Root user in LXC container

Just created my first LXD/LXC container. It opened as root.
Does this presume that all work in that container is in the root account? Or should I create a user account?
Many thanks,
LRP

For ubuntu containers, try this (change incus to lxc, if you’re using lxd):

incus exec <container_name> -- sudo --login --user ubuntu

Where ubuntu is the default user for ubuntu containers. These default users have UID 1000, so if you use other distros, you can check their name like this:

incus exec <container_name> -- getent passwd 1000 | cut -d: -f1

The images for system containers and virtual machines may or may not have a default non-root user account. In most cases, they do have such a default non-root user account.

For the images:ubuntu/22.04 image, if you launch a container out of that, then the instance (i.e. the running container) does have a non-root account, with username ubuntu.

The equivalent Debian container image has a debian user account, the Alpine container image has an alpine user account, and so on.

Let’s have a look.

  1. If you use --ephemeral, then when you stop the container, it will also be deleted automatically. This is useful for me when typing this post.
  2. When you incus exec and the executed command has parameters (like --login), you need to figure out a way so that the incus command does not try to consume the parameter. The -- characters are a Unix shell convention so that the primary command (incus) will stop interpreting parameters, and pass the rest verbatim.

$ incus launch images:ubuntu/22.04 mycontainer --ephemeral
Launching mycontainer
$ incus exec mycontainer sh
# logout
$ incus exec mycontainer bash
root@mycontainer:~# pwd
/root
root@mycontainer:~# ls -l /home/
total 1
drwxr-x--- 2 ubuntu ubuntu 5 Apr  8 07:44 ubuntu
root@mycontainer:~# tail -1 /etc/passwd
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
root@mycontainer:~# logout
$ incus exec mycontainer sudo --login --user ubuntu
Error: unknown flag: --login
$ incus exec mycontainer -- sudo --login --user ubuntu
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@mycontainer:~$ pwd
/home/ubuntu
ubuntu@mycontainer:~$ logout
$ incus exec mycontainer -- su -l ubuntu
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@mycontainer:~$ logout
$ incus exec mycontainer -- su --login ubuntu
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

ubuntu@mycontainer:~$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),27(sudo)
ubuntu@mycontainer:~$ logout
$ incus stop mycontainer
$ 

Thanks to all.

I’ve brought up the ubuntu user and created a new user account with adduser. But in both cases I got # on the CL prompt rather than the expected $. Does this mean that these are privileged containers?

NOTE: I’m new to Linux containers so no doubt will have many questions. My goal is to build a cluster for hosting websites— but much much to learn.

LRP

Show us what command you use to get a shell into the container.

lxc exec -- bash

Ah— my bad.

I didn’t read Simos’s response carefully enough. Looks like I need to install Incus rather than Canonical LXD.

LRP

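On the question raised above of whether a # prompt means a privileged container: the prompt only shows UID 0 inside the container, while the container's UID map shows which host UID that root really is. The script below is an added example, not part of the thread; the function names and sample maps are constructed, and it assumes a non-nested container so that the "outside" UID is the host's.

```shell
#!/bin/sh
# Added example (not from the thread): interpret /proc/self/uid_map.
# Each line of uid_map is: <first uid inside> <first uid outside> <count>
# Real use (names as in the thread), run on the host:
#   incus exec <container_name> -- cat /proc/self/uid_map | classify_uid_map

# Constructed sample maps, for illustration only.
PRIV_MAP='0 0 4294967295'          # no shift: container root is host root
UNPRIV_MAP='0 1000000 1000000000'  # shifted: container root is host uid 1000000

# map_uid UID: read uid_map text on stdin and print the outside (host) uid
# that the given container uid maps to, or "unmapped" if no range covers it.
map_uid() {
    awk -v uid="$1" '
        NF == 3 && uid >= $1 && uid < $1 + $3 {
            printf "%d\n", $2 + (uid - $1)
            hit = 1
            exit
        }
        END { if (!hit) print "unmapped" }'
}

# classify_uid_map: read uid_map text on stdin and print
#   privileged    container uid 0 is uid 0 outside
#   unprivileged  container uid 0 is a non-zero uid outside
#   unmapped      no range covers uid 0
classify_uid_map() {
    host_uid=$(map_uid 0)
    case "$host_uid" in
        0)        echo privileged ;;
        unmapped) echo unmapped ;;
        *)        echo unprivileged ;;
    esac
}

# Demo on the constructed maps: the same "#" prompt, two different answers.
printf '%s\n' "$PRIV_MAP"   | classify_uid_map
printf '%s\n' "$UNPRIV_MAP" | classify_uid_map
# The default user with UID 1000 under the shifted map:
printf '%s\n' "$UNPRIV_MAP" | map_uid 1000
```
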