kees
(Kees Bakker)
August 31, 2022, 2:24pm
1
I have followed the instructions to allow “regular” users to run lxc commands, by doing
$ sudo snap set lxd daemon.user.group=users
When a user in the group users runs the command lxc list he is getting
$ lxc ls
Error: not authorized
Strangely enough, I did the same on another system and there it simply worked without errors. I’ve checked everything over and over, but I cannot find what I did wrong.
How can I find out what is causing that error?
tomp
(Thomas Parrott)
August 31, 2022, 2:26pm
2
Can you try doing:
sudo systemctl reload snap.lxd.daemon
And see if that helps.
kees
(Kees Bakker)
August 31, 2022, 2:29pm
3
Hey @tomp
No, that didn’t help
tomp
(Thomas Parrott)
August 31, 2022, 2:47pm
4
Can you show output of id please
kees
(Kees Bakker)
August 31, 2022, 2:55pm
5
$ id
uid=1001(keesbtest) gid=1001(keesbtest) groups=1001(keesbtest),100(users)
$ sudo ls -lR /var/snap/lxd/common/lxd-user/
/var/snap/lxd/common/lxd-user/:
total 0
srw-rw----. 1 root users 0 31 aug 09:02 unix.socket
drwx------. 1 root root 8 30 aug 13:19 users
/var/snap/lxd/common/lxd-user/users:
total 0
drwx------. 1 root root 40 30 aug 13:19 1001
/var/snap/lxd/common/lxd-user/users/1001:
total 8
-rw-r--r--. 1 root root 717 30 aug 13:19 client.crt
-rw-------. 1 root root 288 30 aug 13:19 client.key
tomp
(Thomas Parrott)
August 31, 2022, 2:57pm
6
As an admin user (i.e. accessing the main LXD unix socket) can you show lxc project list and lxc config trust list please.
kees
(Kees Bakker)
August 31, 2022, 3:04pm
7
As admin user
$ lxc project list
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| NAME | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | DESCRIPTION | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| default (current) | YES | YES | YES | YES | YES | Default LXD project | 8 |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001 | YES | YES | YES | YES | NO | User restricted project for "keesbtest" (1001) | 1 |
+-------------------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
$ lxc config trust list
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
| TYPE | NAME | COMMON NAME | FINGERPRINT | ISSUE DATE | EXPIRY DATE |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
| client | lxd-user-1001 | root@moorsterbeek | f1093bae1cca | Aug 30, 2022 at 11:19am (UTC) | Aug 27, 2032 at 11:19am (UTC) |
+--------+---------------+-------------------+--------------+-------------------------------+-------------------------------+
BTW that “regular” user can also see his own project
$ lxc project list
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| NAME | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS | DESCRIPTION | USED BY |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
| user-1001 | YES | YES | YES | YES | NO | User restricted project for "keesbtest" (1001) | 1 |
+-----------+--------+----------+-----------------+-----------------+----------+------------------------------------------------+---------+
tomp
(Thomas Parrott)
August 31, 2022, 3:07pm
8
What if you do lxc list --project=user-1001 as the regular user?
kees
(Kees Bakker)
September 1, 2022, 7:14am
9
Yes, that works.
So, after I did a switch, it now works as expected.
$ lxc project switch user-1001
$ lxc ls
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
Strangely enough, on some other PC this was not needed. There it worked out-of-the-box. Also, in Stephane’s video there was no mention of this. The switch might be done automatically, but not in all cases.
tomp
(Thomas Parrott)
September 1, 2022, 7:22am
10
Great. So it sounds like the user socket isn’t setting the project automatically.
Any ideas @stgraber ?
stgraber
(Stéphane Graber)
September 1, 2022, 9:34am
11
The CLI will only set up the project as its default project if no pre-existing configuration exists.
You could check that this works by wiping the client config with rm -Rf ~/snap/lxd.
kees
(Kees Bakker)
September 1, 2022, 9:51am
12
Yes, that is correct.
So, it was my bad luck to try lxc commands before adding the user to the allowed user-group. Maybe a bad habit to first try the failure case.
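Added example, not part of the thread or of LXD itself: a shell sketch of the check the thread converged on, telling a stale client configuration (current project not set to the restricted user-<uid> project) apart from a missing user project. The function names and result strings are hypothetical, and it assumes the table layout and the "(current)" marker shown in the outputs above.

```shell
#!/bin/sh
# Sample tables, trimmed to two columns from the thread's output.
ADMIN_VIEW='| NAME              | IMAGES |
| default (current) | YES    |
| user-1001         | YES    |'
USER_VIEW='| NAME      | IMAGES |
| user-1001 | YES    |'
# Constructed: assumed view of the restricted user after "lxc project switch".
AFTER_SWITCH='| NAME                | IMAGES |
| user-1001 (current) | YES    |'

# Restricted project name for a UID, following the thread's "user-1001".
expected_project() { printf 'user-%s\n' "$1"; }

# Print the project marked "(current)" in a table on stdin, or nothing.
current_project() {
    awk -F'|' '$2 ~ /\(current\)/ {
        n = $2; sub(/^ +/, "", n); sub(/ *\(current\).*$/, "", n)
        print n; exit }'
}

# Succeed if the table on stdin lists project $1.
lists_project() {
    awk -F'|' -v p="$1" 'NF > 2 {
        n = $2; gsub(/^ +| +$/, "", n); sub(/ \(current\)$/, "", n)
        if (n == p) found = 1 }
        END { exit !found }'
}

# $1 = uid, stdin = "lxc project list" table as seen by that user.
diagnose() {
    table=$(cat)
    want=$(expected_project "$1")
    cur=$(printf '%s\n' "$table" | current_project)
    if ! printf '%s\n' "$table" | lists_project "$want"; then
        echo "no-user-project"    # user-<uid> is not visible to this client
    elif [ "$cur" = "$want" ]; then
        echo "ok"
    else
        echo "switch-needed"      # stale client config: lxc project switch
    fi
}

# Live use (hypothetical invocation): lxc project list | diagnose "$(id -u)"
```

A "switch-needed" result corresponds to the state in post 7, where the regular user's listing shows user-1001 without a "(current)" marker.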