One nifty new feature of the newly released LXD 4.22 is the ability for regular users to safely interact with LXD.
Until now, LXD has suffered from much the same issue as the likes of Docker and Libvirt in indirectly granting full root access to anyone who’s allowed to interact with it. This was possible through a number of different options (device passthrough, privileged container, custom ID maps, …). While not a problem on a developer’s laptop, it’s a no-go for most shared environments, especially in a corporate setting.
Over the years, LXD has grown support for proper remote authentication, fancy access control (RBAC) and projects as ways to restrict specific users to a subset of LXD’s features so multiple people can safely share a LXD server or cluster.
With LXD 4.22, this is now all doable locally with normal local users, making it a great fit for desktop systems, especially multi-user desktops in a corporate environment.
Here is an overview of the feature from our release live stream:
https://www.youtube.com/watch?v=Blx7cdygiS8&t=848s
For those who aren’t into video watching, the instructions basically are:
snap install lxd
snap set lxd daemon.user.group=users
With that done, any user in the users group will be allowed to interact with LXD despite not being in the all-powerful lxd group.
The first time one such user interacts with LXD, they will automatically get their own restricted project which will look like this:
foo@v1:~$ lxc project list
+---------------------+--------+----------+-----------------+----------+------------------------------------------+---------+
| NAME                | IMAGES | PROFILES | STORAGE VOLUMES | NETWORKS | DESCRIPTION                              | USED BY |
+---------------------+--------+----------+-----------------+----------+------------------------------------------+---------+
| user-1001 (current) | YES    | YES      | YES             | NO       | User restricted project for "foo" (1001) | 3       |
+---------------------+--------+----------+-----------------+----------+------------------------------------------+---------+
foo@v1:~$ lxc project show user-1001
config:
  features.images: "true"
  features.networks: "false"
  features.profiles: "true"
  features.storage.volumes: "true"
  restricted: "true"
  restricted.containers.nesting: allow
  restricted.devices.disk: allow
  restricted.devices.disk.paths: /home/foo
  restricted.devices.gpu: allow
  restricted.idmap.gid: "1003"
  restricted.idmap.uid: "1001"
description: User restricted project for "foo" (1001)
name: user-1001
used_by:
- /1.0/instances/welcome-earwig?project=user-1001
- /1.0/images/ced57a80f2b761c3cdab867c2296b801c6adfe521f811bacdd61410da4bc2734?project=user-1001
- /1.0/profiles/default?project=user-1001
Which in practice allows the user to just do:
foo@v1:~$ lxc launch ubuntu:20.04
Creating the instance
Instance name is: welcome-earwig
Starting welcome-earwig
foo@v1:~$ lxc list
+----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| NAME           | STATE   | IPV4                | IPV6                                          | TYPE      | SNAPSHOTS |
+----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
| welcome-earwig | RUNNING | 10.31.36.109 (eth0) | fd42:fa4a:d38d:1c7b:216:3eff:fed1:63aa (eth0) | CONTAINER | 0         |
+----------------+---------+---------------------+-----------------------------------------------+-----------+-----------+
And get a container, or virtual machine, running immediately, with no configuration and without ever having needed any kind of elevated privileges.
Should that user try to create a privileged container, pass in paths outside of their home directory or do any device passthrough other than GPUs, it will be rejected by LXD.
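If you want to confirm that a user's auto-created project really is confined the way the output above shows, here is an added example (not part of LXD or of this post) that parses `lxc project show` output and flags settings that would let disk devices reach outside the user's home or map to a different uid. The sample text is constructed from the output above; `audit_live` assumes the `lxc` client is installed and is the only part that touches a real host.

```python
import subprocess

# Constructed sample, copied from the `lxc project show user-1001` output above.
SAMPLE_PROJECT = """\
config:
  features.images: "true"
  features.networks: "false"
  features.profiles: "true"
  features.storage.volumes: "true"
  restricted: "true"
  restricted.containers.nesting: allow
  restricted.devices.disk: allow
  restricted.devices.disk.paths: /home/foo
  restricted.devices.gpu: allow
  restricted.idmap.gid: "1003"
  restricted.idmap.uid: "1001"
description: User restricted project for "foo" (1001)
name: user-1001
"""


def parse_config(text):
    """Collect the flat key/value pairs under the top-level `config:` block."""
    cfg, in_config = {}, False
    for line in text.splitlines():
        if not line.startswith(" "):          # top-level key: are we entering config?
            in_config = line.strip() == "config:"
        elif in_config and ":" in line:
            key, _, value = line.strip().partition(":")
            cfg[key] = value.strip().strip('"')
    return cfg


def audit_project(text, home, uid):
    """Return findings for any setting that would let the user escape their own project."""
    cfg = parse_config(text)
    findings = []
    if cfg.get("restricted") != "true":
        findings.append("restricted is not true: no restrictions are enforced")
    if cfg.get("restricted.idmap.uid") != str(uid):
        findings.append("restricted.idmap.uid does not match uid %d" % uid)
    if cfg.get("restricted.devices.disk") == "allow":
        # With disk devices allowed, an empty path list means any host path may be passed through.
        prefix = home.rstrip("/") + "/"
        paths = [p.strip() for p in cfg.get("restricted.devices.disk.paths", "").split(",") if p.strip()]
        outside = [p for p in paths if p != home and not p.startswith(prefix)]
        if not paths or outside:
            findings.append("disk devices may reach outside %s: %s" % (home, outside or "any path"))
    return findings


def audit_live(project, home, uid):
    """Run the same audit against a real LXD host (assumes the lxc client is installed)."""
    out = subprocess.check_output(["lxc", "project", "show", project], text=True)
    return audit_project(out, home, uid)
```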
Log in as another user on the system and you’ll get the exact same behavior: every user gets their own personal project and can’t see the others. Well, unless they are part of the lxd group, in which case they can see everything going on on the system.
We’re hoping that this feature can be used to provide experiences similar to that of WSL on Windows or Crostini on ChromeOS where getting containers going is just a few clicks away and the main system remains nice and safe.
Enjoy!