Getting "Error: not authorized" when running lxc list with lxd-user

I have followed the instructions to allow “regular” users to run lxc commands, by doing

$ sudo snap set lxd daemon.user.group=users

When a user in the group users runs the command lxc list he is getting

$ lxc ls
Error: not authorized

Strange enough, I did the same on another system and there is simply worked without errors. I’ve checked everything over and over, but I cannot find what I did wrong.

How can I find out what is causing that error?

Can you try doing:

sudo systemctl reload snap.lxd.daemon

And see if that helps.

Hey @tomp
No, that didn’t help

Can you show output of id please

$ id
uid=1001(keesbtest) gid=1001(keesbtest) groups=1001(keesbtest),100(users)
$ sudo ls -lR /var/snap/lxd/common/lxd-user/
/var/snap/lxd/common/lxd-user/:
total 0
srw-rw----. 1 root users 0 31 aug 09:02 unix.socket
drwx------. 1 root root  8 30 aug 13:19 users

/var/snap/lxd/common/lxd-user/users:
total 0
drwx------. 1 root root 40 30 aug 13:19 1001

/var/snap/lxd/common/lxd-user/users/1001:
total 8
-rw-r--r--. 1 root root 717 30 aug 13:19 client.crt
-rw-------. 1 root root 288 30 aug 13:19 client.key

As an admin user (i.e accessing the main LXD unix socket) can you show lxc project list and lxc config trust list please.

As admin user

$ lxc project list
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                  DESCRIPTION                   | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | Default LXD project                            | 8       |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001         | YES    | YES      | YES             | YES             | NO       | User restricted project for "keesbtest" (1001) | 1       |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+

$ lxc config trust list
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
|  TYPE  |     NAME      |    COMMON NAME    | FINGERPRINT  |          ISSUE DATE           |          EXPIRY DATE          |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
| client | lxd-user-1001 | root@moorsterbeek | f1093bae1cca | Aug 30, 2022 at 11:19am (UTC) | Aug 27, 2032 at 11:19am (UTC) |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+

BTW that “regular” user can also see his own project

$ lxc project list
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
|   NAME    | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                  DESCRIPTION                   | USED BY |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001 | YES    | YES      | YES             | YES             | NO       | User restricted project for "keesbtest" (1001) | 1       |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+

What if you do lxc list --project=user-1001 as the regular user?

Yes, that works.

So, after I did a switch, it now works as expected.

$ lxc project switch user-1001
$ lxc ls
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+

Strange enough, on some other PC this was not needed. There it worked out-of-the-box. Also, in Stephane’s video there was no mention of this. The switch might be done automatically, but not in all cases.

Great. So it sounds like the user socket isn’t setting the project automatically.

Any ideas @stgraber ?

The CLI will only setup the project as its default project if no pre-existing configuration exists.

You could check that this works by wiping the client config with rm -Rf ~/snap/lxd.

1 Like

Yes, that is correct.

So, it was my bad luck to try lxc commands before adding the user to the allowed user-group. Maybe a bad habit to first try the failure case :slight_smile: