Allow other user groups to access MicroK8s #3608

Closed
barrettj12 opened this issue Dec 5, 2022 · 6 comments
Labels
inactive kind/feature New feature or request

Comments

@barrettj12
Contributor

barrettj12 commented Dec 5, 2022

Summary

Currently, only the microk8s user group (for classic MicroK8s snap) or snap_microk8s user group (for strictly confined) are able to access MicroK8s. I would like a config option to allow an existing group (e.g. adm) to access MicroK8s.

LXD has the following option to do this:

sudo snap set lxd daemon.group=adm
sudo snap restart lxd

Why is this important?

We use MicroK8s in our GitHub Actions for Juju. We have tests that e.g. bootstrap/deploy charms to MicroK8s. The recommended way to set the user permissions is to add the current user to the microk8s group via newgrp microk8s. However, since newgrp opens a subshell with the new group permissions, it does not work and cannot be used in automated scripting e.g. GitHub Actions.

The only workaround we can find is using sg microk8s '...' everywhere. This means we can't use common code for bootstrapping/deploying/testing on LXD and MicroK8s - everything has to be duplicated.

See also balchua/microk8s-actions#13

Are you interested in contributing to this feature?

No

@ktsakalozos
Member

Thank you for this feature request. We will try to make some time to work on it.

@ktsakalozos ktsakalozos added kind/feature New feature or request difficulty/medium This task needs some knowledge of MicroK8s labels Dec 7, 2022
@neoaggelos
Contributor

neoaggelos commented Jan 16, 2023

Hi @barrettj12

I see that the feature request is not so much about having MicroK8s use any arbitrary group, but rather to make it easier to use from CI. Perhaps using a group alias before installing MicroK8s would solve your problem:

# create microk8s as a group alias for group with id 1000 (the default user id)
sudo groupadd --non-unique --gid 1000 microk8s

# alternatives you may consider
sudo groupadd --non-unique --gid "$(getent group adm | cut -f3 -d:)" microk8s

Perhaps an option would be to do something like this:

# since microk8s strict uses `snap_microk8s` instead, you could also just create both
sudo groupadd --non-unique --gid "$(getent group adm | cut -f3 -d:)" microk8s
sudo groupadd --non-unique --gid "$(getent group adm | cut -f3 -d:)" snap_microk8s

sudo snap install microk8s --channel=$channel [--classic]

# wait for status, retry call in case groups are not setup just yet
while ! microk8s status --wait-ready; do
  echo waiting for microk8s
  sleep 2
done

@balchua
Collaborator

balchua commented Jan 22, 2023

I tried the steps above, before installing microk8s.
It works on classic mode but gives the following error on strict mode.

Any idea what this error means?

error: cannot perform the following tasks:
- Mount snap "microk8s" (4249) (cannot ensure users for snap "microk8s" required system username "snap_microk8s": cannot add user/group "snap_microk8s": group exists and user does not)

Any help will be great. Thanks!

@neoaggelos
Contributor

From the side of the snap, we create the microk8s (or snap_microk8s) group if it does not already exist on the host.

It looks like the error message is coming from snapd, which in the case of strict snaps has a hard requirement on a user and group existing. Can you see if creating the snap_microk8s user before installing helps?

@balchua
Collaborator

balchua commented Jan 23, 2023

I tried creating the snap_microk8s user beforehand. But it complained about uid not being the same.
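
An audit of the alias workaround discussed above, as an added example that is not part of the thread or the MicroK8s project: a `--non-unique` alias gives every account holding that GID the same file access as the `microk8s` group, so the script lists the alias names and the accounts behind them, and flags the group-without-user state from the snapd error. The function names and the sample group and passwd data are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). Functions read group(5)/passwd(5)-format
# files, so point them at /etc/group and /etc/passwd or at copies.

# Names sharing a GID with group $1 in group file $2 (the --non-unique aliases).
gid_aliases() {
    awk -F: -v g="$1" '{ n[NR] = $1; id[NR] = $3; if ($1 == g) t = $3 }
        END { for (i = 1; i <= NR; i++)
                  if (t != "" && id[i] == t && n[i] != g) print n[i] }' "$2"
}

# Accounts holding the GID of group $1: members on any alias line of group file
# $2, plus users in passwd file $3 that have it as primary GID.
effective_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2")
    [ -n "$gid" ] || return 0
    { awk -F: -v id="$gid" '$3 == id { c = split($4, m, ",")
          for (i = 1; i <= c; i++) print m[i] }' "$2"
      awk -F: -v id="$gid" '$4 == id { print $1 }' "$3"
    } | sort -u | paste -sd' ' -
}

# State of name $1 before a strict install. "group-without-user" is the case in
# the snapd error quoted in the thread; a pre-made user was also reported to fail.
strict_preflight() {
    g=$(awk -F: -v n="$1" '$1 == n { print 1; exit }' "$2")
    u=$(awk -F: -v n="$1" '$1 == n { print 1; exit }' "$3")
    if [ -n "$u" ]; then echo preexisting-user
    elif [ -n "$g" ]; then echo group-without-user
    else echo clean; fi
}

# Constructed sample: host state after the alias commands from the thread.
SAMPLE=$(mktemp -d) && trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/group" <<'EOF'
root:x:0:
adm:x:4:syslog,ubuntu
microk8s:x:4:
snap_microk8s:x:4:
EOF
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
logship:x:1001:4::/home/logship:/bin/sh
EOF

echo "aliases:   $(gid_aliases microk8s "$SAMPLE/group" | paste -sd' ' -)"
echo "access:    $(effective_members microk8s "$SAMPLE/group" "$SAMPLE/passwd")"
echo "preflight: $(strict_preflight snap_microk8s "$SAMPLE/group" "$SAMPLE/passwd")"
```

In the sample, `logship` appears in the access list only through its primary GID, which a check of the group file's member field alone would miss.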


stale bot commented Dec 19, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the inactive label Dec 19, 2023
@stale stale bot closed this as completed Jan 19, 2024