<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>I am having a bit of difficulty with the user ID
namespacing/mapping used by lxd.</p>
<p>Firstly, let me see if I understand this properly. Reading
<a class="moz-txt-link-freetext" href="https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/">https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/</a>
it seems each host user is allocated one mapped range of uids. For
example:<br>
</p>
<p>$ cat /etc/subuid<br>
lxd:100000:65536<br>
root:100000:65536</p>
Here, both these users get the same mapped range. Furthermore,
presumably every container launched by those users has the *same*
mapped range; that is, root in container foo and root in container
bar both map to 100000 on the host, correct? That sounds like it
doesn't give proper isolation from one container to another, but
I'll assume that's not a problem in practice.<br>
<br>
Here's the actual issue I'm dealing with.<br>
<p>I am trying to deploy FreeIPA as a way to do centralised
authentication for servers - and of course, with lots of lxd
containers, central authentication would be extremely helpful!<br>
</p>
The trouble is that FreeIPA allocates very high UIDs and GIDs by
default. Example from a fresh install of FreeIPA inside a
centos/7/amd64 container:<br>
<br>
[root@test ~]# id admin<br>
uid=1134400000(admin) gid=1134400000(admins)
groups=1134400000(admins)<br>
<p>[root@test ~]# getent passwd admin<br>
admin:*:1134400000:1134400000:Administrator:/home/admin:/bin/bash<br>
</p>
<p>But this id isn't usable within the container, as I find if I try
to ssh to it:</p>
<p>Oct 14 11:01:23 test sshd[3896]: Authorized to admin, krb5
principal <a class="moz-txt-link-abbreviated" href="mailto:admin@IPA.EXAMPLE.COM">admin@IPA.EXAMPLE.COM</a> (ssh_gssapi_krb5_cmdok)<br>
Oct 14 11:01:23 test sshd[3896]: Accepted gssapi-with-mic for
admin from 10.15.6.253 port 49800 ssh2<br>
<b>Oct 14 11:01:23 test sshd[3896]: fatal: initgroups: admin:
Invalid argument</b></p>
<p>Or even just use su within the container:</p>
<p>[root@test ~]# su - admin<br>
<b>su: cannot set groups: Invalid argument</b></p>
So I'm wondering about the best way to deal with this.<br>
<br>
(1) I can try to configure FreeIPA to allocate uids in the "low"
range, say 2000+.<br>
<br>
(2) I can try to do get lxd to map a larger range, for example map
1134400000 upwards to 2134400000 on the host. But are there problems
in that approach? Is there a reason why the default lxd config only
maps 64K worth of uids?<br>
<br>
Plus, I imagine this means all existing containers will need their
filesystems changed because of the new mapped IDs?<br>
<br>
# ls -l /var/lib/lxd/containers/ldap-1/rootfs/sbin/suexec<br>
-r-x--x--- 1 100000 100048 15352 Jul 18 15:31
/var/lib/lxd/containers/ldap-1/rootfs/sbin/suexec<br>
<br>
Thanks,<br>
<br>
Brian.<br>
</body>
</html>