Terraform user with privileges to enable e.g. `keyctl`?


Sep 30, 2020

I've tried setting up my Proxmox homelab using Terraform for some time now, and while I have something I am quite happy with (overly complicated, that is), I have never been able to figure out how to set different "features" for newly spawned LXCs. I have created a dedicated Terraform user which currently has these privileges:

VM.Allocate VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.Audit VM.PowerMgmt Datastore.AllocateSpace Datastore.Audit VM.Console

But it seems like at least one privilege is missing in order to enable features such as "nesting" and "keyctl" from this user. What other permission(s) do I need to add, preferably some that keep the terraform user from gaining full administrative powers (that slightly defeats the purpose)?

Thanks in advance!

Thanks for that! I posted a question there as well :)

Even so, do you know -- or know where to look, for that matter -- which privileges are required to affect features of LXC containers? Regardless of whether I'm using Terraform or not.

Getting back to my own question, I recently found that `keyctl` requires `root@pam` access in order to be enabled. I guess this in turn matches some very high privileges?

Would it be possible to put the LXC features behind a separate, specific privilege that could be assigned to, e.g., a Terraform (service) account? Just to be clear, this is neither a Terraform nor a Terraform provider specific question, but a Proxmox privileges separation request.
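The thread never shows how the dedicated Terraform account was actually built, so here is an added example (not code from the thread or from Proxmox) that assembles the `pveum` commands for a custom role carrying exactly the privilege list from the first post, grants it to a service user, and audits the list for privileges that would amount to full administrative power. The role, user, token and ACL-path names are assumptions; the commands are printed by default and only executed when `APPLY=1` is set on a Proxmox node. As the thread notes, a role like this still cannot set `keyctl`, which requires `root@pam`.

```shell
#!/bin/sh
# Added example, not from the thread: least-privilege Terraform account for Proxmox.
# Names TerraformProv, terraform@pve, the token id and the ACL path are assumptions.
# Nothing is executed unless APPLY=1; otherwise the commands are only printed.

TF_ROLE="TerraformProv"
TF_USER="terraform@pve"
TF_TOKEN="provider"
TF_PATH="/"   # ACL path; narrow it (e.g. /vms or /pool/<pool>) where your layout allows

# Privilege list exactly as given in the first post (space-separated, as pveum accepts).
TF_PRIVS="VM.Allocate VM.Clone VM.Config.CDROM VM.Config.CPU VM.Config.Cloudinit VM.Config.Disk VM.Config.HWType VM.Config.Memory VM.Config.Network VM.Config.Options VM.Monitor VM.Audit VM.PowerMgmt Datastore.AllocateSpace Datastore.Audit VM.Console"

# run_cmd prints the command line and executes it only when APPLY=1.
run_cmd() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
    return 0
}

# has_priv succeeds when the privilege named in $2 appears in the list $1 (exact match).
has_priv() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# setup_terraform_account emits the four pveum steps: role, user, ACL, API token.
setup_terraform_account() {
    run_cmd pveum role add "$TF_ROLE" --privs "$TF_PRIVS"
    run_cmd pveum user add "$TF_USER" --comment "Terraform service account"
    run_cmd pveum acl modify "$TF_PATH" --users "$TF_USER" --roles "$TF_ROLE"
    # --privsep 0 gives the token the same permissions as the user (no separate ACL).
    run_cmd pveum user token add "$TF_USER" "$TF_TOKEN" --privsep 0
}

# audit_role fails if the list contains privileges that reach well beyond VM management.
audit_role() {
    for forbidden in Sys.Modify Permissions.Modify Realm.Allocate User.Modify; do
        if has_priv "$TF_PRIVS" "$forbidden"; then
            echo "WARNING: $forbidden grants far more than VM management" >&2
            return 1
        fi
    done
    return 0
}

# Dry run when invoked directly: shows the commands and the audit result.
if [ "${0##*/}" = "setup_terraform_account.sh" ]; then
    audit_role && setup_terraform_account
fi
```

Run it once without `APPLY` to review the generated commands, then with `APPLY=1` on the node. The audit is a cheap guard against the temptation to "just add Sys.Modify" when a feature refuses to apply; per the thread, the `keyctl` feature needs `root@pam` regardless of which privileges the role carries.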