canonical / lxd-ui

Easy and accessible container and virtual machine management. A browser interface for LXD
GNU General Public License v3.0

Restricted projects goes to /ui/project/default and print 404 #783

Closed norbertoisaac closed 1 month ago

norbertoisaac commented 1 month ago

cat /etc/os-release

PRETTY_NAME="Ubuntu 24.04 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo

snap version

snap    2.63
snapd   2.63
series  16
ubuntu  24.04
kernel  6.8.0-31-generic

lxd version

5.21.1 LTS

lxc cluster list

+-------------+-----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
|    NAME     |             URL             |      ROLES      | ARCHITECTURE | FAILURE DOMAIN | DESCRIPTION | STATE  |      MESSAGE      |
+-------------+-----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| fdo-kvmc1h1 | https://[100::2004:68]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+-------------+-----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| fdo-kvmc1h4 | https://[100::2004:71]:8443 | database-leader | x86_64       | default        |             | ONLINE | Fully operational |
|             |                             | database        |              |                |             |        |                   |
+-------------+-----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+
| fdo-kvmc1h5 | https://[100::2004:72]:8443 | database        | x86_64       | default        |             | ONLINE | Fully operational |
+-------------+-----------------------------+-----------------+--------------+----------------+-------------+--------+-------------------+

lxc project create IAAS1001

lxc config trust add IAAS1000.crt --project IAAS1001 --restricted

ss -lnt

State   Recv-Q  Send-Q  Local Address:Port    Peer Address:Port  Process
LISTEN  0       4096    127.0.0.54:53         0.0.0.0:
LISTEN  0       4096    172.27.198.68:50053   0.0.0.0:
LISTEN  0       10      172.27.198.68:6644    0.0.0.0:
LISTEN  0       10      172.27.198.68:6643    0.0.0.0:
LISTEN  0       10      172.27.198.68:6642    0.0.0.0:
LISTEN  0       10      172.27.198.68:6641    0.0.0.0:
LISTEN  0       4096    127.0.0.53%lo:53      0.0.0.0:
LISTEN  0       4096    :22                   :
LISTEN  0       4096    :8444                 :
LISTEN  0       4096    :8443                 :

Screenshot from 2024-05-27 17-57-28

lxc config trust list

+--------+-------------------+--------------------------------------+--------------+-------------------------------+------------------------------+
|  TYPE  |       NAME        |             COMMON NAME              | FINGERPRINT  |          ISSUE DATE           |         EXPIRY DATE          |
+--------+-------------------+--------------------------------------+--------------+-------------------------------+------------------------------+
| client | IAAS1000.crt      |                                      | ecea5a62d74c | May 17, 2024 at 2:40am (UTC)  | Feb 11, 2027 at 2:40am (UTC) |

lxc config trust show ecea5a62d74c

name: IAAS1000.crt
type: client
restricted: true
projects: []
certificate: |
fingerprint: ecea5a62d74c90cef055f360c37f599e9ef615ad4af98e62d1af96ea61ff80db

norbertoisaac commented 1 month ago

I missed the 's' in --projects

edlerd commented 1 month ago

Thank you for reaching out.

We do redirect to the dynamic default project, where the default is taken from the list of projects a user can see. For restricted users, this should only be the project with name "default", if they have access to it. I suspect there might be something off with this logic, and it will need a bit of testing to figure out what exactly. It might be a race with the project list not being loaded yet, and the redirect happening before, or something else.

Edit: I think your user does not have access to any project, at least that is what the output from lxc config trust show ecea5a62d74c suggests with the line projects: []. Was it due to the missing s as per your comment above, and everything works fine actually?
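The state diagnosed in the comment above (a restricted certificate whose `projects` list is empty) can be checked across a whole trust store. This is an added example, not code from the thread or from LXD; the sample data is constructed to mimic `lxc config trust list --format json` and a project listing, and the function name and fingerprints are hypothetical.

```python
import json

# Constructed sample shaped like `lxc config trust list --format json`
# (field names as in the `lxc config trust show` output; fingerprints are made up).
SAMPLE_TRUST = json.dumps([
    {"name": "IAAS1000.crt", "type": "client", "restricted": True,
     "projects": [], "fingerprint": "aaaa0000example1"},
    {"name": "tenant-b.crt", "type": "client", "restricted": True,
     "projects": ["IAAS1000", "gone"], "fingerprint": "bbbb0000example2"},
    {"name": "admin.crt", "type": "client", "restricted": False,
     "projects": [], "fingerprint": "cccc0000example3"},
])
# Constructed project names, standing in for what `lxc project list` reports.
SAMPLE_PROJECTS = ["default", "IAAS1000", "IAAS1001"]


def audit_trust(trust_json, existing_projects):
    """Return (name, finding) pairs for trust entries that need review."""
    known = set(existing_projects)
    findings = []
    for entry in json.loads(trust_json):
        name = entry.get("name", "")
        projects = entry.get("projects") or []
        if not entry.get("restricted", False):
            # Unrestricted client certificates are not confined to any project.
            findings.append((name, "unrestricted: full access to all projects"))
            continue
        if not projects:
            # The state in this issue: restricted with `projects: []`.
            findings.append((name, "restricted with no projects: no access"))
        for project in projects:
            if project not in known:
                # A stale or mistyped project name grants nothing usable.
                findings.append((name, f"references missing project {project!r}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_trust(SAMPLE_TRUST, SAMPLE_PROJECTS):
        print(f"{name}: {finding}")
```
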

norbertoisaac commented 1 month ago

The issue was posted because I was wrong in the command: it must be "--projects", my apologies. However, after the correction and some operations with the IAAS1000 restricted certificate, for example launching a Debian12 container and a second Alpine3.20 container, the LXD-UI fails, with all URLs under /ui/project/IAAS1000/ redirecting to /ui/project/default/ except /ui/project/IAAS1000/images:

Screenshot from 2024-05-31 09-33-45

/ui/project/IAAS1000/instances:

Screenshot from 2024-05-31 09-33-19

# lxc config trust show ecea5a62d74c
name: IAAS1000.crt
type: client
restricted: true
projects:
- IAAS1000
certificate: |
fingerprint: ecea5a62d74c90cef055f360c37f599e9ef615ad4af98e62d1af96ea61ff80db

edlerd commented 1 month ago

Thank you for commenting again. This is indeed a regression in LXD. I logged an issue to the backend for this problem at https://github.com/canonical/lxd/issues/13533