instance.save() tries and fails to modify volatile key in restricted project #569

@p-ouellette

Create a restricted project with restricted.idmap.uid configured to allow setting raw.idmap:

lxc project create testproj -c restricted=true -c restricted.idmap.uid=1000
lxc profile show default | lxc profile edit default --project testproj
lxc init ubuntu:22.04 u1 --project testproj

Run the following Python script:

import pylxd
client = pylxd.Client(project="testproj")
c = client.containers.get("u1")
c.config["raw.idmap"] = "uid 1000 1000"
c.save(wait=True)
# Uncommenting the following line fixes the error
# c = client.containers.get("u1")
c.save(wait=True)

Output:

Traceback (most recent call last):
  File "/tmp/test.py", line 7, in <module>
    c.save(wait=True)
  File "/tmp/.venv/lib/python3.10/site-packages/pylxd/models/_model.py", line 222, in save
    response = self.api.put(json=marshalled)
  File "/tmp/.venv/lib/python3.10/site-packages/pylxd/client.py", line 229, in put
    self._assert_response(response, allowed_status_codes=(200, 202))
  File "/tmp/.venv/lib/python3.10/site-packages/pylxd/client.py", line 145, in _assert_response
    raise exceptions.LXDAPIException(response)
pylxd.exceptions.LXDAPIException: Changing "volatile.idmap.next" on container "u1" in project "testproj" is forbidden

The issue seems to be that the second save sends an outdated value for volatile.idmap.next. Re-fetching the instance state fixes this.
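
Added example, not part of the original issue and not pylxd or LXD code: a constructed in-memory model of the failure described above, showing why a full-object save from a stale cache is rejected and why re-fetching first succeeds. The `FakeServer` policy, its recomputation of `volatile.idmap.next`, the stored values and the `refetch` name are all assumptions made for illustration.

```python
class Forbidden(Exception):
    """Stands in for the LXDAPIException in the traceback."""

class FakeServer:
    """Constructed stand-in for the LXD API of a restricted project."""
    def __init__(self):
        self.config = {"volatile.idmap.next": "[]"}  # constructed value

    def get(self):
        return dict(self.config)

    def put(self, new_config):
        # Assumed policy: a full-object PUT may not alter any volatile.* key.
        for key in sorted(set(self.config) | set(new_config)):
            changed = self.config.get(key) != new_config.get(key)
            if key.startswith("volatile.") and changed:
                raise Forbidden(f'Changing "{key}" is forbidden')
        self.config = dict(new_config)
        # Assumed side effect: the server derives the volatile key itself.
        if "raw.idmap" in new_config:
            self.config["volatile.idmap.next"] = f"[{new_config['raw.idmap']}]"

class CachedInstance:
    """Client object that PUTs its whole cached config, like `c` in the script."""
    def __init__(self, server):
        self.server = server
        self.config = server.get()

    def refetch(self):  # hypothetical name; mirrors client.containers.get("u1")
        self.config = self.server.get()

    def save(self):
        self.server.put(self.config)

def double_save(refetch_between):
    """Replay the script's two saves; return "ok" or the server's error text."""
    c = CachedInstance(FakeServer())
    c.config["raw.idmap"] = "uid 1000 1000"
    c.save()  # accepted: the cached volatile value still matches the server
    if refetch_between:
        c.refetch()  # pick up the value the server wrote after the first save
    try:
        c.save()  # without the refetch, this sends the outdated volatile value
        return "ok"
    except Forbidden as exc:
        return str(exc)

if __name__ == "__main__":
    print(double_save(False), "|", double_save(True))
```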
