LXD multi-user setup - Error: Failed instance creation: not authorized

Hello. I followed this guide Easy multi-user LXD setup - Desktop - Ubuntu Community Hub

But I am at my wits’ end here. So at first this was my normal LXD server; after install I configured and used it for a few weeks. Later I tried converting it to a multi-user setup. First, I tried assigning daemon.user.group to “developer”, which is an LDAP group, then its ID, then a local group. Rebooted after each time. No luck, the same issue all the time. Updating LXD from 5.0/stable to latest/stable did not help.

FYI I use an encrypted btrfs volume. lxd2 is a local group, developer is an LDAP group and its ID is 1074. For LDAP auth on local servers I use libnss-ldapd + libpam-ldapd.

FWIW I can still create containers with my local user which is in ‘lxd’ group.

$ sudo snap set lxd daemon.user.group=developer
$ sudo snap set lxd daemon.user.group=1074
$ sudo snap set lxd daemon.user.group=lxd2
# with the affected user
$ lxc launch images:debian/bullseye/amd64 test4
Creating test4
Error: Failed instance creation: not authorized

$ groups | grep lxd2 | wc -l
1
$ getent group developer | grep 1074 | wc -l
1
$ groups | grep developer | wc -l
1
$ lxc project list
+-------------------+--------+----------+-----------------+-----------------+----------+-------------------------------------------------------+---------+
|       NAME        | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                      DESCRIPTION                      | USED BY |
+-------------------+--------+----------+-----------------+-----------------+----------+-------------------------------------------------------+---------+
| default (current) | YES    | YES      | YES             | YES             | YES      | Default LXD project                                   | 8       |
+-------------------+--------+----------+-----------------+-----------------+----------+-------------------------------------------------------+---------+
| user-1180         | YES    | YES      | YES             | YES             | NO       | User restricted project for "xxxxxxx" (1180)          | 1       |
+-------------------+--------+----------+-----------------+-----------------+----------+-------------------------------------------------------+---------+
| user-1188         | YES    | YES      | YES             | YES             | NO       | User restricted project for "xxxxxx.xxxx" (1188)      | 1       |
+-------------------+--------+----------+-----------------+-----------------+----------+-------------------------------------------------------+---------+
$ lxc project show user-1188
config:
  features.images: "true"
  features.networks: "false"
  features.profiles: "true"
  features.storage.buckets: "true"
  features.storage.volumes: "true"
  restricted: "true"
  restricted.containers.nesting: allow
  restricted.devices.disk: allow
  restricted.devices.gpu: allow
  restricted.idmap.gid: "5000"
  restricted.idmap.uid: "1188"
description: User restricted project for "xxxxx" (1188)
name: user-1188
used_by:
- /1.0/profiles/default?project=user-1188
$ lxc config trust list
+--------+---------------+-------------+--------------+------------------------------+------------------------------+
|  TYPE  |     NAME      | COMMON NAME | FINGERPRINT  |          ISSUE DATE          |         EXPIRY DATE          |
+--------+---------------+-------------+--------------+------------------------------+------------------------------+
| client | lxd-user-1180 | root@lxd2   | 267963023ac3 | Oct 29, 2022 at 9:42pm (UTC) | Oct 26, 2032 at 9:42pm (UTC) |
+--------+---------------+-------------+--------------+------------------------------+------------------------------+
| client | lxd-user-1188 | root@lxd2   | f403a3fa31ab | Oct 29, 2022 at 8:07pm (UTC) | Oct 26, 2032 at 8:07pm (UTC) |
+--------+---------------+-------------+--------------+------------------------------+------------------------------+

lxc project list from that user?

Yes, that command works:

$ lxc project list
+-----------+--------+----------+-----------------+-----------------+----------+--------------------------------------------------+---------+
|   NAME    | IMAGES | PROFILES | STORAGE VOLUMES | STORAGE BUCKETS | NETWORKS |                   DESCRIPTION                    | USED BY |
+-----------+--------+----------+-----------------+-----------------+----------+--------------------------------------------------+---------+
| user-1188 | YES    | YES      | YES             | YES             | NO       | User restricted project for "xxxxx.xxxxx" (1188) | 1       |
+-----------+--------+----------+-----------------+-----------------+----------+--------------------------------------------------+---------+
$ lxc launch images:debian/bullseye/amd64 test2
Creating test2
Error: Failed instance creation: not authorized

Thanks for replying!

lxc project switch user-1188

It looks like that user had an lxc configuration prior to the lxd-user thing being setup, so it’s trying to get to your default project which it doesn’t have access to.

As a ‘lxd’ group user I can execute your command and list/create containers for that project.

As the affected user, if I run the command lxc config show, the command works but the output is empty:

$ lxc config show
config: {}

What I have just realised: in your tutorial you do not run lxd init to configure the host. But I did, to configure network, internal DNS, storage, etc. Maybe that is why the multi-user setup does not work for me?

Edit: This feature to separate containers per user is a nice-to-have for me, but not a must. If there are limitations then I can probably skip this feature, or create projects manually.

Hello. I tried setting up a test VM with an LXD server. I skipped the lxd init part and configured daemon.user.group.

Everything works as expected.

However, everything is configured with defaults.

I have a few questions, if it is possible to answer them, please.

  1. Does it mean that LXD got self-initialised with defaults?
  2. Should I be able to change those defaults to my own, like using btrfs storage as the default storage, and DHCP/DNS for containers on the lxdbr0 network?
  3. As a result, should I skip lxd init for multi-user setup?

Thank you.

Ok, in an attempt to answer my own questions I have performed two tests. I installed two new VMs and installed LXD from snap.

But did two different things:

  1. On first VM, I did not do lxd init and everything worked well.
    I did reconfigure storage and ended up with btrfs storage named ‘default’. It works for new users, where the default profile is created to use the ‘default’ storage. I did not try to reconfigure the lxdbr0 network. I just wanted to at least ensure that btrfs works and is not the issue.

  2. On the second host, I did run lxd init answering mostly with defaults, but choosing the dir driver for storage (also had to set a trust password).
    Then I ran sudo snap set lxd daemon.user.group=developer, rebooted the host and have the same issue as in this thread: other users in group “developer” cannot create containers.
    Actually, right now I cannot even use lxc:

some.user@testlxd2:~$ lxc list
Error: Get "http://unix.socket/1.0": dial unix /var/snap/lxd/common/lxd/unix.socket: connect: permission denied

So it looks like I should have a fresh install and avoid lxd init, and instead try to reconfigure the defaults?

Hi stgraber

Sorry, I read your sentence again and I think I understood what you meant. On my affected system, I have logged in with the LDAP user and ran
lxc project ls
then switch to the project that should belong to me
lxc project switch user-1180
Then I was able to launch containers. So it appears to be working, but when yet another new user logs in, they will have the same problem. Every developer will have to execute the above 2 commands the first time they log in to the lxd host. We can probably live with it, but if there is a possible way to fix this, please let me know, thank you. LXD latest/stable

Edit: it does not seem to affect my “test” environment where I skipped lxd init, and which also has LDAP users. It seems to be working fine there. It just looks like the lxd init command does something different. LXD 5.0/stable
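A login-time helper that automates the two-command workaround from this post (added example, not code from the thread or from LXD): it derives the expected project name from the caller's UID, parses the `lxc project list` table, and switches only when that restricted project exists and is not already current. It assumes the user-<uid> naming and the table layout shown above; the sample table is constructed from the thread's output, and sourcing the file from a profile script is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread or of LXD. Assumes the user-<uid>
# project naming and the `lxc project list` table layout shown in the thread.

# Constructed sample of `lxc project list` output, trimmed to the columns we parse.
SAMPLE_TABLE='+-------------------+--------+
|       NAME        | IMAGES |
+-------------------+--------+
| default (current) | YES    |
+-------------------+--------+
| user-1188         | YES    |
+-------------------+--------+'

# Print the project marked "(current)" in a project-list table passed as $1.
current_project_from_list() {
    printf '%s\n' "$1" | awk -F'|' '
        $2 ~ /\(current\)/ {
            sub(/\(current\)/, "", $2)
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            print $2
        }'
}

# Exit 0 if project $2 appears in the table passed as $1, else 1.
project_exists_in_list() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        {
            name = $2
            sub(/\(current\)/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Name of the per-user restricted project the daemon.user.group feature creates.
expected_project() {
    printf 'user-%s\n' "$(id -u)"
}

# Real entry point (assumed to be sourced from /etc/profile.d): switch to the
# caller's own project when it exists and the current project is a different one.
ensure_user_project() {
    table=$(lxc project list 2>/dev/null) || return 1
    want=$(expected_project)
    cur=$(current_project_from_list "$table")
    [ "$cur" = "$want" ] && return 0
    project_exists_in_list "$table" "$want" || return 1
    lxc project switch "$want"
}
```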