Getting "Error: not authorized" when running lxc list with lxd-user

kees · August 31, 2022, 2:24pm

I have followed the instructions to allow “regular” users to run lxc commands, by doing

$ sudo snap set lxd daemon.user.group=users

When a user in the group users runs the command lxc list he is getting

$ lxc ls
Error: not authorized

Strange enough, I did the same on another system and there is simply worked without errors. I’ve checked everything over and over, but I cannot find what I did wrong.

How can I find out what is causing that error?

tomp · August 31, 2022, 2:26pm

Can you try doing:

sudo systemctl reload snap.lxd.daemon

And see if that helps.

kees · August 31, 2022, 2:29pm

Hey @tomp
No, that didn’t help

tomp · August 31, 2022, 2:47pm

Can you show output of id please

kees · August 31, 2022, 2:55pm

$ id
uid=1001(keesbtest) gid=1001(keesbtest) groups=1001(keesbtest),100(users)
$ sudo ls -lR /var/snap/lxd/common/lxd-user/
/var/snap/lxd/common/lxd-user/:
total 0
srw-rw----. 1 root users 0 31 aug 09:02 unix.socket
drwx------. 1 root root  8 30 aug 13:19 users

/var/snap/lxd/common/lxd-user/users:
total 0
drwx------. 1 root root 40 30 aug 13:19 1001

/var/snap/lxd/common/lxd-user/users/1001:
total 8
-rw-r--r--. 1 root root 717 30 aug 13:19 client.crt
-rw-------. 1 root root 288 30 aug 13:19 client.key

tomp · August 31, 2022, 2:57pm

As an admin user (i.e accessing the main LXD unix socket) can you show lxc project list and lxc config trust list please.

kees · August 31, 2022, 3:04pm

As admin user

$ lxc project list
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                  DESCRIPTION                   | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | Default LXD project                            | 8       |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001         | YES    | YES      | YES             | YES             | NO       | User restricted project for "keesbtest" (1001) | 1       |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+

$ lxc config trust list
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
|  TYPE  |     NAME      |    COMMON NAME    | FINGERPRINT  |          ISSUE DATE           |          EXPIRY DATE          |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
| client | lxd-user-1001 | root@moorsterbeek | f1093bae1cca | Aug 30, 2022 at 11:19am (UTC) | Aug 27, 2032 at 11:19am (UTC) |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+

BTW that “regular” user can also see his own project

$ lxc project list
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
|   NAME    | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                  DESCRIPTION                   | USED BY |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001 | YES    | YES      | YES             | YES             | NO       | User restricted project for "keesbtest" (1001) | 1       |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+

tomp · August 31, 2022, 3:07pm

What if you do lxc list --project=user-1001 as the regular user?

kees · September 1, 2022, 7:14am

Yes, that works.

So, after I did a switch, it now works as expected.

$ lxc project switch user-1001
$ lxc ls
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+

Strange enough, on some other PC this was not needed. There it worked out-of-the-box. Also, in Stephane’s video there was no mention of this. The switch might be done automatically, but not in all cases.

tomp · September 1, 2022, 7:22am

Great. So it sounds like the user socket isn’t setting the project automatically.

Any ideas @stgraber ?

stgraber · September 1, 2022, 9:34am

The CLI will only setup the project as its default project if no pre-existing configuration exists.

You could check that this works by wiping the client config with rm -Rf ~/snap/lxd.

kees · September 1, 2022, 9:51am

Yes, that is correct.

So, it was my bad luck to try lxc commands before adding the user to the allowed user-group. Maybe a bad habit to first try the failure case