I saw this video and how he use lxd to bypass sudo request for user password
https://youtube.com/watch?v=58-145bvu_8
And I want to secure my environment by make the lxc ask for root password when create container with root privileges
lxc launch images:ubuntu/bonic nameOfContainer -c security.privileged=true
or how to make it ask for root privileges for any change on security settings
If your non-root user account is a member of the lxd group, then this non-root user account is able to use the lxc client and perform all sorts of management tasks on the LXD server. Including the launching of containers with the security.privileged=true flag.
It is a known issue that the non-root user account that is a member of the lxd group, should be considered an administrator. The reason is that LXD is so versatile as a hypervisor that there should be many ways to get root in such ways. The security.privileged flag is the most straightforward way.
LXD supports Role-based Access Control (RBAC), although there is no (AFAIK) free RBAC service currently available. There is the Canonical RBAC, which you may be able to use for free for a limited number of LXD installations. See https://landscape.canonical.com/
All in all, if the above sound too complicated, you can just avoid using a non-root user account with the lxd group membership. If you do not have such an account, then you need to use sudo for every lxc command. Hence, you will be asked for a password.
We have some planned work to allow tying a specific client certificate to a limited set of projects and only giving them an operator role.
With this in place you would be able to create a project with restrictions and limits and then limit a user just to that project as well as preventing them from reconfiguring the protect.
I can see the restricted.* keys for LXD projects, https://linuxcontainers.org/lxd/docs/master/projects
Looking forward to seeing the results once all the pieces fall in place.