Read-only access to the unix socket

Hello,

Is there an elegant way to provide read-only access to the LXD API through the unix socket?

I’m working on a collector to fetch the container’s performance statistics but I would not want to open wide access to the collector’s account by adding it to the LXD group.

Any suggestion?

TIA,

Kind regards,

…Louis

Not right now, no.

We do have plans to add support for multiple users to LXD on top of which we’d then build an ACL layer that would effectively let you define a read-only user and map that either to a TLS certificate or a particular uid or gid for the unix socket.

But we’re probably at least a year away from having all this implemented (we’ll do this work incrementally).