Setting up a secure shared development environment with LXD
Tags: Development , LXD
The past month has been exciting, with both LXD 5.0 LTS and Ubuntu 22.04 LTS being launched. Both of these have brought a number of great new features for developers and enthusiasts of the Ubuntu ecosystem. One such interesting new feature is the multi-user setup in LXD, significantly improving the development experience and security when using a shared development environment or workstation.
Untrusted users shouldn’t have admin privileges
While LXD runs unprivileged containers by default, the users interacting with LXD still indirectly have full root access through various other options (device passthrough, privileged containers, custom ID maps…). This can make any user interacting with LXD have full local administrator privileges. This is also the case with other virtualization and containerisation tools, such as Docker and Libvirt. Having administrative privileges is not an issue on your own laptop or a home server, but it can cause problems when it comes to a shared development environment.
Over the years, LXD has included several features enabling users to safely share an LXD server or a cluster. Some of these features are remote authentication, role-based access control, and projects – all providing ways to limit specific users to a subset of LXD features. This has significantly improved security, but we wanted to further enhance the experience as well as make it simpler and easier to set up.
LXD multi-user feature
With the new release, LXD introduced a new user daemon which enables users to have two levels of interactions with LXD. As before, the administrators have complete LXD access, whereas other users can easily be segmented into a group with restricted access. The users belonging to the non-administrator group get automatically generated LXD projects, where they can run their own system containers and virtual machines isolated from anyone else’s instances and sufficiently restricted to prevent privilege escalation. LXD will now reject untrusted users trying to create privileged containers, pass in paths outside of their home directory or do any device passthrough other than GPUs.
How to set this up in LXD?
The process for setting this up is fairly straightforward.
Install LXD and initiate the daemon:
snap install lxd
snap set lxd daemon.user.group=users
Once this is done, any user in the users group will be allowed to interact with LXD despite not being in the all-powerful administrator lxd group.
The first time one such user interacts with LXD, they will automatically get their own restricted project, allowing them to launch containers or virtual machines instantly. The best part is that new users don’t need any installation, or configuration needing any kind of elevated privileges.
If several users are using the same workstation or a server, they will each only see and interact with their own personal project, without seeing the others. Of course, the administrator, part of the lxd group, would be able to see everything running on the system.
Where can I learn more?
For more details and a demo of the new feature, watch the video below. You can check out this discourse discussion where you can also find out how to move your existing LXD instances to a new less-privileged instance.
If you are curious about what else is new in LXD 5.0, read about it here.