I’ve been using LXD for some time on my machine and it rocks! I’m currently looking for a solution to give ordinary users access to containers via the lxc(1) command. The users should not be allowed to create new containers, re-configure existing containers, etc. Everything that might elevate their rights inside the hypervisor system should not be allowed. I’ve created the following sudo(8) drop-in for ‘/etc/sudoers.d/’:
Cmnd_Alias LXC_START = /var/lib/snapd/snap/bin/lxc start *, /usr/bin/lxc start *
Cmnd_Alias LXC_STOP = /var/lib/snapd/snap/bin/lxc stop *, /usr/bin/lxc stop *
Cmnd_Alias LXC_RESTART = /var/lib/snapd/snap/bin/lxc restart *, /usr/bin/lxc restart *
Cmnd_Alias LXC_SNAPSHOT = /var/lib/snapd/snap/bin/lxc snapshot *, /usr/bin/lxc snapshot *
Cmnd_Alias LXC_PAUSE = /var/lib/snapd/snap/bin/lxc pause *, /usr/bin/lxc pause *
Cmnd_Alias LXC_INFO = /var/lib/snapd/snap/bin/lxc info*, /usr/bin/lxc info*
Cmnd_Alias LXC_LIST = /var/lib/snapd/snap/bin/lxc list*, /usr/bin/lxc list*
Cmnd_Alias LXC_EXEC = /var/lib/snapd/snap/bin/lxc exec *, /usr/bin/lxc exec *
Cmnd_Alias LXC_FILE = /var/lib/snapd/snap/bin/lxc file push, /usr/bin/lxc file push *
%lxd-user ALL = NOPASSWD: LXC_START, LXC_STOP, LXC_RESTART, LXC_SNAPSHOT, LXC_PAUSE, LXC_INFO, LXC_LIST, LXC_EXEC, LXC_FILE
Is this sufficiently restrictive, or am I missing something here?
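
An added example, not part of the original post: a small audit helper that checks which command lines the drop-in above admits, so the rules can be tested before deployment. It approximates sudoers argument matching with Python's `fnmatch` (no backslash-escape handling); the container names and file names in the samples are constructed.

```python
import fnmatch

# Argument patterns from the drop-in above, keyed by binary path
# (everything after the path in each Cmnd_Alias entry).
SNAP = "/var/lib/snapd/snap/bin/lxc"
USR = "/usr/bin/lxc"
VERBS = ["start *", "stop *", "restart *", "snapshot *", "pause *",
         "info*", "list*", "exec *"]
RULES = {
    SNAP: VERBS + ["file push"],    # as posted: no trailing wildcard
    USR: VERBS + ["file push *"],
}

def allowed(path, argv):
    """Return the first rule pattern that admits this command line, else None.

    sudoers joins the arguments into one space-separated string and matches
    it as a whole, so '*' also matches spaces and any number of arguments.
    A rule with arguments but no wildcard must match exactly.
    """
    joined = " ".join(argv)
    for pattern in RULES.get(path, []):
        if fnmatch.fnmatchcase(joined, pattern):
            return pattern
    return None

# Constructed command lines; container and file names are made up.
SAMPLES = [
    (USR, ["start", "web1"]),
    (USR, ["start", "web1", "db1"]),      # '*' spans several arguments
    (USR, ["info"]),
    (USR, ["config", "show", "web1"]),    # no rule for 'config'
    (USR, ["file", "push", "a.txt", "web1/tmp/"]),
    (SNAP, ["file", "push", "a.txt", "web1/tmp/"]),  # snap rule is exact-match
    (SNAP, ["file", "push"]),
]

if __name__ == "__main__":
    for path, argv in SAMPLES:
        print(path, " ".join(argv), "->", allowed(path, argv))
```

The output makes two properties of the rules visible: every `*` rule admits arbitrary trailing arguments, and the snap-path `file push` entry only admits the bare command with no arguments.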