Why does joining a node to a cluster require root privileges?

Hi all,
I’m installing a three-node lxd cluster on three KVM virtual machines.

All machines, host and guests, use Kubuntu 18.04, updated today.

The three nodes use lxd 3.13 installed from snap.

On all three nodes a normal user (in my case sysop), belonging to the lxd group, can issue lxd/lxc commands.

On the first VM I can create the first node using the normal user.

But on the second node the normal user cannot run the lxd init command, because I receive an error stating that root privileges are required:

sysop@kvmnode2:/var/zdata$ lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: yes
What name should be used to identify this node in the cluster? [default=kvmnode2]:
What IP address or DNS name should be used to reach this node? [default=192.168.202.12]: 192.168.201.12
Are you joining an existing cluster? (yes/no) [default=no]: yes
IP address or FQDN of an existing cluster node: 192.168.201.11
Cluster fingerprint: 1670f8d8ad92e05150297f03ddedd319eb66a7d1224fe7dcbe3b11a630afce67
You can validate this fingerprint by running “lxc info” locally on an existing node.
Is this the correct fingerprint? (yes/no) [default=no]: yes
Cluster trust password:
Error: Joining an existing cluster requires root privileges
sysop@kvmnode2:/var/zdata$

Is this the expected behaviour or is it a bug?

This is expected behaviour, in the sense that lxd init should always run with sudo.
It is the lxc commands that do not need sudo and it is frowned upon if you sudo them (probably that is just me).

lxd init performs tasks like creating networks which require root privileges. If you are an expert in LXD, you may figure out a setup that will work without sudo. But in most cases, you need the sudo.
The most important issue with having sudo is that lxd init performs setup steps serially. If one step is performed and the next fails, you do not get the first step undone.

lxd init can be run without sudo in most setups these days as it’s just a normal API client.

The one exception is indeed for clustering as the lxd init command needs to read the server’s certificate and key to directly communicate with the existing cluster.

That’s why you’re only getting an error when asking to set up a cluster.

@stgraber I am running the lxd init without sudo, but it asks for root privileges?