Incus exec command with user belonging to multiple groups


Been trying my luck with amazing incus project :wink:

I have created a VM and a user within that VM. I added that user to multiple groups.

I use exec to directly log into the VM for that user as show below

incus exec vm01 --user 1001 --cwd /home/okr --env 'HOME=/home/okr' bash

However, when I run groups command, it shows only one group that is root.

So I changed the command to this instead:

incus exec vm01 --user 1001 --group 1001 --cwd /home/okr --env 'HOME=/home/okr' bash

This now logs me with the same group as the user, however this user is a member of other groups as well. I tried adding multiple --group entries, but it does not work.

Is it possible to achieve this? That is, if the user is a member of N groups then groups command should give me N results.

Thanks a ton!

Welcome to the Incus support forum!

When you run incus exec, you run a command in the instance. That command could be an interactive shell. I think that what you are looking for, is a login shell.

I am not sure how to achieve that with just incus exec parameters. We have been doing this using features of the instance to launch such a login shell.

Using su -l

$ incus exec mydebian -- su -l debian

Using sudo --login --user xyz

$ incus exec mydebian -- sudo --login --user debian

Using incus shell

incus shell is an internal alias in Incus. Yes, Incus has command aliases with incus alias and one of them is internal, built-in into the incus client. It does a su -l as above. The alias does not specify a user account, therefore you su -l to root.

You would select which command is your preferred command to get a shell into an Incus instance, and then write a incus alias that will let you get a shell without supplying all the parameters.

1 Like

liblxc’s attach logic doesn’t provide a way to seed the setgroups list, so additional groups cannot be specified.

As @simos mentioned, your best bet is to instead use something like su inside of the container to go through the container’s PAM stack and apply the groups listed in /etc/groups for your user

1 Like

This is it, thanks :smile: