<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<br>
<br>
<div class="moz-cite-prefix">On 23/07/16 17:49, Christoph Willing
wrote:<br>
</div>
<blockquote
cite="mid:d0bcbb30-1008-04d1-5a28-d6501a6ffba0@iinet.net.au"
type="cite">I'm following the guide to run X apps in a container
at:
<br>
<a class="moz-txt-link-freetext" href="https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/">https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/</a>
<br>
<br>
As a starting point, I have a normal unprivileged container
running perfectly. However when I change the id_map configuration
to look like:
<br>
lxc.id_map = u 0 100000 1000
<br>
lxc.id_map = g 0 100000 1000
<br>
lxc.id_map = u 1000 1000 1
<br>
lxc.id_map = g 1000 1000 1
<br>
lxc.id_map = u 1001 101001 64535
<br>
lxc.id_map = g 1001 101001 64535
<br>
<br>
the container fails to start, claiming:
<br>
<br>
chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
<br>
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
<br>
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
<br>
...
<br>
...
<br>
<br>
Sure enough, if I comment out the lines:
<br>
lxc.id_map = u 1000 1000 1
<br>
lxc.id_map = g 1000 1000 1
<br>
<br>
the container runs again - but it's that particular mapping that
is needed in this case.
<br>
<br>
I set up a log file to priority DEBUG but no extra clues there -
it just says the same thing.
<br>
<br>
I'm using:
<br>
lxc-2.0.1
<br>
cgmanager-0.39
<br>
with container config file attached.
<br>
<br>
Can anyone shed light on this problem please?
<br>
<br>
chris
<br>
<br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
lxc-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:lxc-users@lists.linuxcontainers.org">lxc-users@lists.linuxcontainers.org</a>
<a class="moz-txt-link-freetext" href="http://lists.linuxcontainers.org/listinfo/lxc-users">http://lists.linuxcontainers.org/listinfo/lxc-users</a></pre>
</blockquote>
Umm... I have exactly that setup (user and group id mapping) and it
works for me. It's what I use for desktop integration. Did you
change the /etc/sub* files as per the following?<br>
<a class="moz-txt-link-freetext" href="https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/">https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/</a><br>
<br>
I promise it works here. This is the config for one of my most used
containers:<br>
<blockquote># Template used to create this container:
/usr/share/lxc/templates/lxc-download<br>
# Parameters passed to the template: -d ubuntu -r xenial -a amd64<br>
# For additional config options, please look at
lxc.container.conf(5)<br>
<br>
# Uncomment the following line to support nesting containers:<br>
#lxc.include = /usr/share/lxc/config/nesting.conf<br>
# (Be aware this has security implications)<br>
<br>
# Distribution configuration<br>
lxc.include = /usr/share/lxc/config/ubuntu.common.conf<br>
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf<br>
lxc.arch = x86_64<br>
<br>
# Container specific configuration<br>
# ------- Replaced -------#<br>
#lxc.id_map = u 0 100000 65536<br>
#lxc.id_map = g 0 100000 65536 <br>
# ------- With -------#Permission denied - <br>
lxc.id_map = u 0 100000 1000<br>
lxc.id_map = g 0 100000 1000<br>
lxc.id_map = u 1000 1000 1<br>
lxc.id_map = g 1000 1000 1<br>
lxc.id_map = u 1001 101001 64535<br>
lxc.id_map = g 1001 101001 64535<br>
# --------------------#<br>
<br>
lxc.rootfs = /mnt/....../&lt;container-name&gt;/rootfs<br>
lxc.rootfs.backend = dir<br>
lxc.utsname = &lt;container-name&gt;<br>
<br>
# Network configuration<br>
lxc.network.type = veth<br>
lxc.network.link = lxcbr0<br>
lxc.network.flags = up<br>
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx<br>
<br>
# =========================== My Additions
========================== #<br>
## Set resource limits<br>
lxc.cgroup.cpuset.cpus = 1-3<br>
lxc.cgroup.cpu.shares = 256<br>
lxc.cgroup.memory.limit_in_bytes = 4G<br>
lxc.cgroup.blkio.weight = 500<br>
<br>
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir<br>
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir<br>
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none
bind,optional,create=dir<br>
# lxc.mount.entry = /dev/video0 dev/video0 none
bind,optional,create=file # NO CAMERA<br>
lxc.mount.entry = /dev/fuse dev/fuse none
bind,optional,create=file<br>
<br>
#lxc.hook.pre-start =
/mnt/...../&lt;container-name&gt;/setup-pulse.sh<br>
lxc.hook.pre-start = /mnt/.....&lt;container-name&gt;/lxc-devsetup<br>
<br>
lxc.aa_profile = lxc-container-default-with-mounting<br>
## lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber
rwm ... in this case /dev/sr0 (EXCLUDES /dev/sr1)<br>
lxc.cgroup.devices.allow = b 11:0 rwm<br>
## and add /dev/sr1<br>
lxc.cgroup.devices.allow = b 11:1 rwm<br>
# Fuse (user mounted filesystem facilitator), character device at
10:29 (use ls -la /dev/fuse)<br>
lxc.cgroup.devices.allow = c 10:29 rwm<br>
# ==================== End Change For Xenial
====================== #<br>
</blockquote>
<br>
And the /etc/sub* files (modified to protect the innocent ...)<br>
/etc/subuid<br>
<blockquote>&lt;me&gt;:100000:65536<br>
&lt;lxd&gt;:165536:65536<br>
root:165536:65536<br>
&lt;someone&gt;:231072:65536<br>
root:1000:1<br>
</blockquote>
/etc/subgid<br>
<blockquote>&lt;me&gt;:100000:65536<br>
&lt;lxd&gt;:165536:65536<br>
root:165536:65536<br>
&lt;someone&gt;:231072:65536<br>
root:1000:1<br>
</blockquote>
<br>
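<p>The error in the quoted message ("uid range [1000-1001) -&gt; [1000-1001) not allowed") is newuidmap refusing to write a host range the calling user does not own in /etc/subuid. The following script is an added example, not part of the thread or of the LXC project: it parses the lxc.id_map lines of a container config (lxc.idmap in LXC 3+ is accepted too) and /etc/subuid and /etc/subgid, then applies the same ownership test newuidmap(1)/newgidmap(1) apply, including coverage by a chain of adjacent entries as in shadow's have_range(), and additionally flags ranges that overlap on either side, which the kernel rejects when the map is written (user_namespaces(7)). The embedded config and subuid contents are constructed from the thread; the user name "chris" and the file name check_idmap.py are assumptions.</p>

```python
#!/usr/bin/env python3
"""Pre-flight check for an unprivileged LXC id mapping (added example, not LXC code).

Mirrors the ownership test newuidmap(1)/newgidmap(1) apply before writing
/proc/PID/{uid,gid}_map: every host-side range named in lxc.id_map (LXC 2.x;
lxc.idmap in LXC 3+) must be owned by the calling user in /etc/subuid or
/etc/subgid, possibly as a chain of adjacent entries. It also flags overlapping
ranges, which the kernel rejects when the map is written (user_namespaces(7)).
"""
import re
import sys
from collections import namedtuple

IdMap = namedtuple("IdMap", "kind ns_start host_start count")
SubRange = namedtuple("SubRange", "owner start count")

# Accepts both spellings: "lxc.id_map" (LXC 1.x/2.x) and "lxc.idmap" (LXC 3+).
_MAP_RE = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_idmaps(config_text):
    """Extract (kind, container_start, host_start, count) tuples from a config."""
    maps = []
    for line in config_text.splitlines():
        m = _MAP_RE.match(line.split("#", 1)[0])  # ignore trailing comments
        if m:
            kind, ns, host, count = m.groups()
            maps.append(IdMap(kind, int(ns), int(host), int(count)))
    return maps


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid lines of the form owner:start:count."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, start, count = line.split(":")
        ranges.append(SubRange(owner, int(start), int(count)))
    return ranges


def owns_range(ranges, user, start, count):
    """True if [start, start+count) is covered by entries owned by user.

    Like shadow's have_range(), coverage may come from several entries laid
    end to end; any id not covered by some entry fails the whole range.
    """
    pos, end = start, start + count
    while pos < end:
        covering = [r for r in ranges
                    if r.owner == user and r.start <= pos < r.start + r.count]
        if not covering:
            return False
        pos = max(r.start + r.count for r in covering)
    return True


def _overlaps(a_start, a_count, b_start, b_count):
    return a_start < b_start + b_count and b_start < a_start + a_count


def check(config_text, subuid_text, subgid_text, user):
    """Return a list of problems; an empty list means the map should be accepted."""
    subs = {"u": ("uid", parse_subid(subuid_text)),
            "g": ("gid", parse_subid(subgid_text))}
    maps = parse_idmaps(config_text)
    errors = []
    for m in maps:
        name, ranges = subs[m.kind]
        if not owns_range(ranges, user, m.host_start, m.count):
            # Same wording newuidmap/newgidmap print: [container range) -> [host range)
            errors.append("new%smap: %s range [%d-%d) -> [%d-%d) not allowed" % (
                name, name, m.ns_start, m.ns_start + m.count,
                m.host_start, m.host_start + m.count))
    for kind, (name, _) in subs.items():
        same = [m for m in maps if m.kind == kind]
        for i, a in enumerate(same):
            for b in same[i + 1:]:
                if _overlaps(a.ns_start, a.count, b.ns_start, b.count):
                    errors.append("%s: container-side ranges overlap: %s / %s" % (name, a, b))
                if _overlaps(a.host_start, a.count, b.host_start, b.count):
                    errors.append("%s: host-side ranges overlap: %s / %s" % (name, a, b))
    return errors


# Constructed sample: the mapping from the thread, first with only the default
# 65536-id block owned by the user, then with an extra one-id entry for 1000.
THREAD_CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
SUBID_DEFAULT = "chris:100000:65536\n"          # user name is an assumption
SUBID_WITH_1000 = "chris:100000:65536\nchris:1000:1\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: check_idmap.py <container config> <user>
        cfg = open(sys.argv[1]).read()
        problems = check(cfg, open("/etc/subuid").read(),
                         open("/etc/subgid").read(), sys.argv[2])
    else:  # no arguments: run the constructed sample
        for label, sub in (("default", SUBID_DEFAULT), ("with 1000:1", SUBID_WITH_1000)):
            print("--", label)
            for p in check(THREAD_CONFIG, sub, sub, "chris") or ["ok"]:
                print(p)
        problems = []
    sys.exit(1 if problems else 0)
```

<p>Run without arguments it reproduces the thread's failure for the "default" subuid contents and reports "ok" once a one-id entry for 1000 owned by the same user is present; run as <code>check_idmap.py ~/.local/share/lxc/NAME/config USER</code> it reads the live /etc/subuid and /etc/subgid and exits non-zero on any problem, which is cheaper than watching lxc-start fail.</p>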
</body>
</html>