<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Calibri,Arial,Helvetica,sans-serif;" dir="ltr">
<div>I have been trying to create an unprivileged container for the past couple days with no success. After having read the entire Internet, I'm about to give up and just create a privileged container. But maybe you all can figure out what I am doing wrong.<br>
<br>
I created a user 'zrw' on the host and am trying to map the uid and gid from the container to this user. I have created the container but have otherwise not touched it. My end goal is to install Samba in the container and mount a directory on the host to share
out.<br>
<br>
When I create the user, /etc/subuid and /etc/subgid automatically have the following added:<br>
root@server:/# cat /etc/sub* | grep zrw<br>
<div>zrw:689824:65536<br>
zrw:689824:65536<br>
<br>
but "id -u zrw" and "id -g zrw" both return 1000. Why would 689824 automatically be put in the /etc/sub* files? From all of my reading I thought the uid and gid in the /etc/sub* files should be the same as the user and group ids?<br>
I changed the subuid and subgid files to<br>
zrw:689824:65536<br>
zrw:1000:1<br>
<br>
I then put this mapping in the container's .conf file (along with many other different variations, like id_map = u 0 689824 65536)<br>
<div>lxc.id_map = u 0 100000 1000<br>
lxc.id_map = g 0 100000 1000<br>
lxc.id_map = u 1000 1000 1<br>
lxc.id_map = g 1000 1000 1<br>
lxc.id_map = u 1001 100000 64535<br>
lxc.id_map = g 1001 100000 64535</div>
</div>
<br>
When I start the container I get the following output:<br>
<br>
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1321 Path "/sys/fs/cgroup/systemd//lxc/100" already existed.<br>
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1385 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/100: No such file or directory<br>
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1321 Path "/sys/fs/cgroup/systemd//lxc/100-1" already existed.<br>
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1385 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/100-1: No such file or directory<br>
... same output as above repeating up to systemd//lxc/100-33<br>
<br>
<b>newuidmap: uid range [0-1000) -> [689824-690824) not allowed</b><br>
lxc-start: start.c: lxc_spawn: 1164 Failed to set up id mapping.<br>
lxc-start: start.c: __lxc_start: 1357 Failed to spawn container "100".<br>
newuidmap: uid range [0-1000) -> [689824-690824) not allowed<br>
lxc-start: conf.c: userns_exec_1: 4379 Error setting up child mappings<br>
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1276 Error destroying /sys/fs/cgroup/systemd//lxc/100-20<br>
newuidmap: uid range [0-1000) -> [689824-690824) not allowed<br>
lxc-start: conf.c: userns_exec_1: 4379 Error setting up child mappings<br>
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1276 Error destroying /sys/fs/cgroup/cpuset//lxc/100-20<br>
lxc-start: conf.c: userns_exec_1: 4379 Error setting up child mappings<br>
... same output as above repeating up to 100-33 for cgroup/cpu, cgroup/blkio, cgroup/memory, cgroup/devices, etc.<br>
<br>
<span>lxc-start: tools/lxc_start.c: main: 365 The container failed to start.<br>
<br>
<br>
You can tell how many tries I've made by the fact that it creates a new 100-&lt;incremented number here&gt; every time I try to start the container.<br>
Every variation of mapping I have tried always ends with uid range not allowed.<br>
<br>
On another note, if I delete the container and then try to rm -rf /sys/fs/cgroup/pids/lxc/100* I get "Operation not permitted" on a ton of files in those directories, and consequently the directories are not deleted. To "solve" that a previous time, I reinstalled
the operating system. From other reading it does not appear there are any attributes set on these files and lsattr gives "<span>lsattr: Inappropriate ioctl for device While reading flags on ./cgroup.procs</span>" for every file. Are these files created with
a special permission when creating the container, the container fails to start, and somehow the error handling code can't delete them so I'm stuck with them forever? (Unless I pull the nuclear option of course.)<br>
<br>
I would appreciate any help!<br>
</span></div>
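<div><br>
An added example, not part of the original post: a small Python check that mirrors the range test newuidmap and newgidmap apply to each lxc.id_map line against the caller's /etc/subuid and /etc/subgid entries, so a rejected mapping can be spotted before starting the container. The file contents are constructed from the post above; the <code>user</code> argument is an assumption standing for whoever actually runs lxc-start, since newuidmap consults that user's entries, not the container's.</div>

```python
# Added example (not from the original post): reproduce the subuid/subgid range
# check that newuidmap/newgidmap perform before writing uid_map/gid_map.
# SUBUID, SUBGID and ID_MAP are constructed from the post, not read from disk.

SUBUID = """zrw:689824:65536
zrw:1000:1
"""
SUBGID = SUBUID  # the post shows identical subuid and subgid entries

ID_MAP = """lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 100000 64535
lxc.id_map = g 1001 100000 64535
"""

def parse_sub(text, user):
    """Return the (start, count) ranges granted to `user` in subuid/subgid syntax."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def parse_id_map(text):
    """Return (kind, container_start, host_start, count) tuples from lxc.id_map lines."""
    maps = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map": continue
        kind, cstart, hstart, count = value.split()
        maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps

def allowed(sub_ranges, hstart, count):
    """True if host ids [hstart, hstart+count) fit entirely inside one granted range."""
    return any(s <= hstart and hstart + count <= s + c for s, c in sub_ranges)

def rejected_mappings(subuid, subgid, id_map, user):
    """List the id_map lines the range check refuses, in newuidmap's message style."""
    granted = {"u": parse_sub(subuid, user), "g": parse_sub(subgid, user)}
    out = []
    for kind, cstart, hstart, count in parse_id_map(id_map):
        if not allowed(granted[kind], hstart, count):
            out.append(f"{kind} range [{cstart}-{cstart + count}) -> "
                       f"[{hstart}-{hstart + count}) not allowed")
    return out
```

With the post's entries, the lines mapping to host ids starting at 100000 are refused because zrw was granted 689824-755359 and 1000, not 100000-164534; the same check passes for the post's other variant, u 0 689824 65536, when run as zrw.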
</div>
</body>
</html>