<div dir="ltr"><div class="gmail_quote"><div>Hi Xavier,</div><div>Thank you for your response.</div><div>I even tried with a bigger range, but still no luck.</div><div><br></div><div>In the 1st container (cont1) config:</div><div>lxc.id_map = u 0 100000 1000<br></div><div>lxc.id_map = g 0 100000 1000</div><div><div>and in the 2nd container (cont2) config:</div><div><div>lxc.id_map = u 0 101500 1000<br></div><div>lxc.id_map = g 0 101500 1000</div></div></div><div><br></div><div>I get the same error:</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)</p><p 
class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.985 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.524 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.</p></div><div> <br></div><div>If I try something like the below:</div><div><div>In the 1st container (cont1) config:</div><div>lxc.id_map = u 0 100000 1000</div><div>lxc.id_map = g 0 100000 1000</div><div><br></div><div>and in the 2nd container (cont2) config:</div><div><div>lxc.id_map = u 0 100000 2000<br></div><div>lxc.id_map = g 0 100000 2000</div><div><br></div><div>it works, but on the host both the containers created by my lxcuser have the same userid, which is 100000. 
Hence, it is not possible to identify each container uniquely on the host machine.</div><div><br></div><div>My query is: is there any way a non-root user can create various containers and each container will have a unique UserId on the host machine?</div></div>Thanks for your help,</div><div>Yasoda</div><div><br>From: Xavier Gendre &lt;<a href="mailto:gendre.reivax@gmail.com" target="_blank">gendre.reivax@gmail.com</a>&gt;<br>To: <a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>Date: Mon, 20 Aug 2018 09:24:31 +0200<br>Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??<br>Hi Yasoda,<br><br>Only 10 ids is a bit short for a container. You should increase this number to cover at least the system ids 0-999. Depending on the distribution you run in your containers, you can be sharper and only involve the needed ids, but they all have to be covered.<br><br>Xavier <br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div dir="ltr">On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala &lt;<a href="mailto:padala.yasoda@gmail.com" target="_blank">padala.yasoda@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi All,<div>I have created a non-root user on my Ubuntu (16.04) machine who creates unprivileged LXC containers.</div><div>My user's uid/gid on the host is 1000.<br></div><div>Below are the entries in the /etc/subuid &amp; /etc/subgid files:</div><div><br></div><div>/etc/subuid:</div><div>lxcuser:100000 65536</div><div><br></div><div>/etc/subgid:</div><div>lxcuser:100000:65536</div><div><br></div><div>My requirement is that for each LXC unprivileged container, I should be able to pick a UID/GID range. 
<br></div><div>For instance, I have created two LXC containers, cont1 and cont2.</div><div>In the cont1 config, I have added the below id mappings:</div><div>lxc.id_map = u 0 100000 10</div><div>lxc.id_map = g 0 100000 10</div><div><br></div><div>and in the cont2 config file, I have added the below id mappings:</div><div><div>lxc.id_map = u 0 100020 10</div><div>lxc.id_map = g 0 100020 10</div></div><div><br></div><div>cont1 starts successfully but cont2 gives the below error while starting the container:</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">lxc-start 20180817035100.984 ERROR
lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real
path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount
rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to
setup rootfs for 'uidranges'</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up
rootfs mount after spawn</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_start - start.c:do_start:811 - Failed to setup
container "uidranges".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in
another process (expected sequence number 3)</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.985
ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn
container "uidranges".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.524
ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The
container failed to start.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525
ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more
details, run the container in foreground mode.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525
ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional
information can be obtained by setting the --logfile and --logpriority options.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">My understanding is that lxcuser, who has been assigned the id range 100000-165536, can assign distinct subuid/gid ranges for each container spawned by lxcuser.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Is my understanding correct? I am not finding any reference documents for custom user mappings for LXC unprivileged containers.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Any help on this is highly appreciated.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks & Regards,</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Yasoda</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p></div><div><br></div></div></blockquote></div></blockquote></div></div>
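<p>A range check for the id maps discussed in this thread, as an added example that is not part of the original messages: it verifies that each container's <code>lxc.id_map</code> covers container ids 0-999, stays inside the user's <code>/etc/subuid</code> delegation, and does not overlap another container's host range. The function names, the <code>cfg</code> helper and the sample <code>SUBUID</code> line are assumptions constructed for illustration.</p>

```python
import re

MIN_IDS = 1000  # container ids 0-999 should be covered, per the reply in this thread
# LXC 2.1+ spells the key lxc.idmap; older releases use lxc.id_map as in the thread.
MAP_RE = re.compile(r"^[ \t]*lxc\.id_?map[ \t]*=[ \t]*([ug])"
                    r"[ \t]+(\d+)[ \t]+(\d+)[ \t]+(\d+)[ \t]*$", re.M)

def parse_subid(text, user):
    """Return (start, count) delegated to user in /etc/subuid-style text."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    raise ValueError(f"no name:start:count entry for {user}")

def parse_id_maps(config, kind="u"):
    """Return [(container_start, host_start, count)] for one map kind."""
    return [(int(c), int(h), int(n))
            for k, c, h, n in MAP_RE.findall(config) if k == kind]

def check(containers, subid_text, user, kind="u"):
    """Return findings for {name: config}; an empty list means no range problem."""
    lo, size = parse_subid(subid_text, user)
    findings, claimed = [], []
    for name, config in containers.items():
        maps = parse_id_maps(config, kind)
        if not any(c == 0 and n >= MIN_IDS for c, _, n in maps):
            findings.append(f"{name}: container ids 0-{MIN_IDS - 1} not fully mapped")
        for _, host, count in maps:
            last = host + count - 1
            if host < lo or last >= lo + size:
                findings.append(f"{name}: host ids {host}-{last} outside delegation")
            for other, o_host, o_last in claimed:
                if host <= o_last and o_host <= last:
                    findings.append(f"{name}: host ids {host}-{last} overlap {other}")
            claimed.append((name, host, last))
    return findings

def cfg(host_start, count):
    """Build the two id-map lines of a container config (constructed sample)."""
    return (f"lxc.id_map = u 0 {host_start} {count}\n"
            f"lxc.id_map = g 0 {host_start} {count}\n")

SUBUID = "lxcuser:100000:65536\n"  # constructed, in name:start:count form
ATTEMPTS = {  # the three pairs of ranges tried in the thread
    "10 ids each": {"cont1": cfg(100000, 10), "cont2": cfg(100020, 10)},
    "1000 ids, disjoint": {"cont1": cfg(100000, 1000), "cont2": cfg(101500, 1000)},
    "shared start": {"cont1": cfg(100000, 1000), "cont2": cfg(100000, 2000)},
}

if __name__ == "__main__":
    for label, containers in ATTEMPTS.items():
        print(label, "->", check(containers, SUBUID, "lxcuser") or "ranges OK")
```

<p>These checks cover ranges only: the thread's second attempt (host starts 100000 and 101500, 1000 ids each) passes them, yet the poster reports that cont2 still failed with the rootfs "Permission denied" error.</p>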