<div dir="ltr">Hello all,<div><br></div><div>I am attempting to run a custom created unprivileged container on ubuntu 16.04. It is started from the root user using lxc-start and is configured with lxc.id_map to assign unprivileged UID/GID for users.</div><div><br></div><div>The root file system I am trying to use is squashfs, and it has been created with UID/GID starting at 0. The user and group ownership of files within the squashfs is not modifiable due to squashfs being read only.</div><div><br></div><div>I am using a pre-start hook to mount the squashfs in a location that is accessible by the unprivileged users in lxc.idmap. Everything seems to work properly at this point.</div><div><br></div><div>When I attach to the container after starting, all the files are owned by 65534:65534. When I inspect on the host, they are all owned by UID/GID 0. This isn't a problem for anything running as root in the container of course, but if I tried to run something in the container as another user, I will have problems.</div><div><br></div><div>My question is: How can I correct this? Does anyone know what causes it? Is there an alternate way of mounting the rootfs so that the ownership of the files makes sense in the container?</div><div><br></div><div>My config:</div><div><br></div><div><div>lxc.network.type = veth</div><div>lxc.network.link = lxcbr0</div><div>lxc.network.flags = up</div><div>lxc.network.ipv4 = <a href="http://10.0.3.2/24">10.0.3.2/24</a></div><div>lxc.network.hwaddr = 00:16:3e:xx:xx:xx</div><div>lxc.rootfs =/var/lib/lxc/lxc1/rootfs</div><div>lxc.haltsignal = SIGUSR1</div><div>lxc.utsname = lxc1</div><div>lxc.tty = 1</div><div>lxc.pts = 1</div><div>lxc.id_map = u 0 100000 10000</div><div>lxc.id_map = g 0 100000 10000</div><div>lxc.cgroup.cpuset.cpus = 0</div><div>lxc.cgroup.cpu.shares = 179</div><div>lxc.cgroup.memory.limit_in_bytes = 25600000</div><div>lxc.cgroup.devices.deny = a</div><div>lxc.cgroup.devices.allow = c 1:3 rw</div><div>lxc.cgroup.devices.allow = c 1:8 r</div><div>lxc.cgroup.devices.allow = c 1:9 r</div><div>lxc.cap.keep = none</div><div>lxc.mount.entry = tmpfs /var/lib/lxc/lxc1/rootfs/tmp tmpfs nodev,nosuid,size=3M 0 0</div><div>lxc.mount.auto = proc:mixed</div><div>lxc.hook.pre-start = /usr/share/lxc/hooks/mount</div><div>lxc.aa_profile = unconfined</div></div><div><br></div><div>File ownership after attaching:</div><div><br></div><div><div>root@user-VirtualBox:/var/lib/lxc/lxc1# lxc-attach -n lxc1</div><div>/ # ls -la</div><div>total 2</div><div>drwxrwxr-x 16 65534 65534 261 Jul 5 19:25 .</div><div>drwxrwxr-x 16 65534 65534 261 Jul 5 19:25 ..</div><div>drwxr-xr-x 2 65534 65534 980 Jul 6 16:09 bin</div><div>drwxr-xr-x 4 root root 360 Jul 6 18:22 dev</div><div>drwxr-xr-x 10 65534 65534 406 Jul 6 16:09 etc</div><div>drwxr-xr-x 2 65534 65534 737 Jul 6 16:09 lib</div><div>lrwxrwxrwx 1 65534 65534 3 Jul 6 16:48 lib32 -> lib</div><div>lrwxrwxrwx 1 65534 65534 11 Jul 6 16:48 linuxrc -> bin/busybox</div><div>drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 media</div><div>drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 mnt</div><div>drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 opt</div><div>dr-xr-xr-x 222 65534 65534 0 Jul 6 18:22 proc</div><div>drwx------ 2 65534 65534 3 Jan 29 14:13 root</div><div>lrwxrwxrwx 1 65534 65534 3 Jul 6 16:48 run -> tmp</div><div>drwxr-xr-x 2 65534 65534 963 Jul 6 16:09 sbin</div><div>drwxr-xr-x 2 65534 65534 3 Jan 29 14:00 sys</div><div>drwxrwxrwt 2 65534 65534 3 Jan 29 14:00 tmp</div><div>drwxr-xr-x 7 65534 65534 102 Jul 5 16:51 usr</div><div>drwxr-xr-x 5 65534 65534 121 Jul 6 16:09 var</div><div>-rw-r--r-- 1 65534 65534 1266 Jul 6 16:09 version.platform</div></div><div><br></div><div><br></div><div><br></div><div><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div style="text-align:left"><div style="text-align:left"><div style="font-size:small">Judd Meinders<br></div><div style="font-size:small"><br></div></div></div></div></div></div>
</div></div>