LXC Interaction Flow with two Unprivileged Users

This may be asking explicitly for an anti-pattern; apologies if that is the case. Trying to get my head around an idea.

I have a use case where (in its simplest form) two unprivileged users would want to maintain (start/stop/attach) a shared container.

The way this is handled now is clunky: basically, one user is the “owner” of the container and lifecycles it (start/stop) and provides access to the other user via an ssh instance on the container.

Is it possible to create an unprivileged container as an unprivileged user in a way that another user can also see and interact with that container using the lxc commands?

If you are talking about LXD, containers don’t have an owner, as far as I know. All users who can use the lxc command can do everything the lxd command does. You can even run lxc commands remotely, by adding an LXD daemon to your remote list (lxc remote add), which means there is no local user involved. I use this remote capability and I run lxc commands both locally (on the system where LXD runs) and remotely, on the same containers.

If you are not talking about LXD but about the original LXC, then start using LXD.

I am talking about purely LXC rather than LXD. I understand the sentiment that LXD may solve this problem for me, and I’ve had my eyes on it for a bit, but was waiting for the Debian packaging to be sorted out.

Is this type of interaction possible with just LXC?

I don’t know. I regret the time I spent reading about pure LXC (lxc- commands). I should have started directly with LXD. The recommended mechanism for installing LXD is via snapd, not Debian packaging.

For LXD, see RBAC and Candid authentication at https://lxd.readthedocs.io/en/latest/security/