<div dir="ltr">Thank You Dirk for your response.<div>It was a permission issue and as you suggested corrected the permissions to have unprivileged user full access to container's rootfs and it started working.</div><div><br></div><div>Thanks again,</div><div>Yasoda<br><br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">---------- Forwarded message ----------<br>From: Yasoda Padala <<a href="mailto:padala.yasoda@gmail.com" target="_blank">padala.yasoda@gmail.com</a>><br>To: <a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>Cc: <br>Bcc: <br>Date: Tue, 21 Aug 2018 15:37:49 +0530<br>Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??<br><div dir="ltr"><div class="gmail_quote"><div>Hi Xavier,</div><div>Thank you for your response.</div><div>I even tried with bigger range, but still no luck.</div><div><br></div><div>in 1st container (cont1) config, </div><div> lxc.id_map = u 0 100000 1000<br></div><div>lxc.id_map = g 0 100000 1000</div><div> &</div><div><div>and in 2nd container (cont2) config:</div><div><div>lxc.id_map = u 0 101500 1000<br></div><div>lxc.id_map = g 0 101500 1000</div></div></div><div><br></div><div> get the same error</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.985 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.524 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.</p></div><div> <br></div><div>If I try something like below:</div><div><div>in 1st container (cont1) config, </div><div>lxc.id_map = u 0 100000 1000</div><div>lxc.id_map = g 0 100000 1000</div><div><br></div><div>and in 2nd container (cont2) config:</div><div><div>lxc.id_map = u 0 100000 2000<br></div><div>lxc.id_map = g 0 100000 2000</div><div><br></div><div>it works, but on the host both the containers created by my lxcuser has same userid which is 100000. Hence, it is not possible to identify each container uniquely on host machine</div><div><br></div><div>My query is that, is there any way a non-root user can create various containers and each container will have unique UserId on the host machine ??</div><br class="m_3154544070833032390gmail-Apple-interchange-newline"></div>Thanks for your help,</div><div>Yasoda</div><div><br>From: Xavier Gendre <<a href="mailto:gendre.reivax@gmail.com" target="_blank">gendre.reivax@gmail.com</a>><br>To: <a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>Cc: <br>Bcc: <br>Date: Mon, 20 Aug 2018 09:24:31 +0200<br>Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??<br>Hi Yasoda,<br><br>only 10 ids is a bit short for a container. You should increase this <br>number to cover at least the system ids 0-999. Depending on the <br>distribution you run in your containers, you can be sharper and only <br>involve the needed ids but they all have to be covered.<br><br>Xavier <br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_quote"><div dir="ltr">On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala <<a href="mailto:padala.yasoda@gmail.com" target="_blank">padala.yasoda@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi All,<div>I have created non-root user on my Ubuntu (16.04) machine who creates unprivileged LXC containers.</div><div>My user's uid/gid on the host is 1000.<br></div><div>and below are the entries in /etc/subuid & /etc/subgid files</div><div><br></div><div>/etc/subuid:</div><div>lxcuser:100000 65536</div><div><br></div><div>/etc/subgid:</div><div>lxcuser:100000:65536</div><div><br></div><div>My requirement is for each LXC unprivileged container, I should be able to pick a UID/GID range. <br></div><div>For instance, I have created two LXC containers cont1 and cont2</div><div>in cont1 config, I have added the below id mappings</div><div>lxc.id_map = u 0 100000 10</div><div>lxc.id_map = g 0 100000 10</div><div><br></div><div>and in con2 config file, I have added the below id mappings</div><div><div>lxc.id_map = u 0 100020 10</div><div>lxc.id_map = g 0 100020 10</div></div><div><br></div><div>cont1 starts successfullly but cont2 gives the below error while starting the container</div><div><br></div><div><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">lxc-start 20180817035100.984 ERROR
lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real
path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount
rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to
setup rootfs for 'uidranges'</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up
rootfs mount after spawn</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_start - start.c:do_start:811 - Failed to setup
container "uidranges".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.984
ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in
another process (expected sequence number 3)</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035100.985
ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn
container "uidranges".</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.524
ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The
container failed to start.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525
ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more
details, run the container in foreground mode.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> lxc-start 20180817035106.525
ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional
information can be obtained by setting the --logfile and --logpriority options.</p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"> </p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">My understanding is lxcuser who has been assigned with id range of 100000-165536 can assign a distinct subuid/gid ranges for each container spawned by lxcuser.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">is my understanding correct ?? I am not finding any reference documents for custom user mappings for LXC unprivileged containers</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Any help on this is highly appreciated.</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p>
<p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Thanks & Regards,</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif">Yasoda</p><p class="MsoNormal" style="margin:0in 0in 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><br></p></div><div><br></div></div></blockquote></div></blockquote></div></div>
<br><br><br>---------- Forwarded message ----------<br>From: Dirk Geschke <<a href="mailto:dirk@lug-erding.de" target="_blank">dirk@lug-erding.de</a>><br>To: LXC users mailing-list <<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a>><br>Cc: <br>Bcc: <br>Date: Tue, 21 Aug 2018 13:39:08 +0200<br>Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??<br>Hi Yasoda,<br>
<br>
> get the same error<br>
> <br>
> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 -<br>
> Permission denied - Failed to get real path for<br>
> "/home/oxpd/.local/share/lxc/uidranges/rootfs".<br>
<br>
can you check the directory permissions for <br>
<br>
/home/oxpd/.local/share/lxc/uidranges<br>
<br>
I think, they should own the LXC-root but the group should <br>
be yours and mode 770, the group must have full access. <br>
Otherwise the unprivileged user can't access his own <br>
container configuration.<br>
<br>
Best regards<br>
<br>
Dirk<br>
<br>
-- <br>
+----------------------------------------------------------------------+<br>
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |<br>
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |<br>
| <a href="mailto:dirk@geschke-online.de" target="_blank">dirk@geschke-online.de</a> / <a href="mailto:dirk@lug-erding.de" target="_blank">dirk@lug-erding.de</a> / <a href="mailto:kontakt@lug-erding.de" target="_blank">kontakt@lug-erding.de</a> |<br>
+----------------------------------------------------------------------+<br>
<br>
_______________________________________________<br>
lxc-users mailing list<br>
<a href="mailto:lxc-users@lists.linuxcontainers.org" target="_blank">lxc-users@lists.linuxcontainers.org</a><br>
<a href="http://lists.linuxcontainers.org/listinfo/lxc-users" rel="noreferrer" target="_blank">http://lists.linuxcontainers.org/listinfo/lxc-users</a></blockquote></div></div></div>