in project %q: %w"
+msgstr ""
+
 #: cmd/incus/storage_volume.go:511
 #, c-format
 msgid "Failed deleting source volume after copy: %w"
@@ -6073,7 +6078,7 @@ msgstr ""
 msgid "Stopping instance failed!"
 msgstr ""
 
-#: cmd/incus/delete.go:115
+#: cmd/incus/delete.go:120
 #, c-format
 msgid "Stopping the instance failed: %s"
 msgstr ""
@@ -6328,7 +6333,7 @@ msgstr ""
 msgid "The following unknown volumes have been found:"
 msgstr ""
 
-#: cmd/incus/delete.go:99
+#: cmd/incus/delete.go:104
 msgid "The instance is currently running, stop it first or pass --force"
 msgstr ""
 

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: lxd\n"
 "Report-Msgid-Bugs-To: lxc-devel@lists.linuxcontainers.org\n"
-"POT-Creation-Date: 2023-10-30 10:05+0800\n"
+"POT-Creation-Date: 2023-11-10 21:45-0500\n"
 "PO-Revision-Date: 2022-03-10 15:10+0000\n"
 "Last-Translator: Anonymous <noreply@weblate.org>\n"
 "Language-Team: Catalan <https://hosted.weblate.org/projects/linux-containers/"
@@ -2363,6 +2363,11 @@ msgstr ""
 msgid "Failed converting token operation to join token: %w"
 msgstr ""
 
+#: cmd/incus/delete.go:149
+#, c-format
+msgid "Failed deleting instance %q in project %q: %w"
+msgstr ""
+
 #: cmd/incus/storage_volume.go:511
 #, c-format
 msgid "Failed deleting source volume after copy: %w"
@@ -6073,7 +6078,7 @@ msgstr ""
 msgid "Stopping instance failed!"
 msgstr ""
 
-#: cmd/incus/delete.go:115
+#: cmd/incus/delete.go:120
 #, c-format
 msgid "Stopping the instance failed: %s"
 msgstr ""
@@ -6328,7 +6333,7 @@ msgstr ""
 msgid "The following unknown volumes have been found:"
 msgstr ""
 
-#: cmd/incus/delete.go:99
+#: cmd/incus/delete.go:104
 msgid "The instance is currently running, stop it first or pass --force"
 msgstr ""