`lxc` commands history feature

It would be very useful to have a lxc history same as the zfs zpool history.

I was searching my history file to find what a user have done to is container.

Unfortunate the bash history file has not been update for some reason.

Unlike ZFS, what is going on in the container is transparent to LXD. That is, when you run commands in a container, LXD is not involved at all.

A container is a process tree that is launched (or restarted) by LXD. When you run a command in a container, then that command is part of the process tree. I do not think it is fit for LXD to inspect the process tree and keep such history. You would rather use some other tool that specifically does this logging.

What is going on “In” the container is not relevant, but what is going on on the host mater, so I guess that the lxc command could be alter to save all successful operation inside a new database.

Let me know if you understand me, sorry my first language is french… :wink:

My program LXDMosaic will do this if you have recorded actions enabled,

you might be able to-do something with the events API but I haven’t done enough digging to see if you could “watch” for the level of detail you are looking for - for that reason it requires you to use the web interface to record the actions, I.E

*Please excuse the JSON output for the detail, there is alot of events to properly account for *

That just remember me to update my LXDMosaic !

I don’t mind the jason format.

I will test the new version soon

Ok, it now makes sense. I updated the title to "lxc commands history feature". I hope it is OK with you.

Indeed the lxc commands go through the LXD service, and LXD could keep a history of them per container. I did not notice a discussion on this on https://github.com/lxc/lxd/issues
I suggest to create an issue/feature at https://github.com/lxc/lxd/issues with title like Keep a history of lxc commands that ran for each container.
I do not know whether it will get implemented but it would be good to have it discussion on github.

This feature can also be implemented in the client as in LXDMosaic. It superficially looks more suitable to implement in a graphical client like LXDMosaic rather than in the lxc command. Because if it was to be implemented in the lxc command, it would better fit to implement in the LXD service.

We have lifecycle events for this. LXD doesn’t like keeping full records of things as that’s needless DB churn, but our lifecycle API is designed such that someone could write a small auditing bridge that records those events even for a large LXD cluster.

It’s worth noting that the data in those events isn’t very detailed though.
It will tell you that a container got created, started, stopped, config updated, snapshot/backup created, … but it won’t provide details on what was changed for example, mostly because LXD itself doesn’t know (the CLI provides a new config and we apply it by replacing the old one, we don’t have a diff).

absolutly ok with me.

What would me nice is typing lxc history and see the equivalent bash " history | grep lxc " but for all user. zfs have that feature in https://github.com/illumos/illumos-gate/blob/master/usr/src/uts/common/fs/zfs/spa_history.c

I will continue to investigate how to write a wrapper for the lxc command to record all action made with the command without calling api.

I still think that having this feature is a very big plus for oper-rationalizing lxd.

Doing that would require the command line commands to be sent to the server which isn’t how things work. A single lxc command may do a dozen API calls to the server, so there is no way to show all lxc BLAH done on the system.

That’s obviously different for ZFS where they have a single CLI tool that directly applies the changes, no API and so can have that CLI tool maintain a global log.

There is no need to know the back end command, only need to store the exact lxc command that was use.

Where would that be stored and by what?

Notting fancy

It coult be a simple /var/log/lxc.cmd.log or journalctl

lxc history could be an alias of cat or less /var/log/lxc.cmd.log

I do understand the complexity of the relation from the lxd client and the lxd server. So maybe the lxc commend can send the info using syslog. But that would also mean that a remote client cannot retreive the remote command send to the lxd server / syslog.

You can get this functionality already with some bash shell magic.

$  sudo touch /var/log/lxc.cmd.log
$ sudo chmod 777 /var/log/lxc.cmd.log
$ sudo chattr +a /var/log/lxc.cmd.log

Then, setup the shell so that the HISTFILE and other bash history environment variables are read-only.

readonly HISTFILE=/var/log/lxc.cmd.log

It took a will to get back :frowning:

Here is a solution that work with bash:

#### VARIABLE TO ADD TO .bashrc to make shure that all simultanous session
#### get able to write and not overwrite the user history

shopt -s histappend

        a=$(history 2 | sed 's/^ *[^ ]* *//' | cut -d$'\n' -f1);
        if [[ $a == "lxc"* ]]; then
                  if [[ "$a" != "$b" ]]; then
                                echo $a >> ~/lxc.cmd.log

## Assign execution of the lastcmd everytime you get a prompt from bash
export PROMPT_COMMAND=lastcmd

## make shure we run lastcmd after you press enter
trap lastcmd DEBUG