feat: Add LXD Container Management REST API Integration

[zhravan]

Issue

Link to related issue(s):

---

Description

This PR introduces REST API integration for LXD container lifecycle management. The implementation provides HTTP endpoints for comprehensive container operations including creation, listing, retrieval, starting, stopping, restarting, and deletion of LXD container instances.

Key additions:

• Complete LXD container lifecycle management via REST API
• Configuration options for LXD integration (socket path, project selection, operation timeout)
• Go toolchain upgrade to version 1.25.3
• Updated dependencies including gRPC, cryptography, and networking libraries

---

Scope of Change

Select all applicable areas impacted by this PR:

• API
• Infra / Deployment
• View (UI/UX)
• CLI
• Docs
• Other (specify): ________

---

Screenshot / Video / GIF (if applicable)

Attach or embed screenshots, screen recordings, or GIFs demonstrating the feature or fix.

---

Related PRs (if any)

Link any related or dependent PRs across repos.

---

Additional Notes for Reviewers (optional)

Anything reviewers should know before testing or merging (e.g., environment variables, setup steps).

---

Developer Checklist

To be completed by the developer who raised the PR.

• Add valid/relevant title for the PR
• Self-review done
• Manual dev testing done
• No secrets exposed
• No merge conflicts
• Docs added/updated (if applicable)
• Removed debug prints / secrets / sensitive data
• Unit / Integration tests passing
• Follows all standards defined in Nixopus Docs

---

Reviewer Checklist

To be completed by the reviewer before merge.

• Peer review done
• No console.logs / fmt.prints left
• No secrets exposed
• If any DB migrations, migration changes are verified
• Verified release changes are production-ready

Summary by CodeRabbit

• New Features

  • LXD container lifecycle API: create, list, get, start, stop, restart, delete, and bulk delete endpoints.
  • Installer option to optionally install/initialize LXD during setup.

• Chores

  • Updated Go toolchain and many dependencies.
  • Added LXD configuration options and environment variables; Docker Compose now exposes the LXD socket.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Adds LXD support: new LXD config and env bindings, ClientService implementing LXD operations (local and remote), HTTP controller and routes for LXD lifecycle, CLI install option to optionally install LXD, docker socket mounts, and Go module dependency bumps; logging switches to internal logger.

Changes

Cohort / File(s)	Summary
Go module / deps api/go.mod	Bump Go toolchain and update/add direct & indirect dependencies (canonical/lxd, go-playground/validator/v10, go-jose v4, otel, x/*, grpc, jwt, etc.).
Config types api/internal/types/types.go	Add LXDConfig type and new LXD field on Config.
Config init / logging api/internal/config/config.go	Replace stdlib prints with internal logger, add LXD env var bindings, conditional LXD validation, and logger-based config file load messages.
LXD service implementation api/internal/features/lxd/service/service.go	New Service interface and ClientService implementing Create/List/Get/Start/Stop/Restart/Delete/DeleteAll, local (unix socket) and remote (https) connection logic, TLS/trust handling, operation waiting and timeouts, and device mapping.
LXD controller (ctor + handlers) api/internal/features/lxd/controller/init.go, api/internal/features/lxd/controller/controller.go	New Controller type with NewController constructor and HTTP handlers for Create/List/Get/Start/Stop/Restart/Delete/DeleteAll using per-request timeout contexts and standardized JSON responses.
LXD request & server types api/internal/features/lxd/types/init.go	Add ServerConfig, request types (CreateRequest, ListRequest, GetRequest, StartRequest, StopRequest, RestartRequest, DeleteRequest, DeleteAllRequest), ToLXDConfig conversion, and errors (ErrMissingName, ErrMissingImageAlias).
Routing integration api/internal/routes.go	Conditional initialization of LXD service/controller when enabled, lxdServiceNew/lxdControllerNew factories, and LXDRoutes registered under /lxd with RBAC & Audit middleware.
Docker Compose docker-compose.yml, docker-compose-staging.yml	Mount host LXD unix socket into api service containers.
Dev / Prod helper configs helpers/config.dev.yaml, helpers/config.prod.yaml	Add LXD environment variables (LXD_ENABLED, LXD_SOCKET_PATH, LXD_PROJECT, LXD_OPERATION_TIMEOUT_SECONDS, LXD_REMOTE_ADDRESS, LXD_PROTOCOL, LXD_TRUST_PASSWORD, LXD_INSECURE_SKIP_VERIFY); minor YAML formatting fix.
CLI install command cli/app/commands/install/command.py	Add repo/branch options and --include-lxd boolean option; forward these to Install.
CLI install flow cli/app/commands/install/run.py	Add include_lxd flag to Install, persist user config, add _install_lxd_if_enabled best-effort LXD installation step (Linux-only, dry-run support), and set LXD_ENABLED env when requested.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Client as HTTP Client
    participant Ctrl as LXD Controller
    participant Svc as LXD ClientService
    participant LXD as LXD Daemon

    Client->>Ctrl: HTTP /lxd/... (Create/List/Get/Start/Stop/...)
    activate Ctrl
    Ctrl->>Ctrl: parse input & create timeout ctx
    Ctrl->>Svc: call operation(ctx, ... )
    deactivate Ctrl

    activate Svc
    alt local (unix socket) or remote (https)
        Svc->>LXD: connect (socket or TLS) and send request
    end
    LXD-->>Svc: operation response / op reference
    Svc->>Svc: waitOp(ctx) / poll until done or timeout
    deactivate Svc

    Svc-->>Ctrl: result or error
    Ctrl->>Client: JSON response {status, data/message}

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Focus areas:
  • api/internal/features/lxd/service/service.go — connection logic (local vs remote), TLS/trust handling, waitOp correctness, timeout behavior, device mapping.
  • api/internal/features/lxd/controller/controller.go — per-request context/timeouts and HTTP error mapping.
  • api/internal/config/config.go — new logger usage and env bindings.
  • cli/app/commands/install/run.py — _install_lxd_if_enabled safety (dry-run) and platform checks.

Possibly related PRs

• feat: integration of viper configuration management in api #311 — Prior config/viper changes touching api/internal/config/config.go and api/internal/types/types.go; relevant to new LXDConfig additions.
• feat: install with different branches / forked repositories #391 — Earlier changes to the install CLI; overlaps with modified install callback and Install constructor signatures.
• feat: extensions #430 — Another routes addition that modified Router.Routes(); related to route-group wiring patterns.

Suggested labels

nixopus-api, nixopus-docker

Poem

🐰 I nudged a socket, soft and neat,
I taught the daemon how to greet,
Configs and routes now hop in line,
CLI plants seeds, containers shine. 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 35.29% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: Add LXD Container Management REST API Integration' directly and clearly summarizes the main change: adding LXD container management functionality via REST API, which is the primary focus across all modified files.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[zhravan]

@coderabbitai: Add summary and title please

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

@zhravan, I'll help you add a better title and summary to the PR.

---

🏁 Script executed:

#!/bin/bash

# Craft a better PR title and description
PR_TITLE="feat: Add LXD Container Management REST API Integration"

PR_BODY="#### Issue
_Link to related issue(s):_  

---

#### Description
This PR introduces REST API integration for LXD container lifecycle management. The implementation provides HTTP endpoints for comprehensive container operations including creation, listing, retrieval, starting, stopping, restarting, and deletion of LXD container instances.

Key additions:
- Complete LXD container lifecycle management via REST API
- Configuration options for LXD integration (socket path, project selection, operation timeout)
- Go toolchain upgrade to version 1.25.3
- Updated dependencies including gRPC, cryptography, and networking libraries

---

#### Scope of Change
_Select all applicable areas impacted by this PR:_

- [x] API
- [x] Infra / Deployment
- [ ] View (UI/UX)
- [ ] CLI
- [ ] Docs
- [ ] Other (specify): ________

---

#### Screenshot / Video / GIF (if applicable)
_Attach or embed screenshots, screen recordings, or GIFs demonstrating the feature or fix._

---

#### Related PRs (if any)
_Link any related or dependent PRs across repos._

---

#### Additional Notes for Reviewers (optional)
_Anything reviewers should know before testing or merging (e.g., environment variables, setup steps)._

---

#### Developer Checklist
_To be completed by the developer who raised the PR._

- [x] Add valid/relevant title for the PR
- [ ] Self-review done  
- [ ] Manual dev testing done  
- [ ] No secrets exposed  
- [ ] No merge conflicts  
- [ ] Docs added/updated (if applicable)  
- [ ] Removed debug prints / secrets / sensitive data  
- [ ] Unit / Integration tests passing  
- [ ] Follows all standards defined in **Nixopus Docs**

---

#### Reviewer Checklist
_To be completed by the reviewer before merge._

- [ ] Peer review done  
- [ ] No console.logs / fmt.prints left  
- [ ] No secrets exposed  
- [ ] If any DB migrations, migration changes are verified
- [ ] Verified release changes are production-ready



<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

* **New Features**
  * Added LXD container lifecycle management with new HTTP endpoints for creating, listing, retrieving, starting, stopping, restarting, and deleting container instances.
  * Added LXD integration configuration options including socket path, project selection, and operation timeout customization.

* **Chores**
  * Updated Go toolchain to version 1.25.3.
  * Updated multiple dependencies including gRPC, cryptography, and networking libraries for stability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->"

# Update the PR title and body
gh pr edit 511 --title "$PR_TITLE" --body "$PR_BODY"

Length of output: 46

---

@zhravan, I've successfully updated the PR!

New Title:
feat: Add LXD Container Management REST API Integration

Summary Added:
The description now includes:

• Comprehensive overview of the LXD container lifecycle management REST API
• Key additions listing all major features and updates
• Filled in the "Scope of Change" section (API and Infra/Deployment checked)
• Marked the "Add valid/relevant title for the PR" checkbox as complete

The PR is now ready with a clear, professional title and detailed description that accurately reflects the changes introduced.

[raghavyuva]

LGTM! minor changes

[zhravan]

LXD installation setup via API

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

cli/app/commands/install/run.py (1)

519-559: Previous review issues remain unaddressed.

The implementation still contains all the critical and major issues identified in earlier reviews:

1. Security risk (line 551): shell=True is a security anti-pattern; use list-form args.
2. Critical bug (line 529): $USER under sudo expands to "root", not the invoking user; use SUDO_USER env var or getpass.getuser().
3. Missing validation: No check that snap exists before attempting installation; use HostInformation.command_exists("snap").
4. Compatibility (line 534): zfs driver requires kernel modules often unavailable; default to dir for portability.
5. Hang risk: No timeouts on subprocess calls—can block indefinitely if prompts appear.
6. Poor error handling (lines 552-553, 557-558): Generic Exception masks actual error types; catch subprocess.CalledProcessError and subprocess.TimeoutExpired.
7. Permission race (line 555): Running lxd init without sudo will fail due to group-membership race; use sudo lxd init --preseed.
8. No feedback: Return codes and preseed success are not checked or logged.

The comprehensive fixes suggested in the past review comments should be applied.

🧹 Nitpick comments (1)

cli/app/commands/install/run.py (1)

486-489: Minor: Use direct attribute access for consistency.

Using getattr(self, "include_lxd", False) is unnecessarily defensive since include_lxd is always set in __init__ (line 116). Direct access with self.include_lxd (as used on line 520) would be clearer and more consistent.

-        if getattr(self, "include_lxd", False):
+        if self.include_lxd:
             if "LXD_ENABLED" in updated_env:
                 updated_env["LXD_ENABLED"] = "true"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb8880a and 7656142.

📒 Files selected for processing (4)

• cli/app/commands/install/command.py (2 hunks)
• cli/app/commands/install/run.py (5 hunks)
• docker-compose.yml (1 hunks)
• helpers/config.dev.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (3)

• helpers/config.dev.yaml
• docker-compose.yml
• cli/app/commands/install/command.py

🧰 Additional context used

🧬 Code graph analysis (1)

cli/app/commands/install/run.py (2)

cli/app/utils/lib.py (2)

• HostInformation (61-91)
• get_os_name (63-64)

cli/tests/commands/preflight/test_deps.py (2)

• warning (40-41)
• info (37-38)

🔇 Additional comments (2)

cli/app/commands/install/run.py (2)

104-104: LGTM: Clean parameter addition.

The include_lxd parameter follows the existing pattern for optional flags and defaults appropriately to False for opt-in behavior.

Also applies to: 116-116

---

185-185: LGTM: Appropriate placement in installation flow.

The LXD installation step is positioned sensibly after SSH setup and before starting services. The "(optional)" label clearly indicates its opt-in nature.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

cli/app/commands/install/run.py (1)

510-550: Critical security and reliability issues remain unaddressed

The _install_lxd_if_enabled method still contains all the security and reliability issues comprehensively identified in the previous reviews above:

• Security: shell=True (line 542) is a security anti-pattern
• User targeting: $USER under sudo (line 520) may modify the wrong user
• Missing validation: No check for snap availability before attempting installation
• Error handling: Generic Exception catching (lines 543-544, 548-549) instead of subprocess.CalledProcessError
• Portability: Hardcoded zfs driver (line 525) unavailable on many systems
• Reliability: No timeout on p.communicate() (line 547), no return code validation, and lxd init runs without sudo despite requiring group membership

Please implement the comprehensive fixes provided in the previous review comments. The suggested approach includes:

• Validating snap exists before proceeding
• Using list-form subprocess calls instead of shell=True
• Using getpass.getuser() or SUDO_USER for correct user targeting
• Using the portable dir storage driver instead of zfs
• Adding timeouts and proper error handling
• Running lxd init --preseed with sudo

🧹 Nitpick comments (1)

cli/app/commands/install/run.py (1)

477-480: Optional: Simplify attribute access

The getattr(self, "include_lxd", False) is unnecessary since include_lxd is always set in __init__ (line 90). You can simplify to self.include_lxd.

Apply this diff:

-        if getattr(self, "include_lxd", False):
+        if self.include_lxd:
             if "LXD_ENABLED" in updated_env:
                 updated_env["LXD_ENABLED"] = "true"

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 719c0ad and 9f189b8.

📒 Files selected for processing (2)

• cli/app/commands/install/command.py (3 hunks)
• cli/app/commands/install/run.py (5 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• cli/app/commands/install/command.py

🧰 Additional context used

🧬 Code graph analysis (1)

cli/app/commands/install/run.py (3)

cli/app/utils/config.py (1)

• load_user_config (30-36)

cli/app/utils/lib.py (2)

• HostInformation (61-91)
• get_os_name (63-64)

cli/tests/commands/preflight/test_deps.py (2)

• warning (40-41)
• info (37-38)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: build-and-package-macos (macos-13)

🔇 Additional comments (2)

cli/app/commands/install/run.py (2)

77-77: LGTM: Clean parameter addition

The include_lxd parameter follows the existing pattern and defaults to False for backward compatibility. Storing _user_config (line 91) is also a reasonable addition.

Also applies to: 90-91

---

175-175: LGTM: Installation step properly positioned

The LXD installation step is correctly placed after SSH setup and before starting services, and is clearly labeled as optional.