ADR 0003: LXD Project Multi-Tenancy

Status

Accepted

Context

The platform allows multiple users to deploy containers and virtual machines. We must ensure strict multi-tenancy: a user must not be able to view, stop, delete, or inspect instances that belong to another tenant.

Decision

We leverage hypervisor-native LXD Projects for multi-tenancy.

  1. The Proxy Server derives a per-user project name u-${user.sub} from the OIDC subject ID.
  2. If the project does not exist on the LXD Host, the gateway invokes the LXD REST API to create the project with restricted default profiles (ovn-net and local-pool).
  3. The API Gateway forwards LXD requests to the LXD daemon, appending ?project=u-${userId} to the endpoint path.
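The three steps above, worked through as an added Python example (not the platform's own gateway code). It assumes the LXD REST endpoints /1.0/projects and /1.0/profiles/default, the LXD project config keys features.* and restricted, and an injectable transport object with get/post/put methods; the FakeLXD class and the u-victim sample value are constructed here so the example runs offline. The network and pool names ovn-net and local-pool come from the ADR. Beyond the ADR text, it also shows the check a gateway needs at step 3: any project parameter the client supplies must be dropped before the gateway appends its own, otherwise the tenant could name somebody else's project.

```python
"""Illustration of ADR 0003 (added example, not the project's code)."""
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: keep project names to lowercase alphanumerics and hyphens.
SAFE_NAME = re.compile(r"^u-[a-z0-9-]{1,60}$")


def project_name_for(sub: str) -> str:
    """Step 1: derive the tenant's LXD project name u-<sub>.

    OIDC subject IDs are opaque and may contain characters that are not safe
    in an LXD name; those are replaced by a deterministic SHA-256 prefix so the
    mapping stays stable and two different subs cannot map to one project.
    """
    candidate = f"u-{sub}"
    if SAFE_NAME.match(candidate):
        return candidate
    return "u-" + hashlib.sha256(sub.encode("utf-8")).hexdigest()[:32]


def ensure_project(transport, project: str) -> bool:
    """Step 2: create the project on first use. Returns True if it was created."""
    if transport.get(f"/1.0/projects/{project}") == 200:
        return False
    transport.post("/1.0/projects", {
        "name": project,
        "config": {
            "features.profiles": "true",         # project owns its own profiles
            "features.images": "true",
            "features.storage.volumes": "true",
            "features.networks": "false",        # networks stay shared (ovn-net)
            "restricted": "true",                # opt in to LXD restricted mode
        },
    })
    # Pin the project's default profile to the shared OVN network and storage
    # pool named in the ADR; instances inherit these devices.
    transport.put(f"/1.0/profiles/default?project={project}", {
        "devices": {
            "eth0": {"type": "nic", "network": "ovn-net", "name": "eth0"},
            "root": {"type": "disk", "path": "/", "pool": "local-pool"},
        },
    })
    return True


def scope_request_path(path: str, project: str) -> str:
    """Step 3: rewrite the forwarded path so it is scoped to the tenant's project.

    A client-supplied `project` query parameter is discarded before the
    gateway's own value is appended.
    """
    parts = urlsplit(path)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "project"]
    params.append(("project", project))
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(params), parts.fragment))


def handle(transport, sub: str, path: str) -> str:
    """Gateway hot path: derive, ensure, then forward with the project scope."""
    project = project_name_for(sub)
    ensure_project(transport, project)
    return scope_request_path(path, project)


class FakeLXD:
    """In-memory stand-in for the LXD REST API (constructed for offline use)."""

    def __init__(self):
        self.projects = {}
        self.profiles = {}

    def get(self, path):
        return 200 if path.rsplit("/", 1)[-1] in self.projects else 404

    def post(self, path, body):
        self.projects[body["name"]] = body["config"]
        return 201

    def put(self, path, body):
        self.profiles[path] = body
        return 200


if __name__ == "__main__":
    lxd = FakeLXD()
    # Constructed sample: the client tries to read another tenant's instances.
    print(handle(lxd, "alice-123", "/1.0/instances?project=u-victim&recursion=1"))
```

The rewrite step is the one to audit in a real gateway: the project scope must be set from the authenticated identity after the client's query string has been parsed and stripped, never by string concatenation onto the raw path.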

Consequences

  • Pros: Tenant segregation is enforced by the LXD hypervisor; users cannot view other tenants' resources even if they intercept API calls; minimal database modeling is needed for tenancy.
  • Cons: Direct integration with LXD OVN network bridges is required; operations are slightly slower because the project and its profiles are initialized dynamically.