How to find out the LXC privilege?

Prcek · July 6, 2024, 10:21pm

Hi all,

I would like to find a way to know that LXC is running as privileged/unprivileged. It doesn’t seem to be possible to find out from incus info <name>

>incus info first

Name: first
Status: RUNNING
Type: container
Architecture: x86_64
PID: 15967
Created: 2024/07/06 23:58 CEST
Last Used: 2024/07/06 23:58 CEST

Resources:
...

For now, I am using output of echo "cat /proc/self/uid_map" | incus shell <name>

Thank you.

stgraber · July 7, 2024, 2:37am

incus config show --expanded first, if security.privileged is set to true, then it’s privileged, otherwise it’s not.

Prcek · July 7, 2024, 8:29pm

Ok, but no security. records here:

> incus config show --expanded first
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Ubuntu jammy amd64 (20240704_07:42)
  image.os: Ubuntu
  image.release: jammy
  image.serial: "20240704_07:42"
  image.type: squashfs
  image.variant: default
  volatile.base_image: 0b77ff338d78acd083690378108c1c4d5f7e9deeb041319ec4c034e472b8f3f3
  volatile.cloud-init.instance-id: 726d7fa6-3361-4e53-a291-fc89f7841aa1
  volatile.eth0.host_name: vetha1b6e8b7
  volatile.eth0.hwaddr: 00:16:3e:53:8a:a6
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 0801aa71-785c-4001-a634-32ca5f1c0737
  volatile.uuid.generation: 0801aa71-785c-4001-a634-32ca5f1c0737
devices:
  eth0:
    name: eth0
    network: incusbr0
    type: nic
  root:
    path: /
    pool: default
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

Running version:

> incus version
Client version: 6.0.1
Server version: 6.0.1

Instance named “first” is container of course, not VM.

stgraber · July 8, 2024, 4:08am

As I said, if it’s set to true, then it’s privileged. In your case, it’s not set, so it’s not privileged.

Prcek · July 8, 2024, 9:41am

So security.privileged is not mandatory record. Now I understand. Thank you.

simos · July 8, 2024, 10:17am

Also, the default when creating containers in Incus is unprivileged.

If you want to create a privileged container, you need to explicitly specify it in the command line, or perhaps use an Incus profile that enables it.

stgraber · July 8, 2024, 3:00pm

Right, its default value is false.