LXD from snap package - how to run unprivileged containers?

I have installed LXD from a snap package on an Ubuntu 14.04 server and executed an initial lxd init.

Apparently the lxd.lxc [command] commands need to be run with sudo.
So, are those containers created as privileged ones by default? How would you run unprivileged containers with a snapped LXD?

First a quick note: the LXD snap should have automatically set up an alias from “lxc” to “lxd.lxc”, so you don’t need to type “lxd.lxc” constantly :slight_smile:

LXD is a daemon and always runs as root. This is unrelated to privileged vs. unprivileged containers, where the difference is whether root in the container is real root or not.

Anyone who can talk to LXD can create containers. By default those containers are unprivileged but it’s just a matter of setting security.privileged=true on a LXD container and restarting it to then have it be privileged.

LXD will allow members of the “lxd” group to interact with the daemon, this lets you give non-root users the ability to talk to LXD. Do note that this is pretty much equivalent to handing root access to those users since they can configure LXD to run privileged containers and pass any character/block device or disk path into them.

Anyway, to get this going with the snap package, just create the group on your system with “groupadd --system lxd”, then add your user to the group and lastly restart the LXD daemon with “systemctl restart snap.lxd.daemon.service”. The snap will detect that the group exists and pass “--group lxd” to the daemon, which will have it allow connections from anyone who’s in the “lxd” group.
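Since membership in the “lxd” group is, as the reply above says, effectively root-equivalent, an administrator will usually want to audit it alongside the privileged flag. The script below is an added example written for this thread, not code from the thread or from the LXD project: it parses /etc/group-style text for “lxd” members, flags containers whose security.privileged is true from a constructed “name value” report, and wraps the group-setup procedure from the reply in a function that only runs when explicitly requested. It assumes `lxc list --format csv -c n` and `lxc config get <name> security.privileged` behave as documented for LXD; the sample group file and report are constructed for offline use.

```shell
#!/bin/sh
# Added example (not from the thread or the LXD project).
# Audits two things the thread points out as security-relevant:
#   1. who is in the "lxd" group (root-equivalent access to the host)
#   2. which containers have security.privileged=true (root in the container is real root)

# lxd_group_exists GROUPFILE_TEXT -> exit 0 if an "lxd" group line is present
lxd_group_exists() {
    printf '%s\n' "$1" | awk -F: '$1 == "lxd" { found = 1 } END { exit !found }'
}

# lxd_group_members GROUPFILE_TEXT
# Prints the space-separated member list of the "lxd" group from
# /etc/group-style lines (name:passwd:gid:member1,member2), or nothing.
lxd_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "lxd" { gsub(",", " ", $4); print $4 }'
}

# privileged_containers REPORT_TEXT
# REPORT_TEXT has one "name value" line per container, where value is the
# output of "lxc config get <name> security.privileged" (empty when unset).
# Prints the names whose value is exactly "true".
privileged_containers() {
    printf '%s\n' "$1" | awk '$2 == "true" { print $1 }'
}

# collect_privileged_report (assumes a working lxc client; not run offline)
# Builds the "name value" report that privileged_containers expects.
collect_privileged_report() {
    lxc list --format csv -c n | while IFS= read -r name; do
        printf '%s %s\n' "$name" "$(lxc config get "$name" security.privileged)"
    done
}

# setup_lxd_group USER: the procedure from the thread. Needs root and
# restarts the snap's LXD daemon, so it only runs when asked for explicitly.
setup_lxd_group() {
    user="$1"
    if ! getent group lxd >/dev/null 2>&1; then
        sudo groupadd --system lxd
    fi
    sudo usermod -aG lxd "$user"
    sudo systemctl restart snap.lxd.daemon.service
}

# Constructed sample input standing in for /etc/group.
SAMPLE_GROUP='root:x:0:
sudo:x:27:alice
lxd:x:999:alice,bob
users:x:100:'

# Constructed sample report (what collect_privileged_report would print).
SAMPLE_REPORT='web1 
db1 true
build1 false'

if [ "${1:-}" = "--setup" ]; then
    setup_lxd_group "${2:-$USER}"
elif [ "${1:-}" = "--live" ]; then
    echo "privileged containers: $(privileged_containers "$(collect_privileged_report)")"
else
    if lxd_group_exists "$SAMPLE_GROUP"; then
        echo "lxd group members (root-equivalent): $(lxd_group_members "$SAMPLE_GROUP")"
    fi
    echo "privileged containers in sample report: $(privileged_containers "$SAMPLE_REPORT")"
fi
```

Run it with no arguments to see the parsing on the constructed samples, with `--live` on a host that has the lxc client to audit real containers, or with `--setup <user>` to perform the group setup described in the reply.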

True, noticed that as well in the meantime, thank god.

[quote=“stgraber, post:2, topic:387”]
to get this going with the snap package. Just create the group on your system with “groupadd --system lxd”, then add your user to the group and lastly, restart the LXD daemon with systemctl restart snap.lxd.daemon.service. The snap will detect that the group exists and pass “--group lxd” to the daemon which will have it allow connections from anyone who’s in the “lxd” group.
[/quote]

OK. For now I get the same lxd group error after having followed that procedure though:

sudo groupadd --system lxd
sudo usermod -aG lxd [username]
systemctl restart snap.lxd.daemon.service

Will try whether restarting the server does it any good.

BTW, isn’t it that the lxd group gets created by lxd init with a ‘conventional’ (apt install) installation of LXD? At least I can’t remember having to create an ‘lxd’ group manually on any of the previous (conventional) trials I ran.

EDIT: stopping and restarting the LXD daemon a couple of times has now actually done the trick, thanks.

P.S. I’m a bit puzzled that systemctl ... does anything at all on a 14.04 machine (which has no systemd, right?).

Maybe just something else I just don’t quite get yet :frowning:

The “lxd” group is created by the packaging script on a non-snap install. There is no equivalent to those scripts in the snap world (it’s considered to be one of its features), so we can’t have the LXD snap automatically create the group, or at least we can’t do this in a clean way :slight_smile:

snapd on Ubuntu 14.04 still uses systemd for the snaps. It’s running its own systemd instance just for that. The rest of your system will still be using upstart.
