[lxc-devel] [PATCH 1/1] print a helpful message if creating unpriv container with no idmap

Stéphane Graber stgraber at ubuntu.com
Thu Jul 31 18:14:43 UTC 2014


On Tue, Jul 29, 2014 at 06:26:29PM +0000, Serge Hallyn wrote:
> This gives me:
> 
> ubuntu at c-t1:~$ lxc-create -t download -n u1
> lxc_container: No mapping for container root
> lxc_container: Error chowning /home/ubuntu/.local/share/lxc/u1/rootfs to container root
> lxc_container: You must either run as root, or define uid mappings
> lxc_container: To pass uid mappings to lxc-create, you could create
> lxc_container: ~/.config/lxc/default.conf:
> lxc_container: lxc.include = /etc/lxc/default.conf
> lxc_container: lxc.id_map = u 0 100000 65536
> lxc_container: lxc.id_map = g 0 100000 65536
> lxc_container: Error creating backing store type (none) for u1
> lxc_container: Error creating container u1
> 
> when I create a container without having an id mapping defined.
> 
> Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>

Acked-by: Stéphane Graber <stgraber at ubuntu.com>

> ---
>  src/lxc/conf.c           | 147 +++++++++++++++++++++++++++++++++++++++++++++++
>  src/lxc/conf.h           |   5 ++
>  src/lxc/lxc_usernsexec.c |   2 -
>  src/lxc/lxccontainer.c   |   1 +
>  4 files changed, 153 insertions(+), 2 deletions(-)
> 
> diff --git a/src/lxc/conf.c b/src/lxc/conf.c
> index 052db98..9bd5437 100644
> --- a/src/lxc/conf.c
> +++ b/src/lxc/conf.c
> @@ -32,6 +32,9 @@
>  #include <inttypes.h>
>  #include <sys/wait.h>
>  #include <sys/syscall.h>
> +#include <sys/types.h>
> +#include <pwd.h>
> +#include <grp.h>
>  #include <time.h>
>  
>  #if HAVE_PTY_H
> @@ -4655,3 +4658,147 @@ err:
>  	close(p[1]);
>  	return -1;
>  }
> +
> +static char* getuname(void)
> +{
> +	struct passwd pwd, *result;
> +	char *buf, *ret = NULL;
> +	size_t bufsize;
> +	int s;
> +
> +	bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
> +	if (bufsize == -1)
> +		bufsize = 16384;
> +
> +	buf = malloc(bufsize);
> +	if (!buf)
> +		return NULL;
> +	
> +	s = getpwuid_r(geteuid(), &pwd, buf, bufsize, &result);
> +	if (s || result == NULL)
> +		goto out;
> +
> +	ret = strdup(pwd.pw_name);
> +out:
> +	free(buf);
> +	return ret;
> +}
> +
> +static char *getgname(void)
> +{
> +	struct group grp, *result;
> +	char *buf, *ret = NULL;
> +	size_t bufsize;
> +	int s;
> +
> +	bufsize = sysconf(_SC_GETGR_R_SIZE_MAX);
> +	if (bufsize == -1)
> +		bufsize = 16384;
> +
> +	buf = malloc(bufsize);
> +	if (!buf)
> +		return NULL;
> +	
> +	s = getgrgid_r(geteuid(), &grp, buf, bufsize, &result);
> +	if (s || result == NULL)
> +		goto out;
> +
> +	ret = strdup(grp.gr_name);
> +out:
> +	free(buf);
> +	return ret;
> +}
> +
> +void suggest_default_idmap(void)
> +{
> +	FILE *f;
> +	unsigned int uid = 0, urange = 0, gid = 0, grange = 0;
> +	char *line = NULL;
> +	char *uname, *gname;
> +	size_t len = 0;
> +
> +	if (!(uname = getuname()))
> +		return;
> +
> +	if (!(gname = getgname())) {
> +		free(uname);
> +		return;
> +	}
> +
> +	f = fopen(subuidfile, "r");
> +	if (!f) {
> +		ERROR("Your system is not configured with subuids");
> +		free(gname);
> +		free(uname);
> +		return;
> +	}
> +	while (getline(&line, &len, f) != -1) {
> +		char *p = strchr(line, ':'), *p2;
> +		if (*line == '#')
> +			continue;
> +		if (!p)
> +			continue;
> +		*p = '\0';
> +		p++;
> +		if (strcmp(line, uname))
> +			continue;
> +		p2 = strchr(p, ':');
> +		if (!p2)
> +			continue;
> +		*p2 = '\0';
> +		p2++;
> +		if (!*p2)
> +			continue;
> +		uid = atoi(p);
> +		urange = atoi(p2);
> +	}
> +	fclose(f);
> +
> +	f = fopen(subuidfile, "r");
> +	if (!f) {
> +		ERROR("Your system is not configured with subgids");
> +		free(gname);
> +		free(uname);
> +		return;
> +	}
> +	while (getline(&line, &len, f) != -1) {
> +		char *p = strchr(line, ':'), *p2;
> +		if (*line == '#')
> +			continue;
> +		if (!p)
> +			continue;
> +		*p = '\0';
> +		p++;
> +		if (strcmp(line, uname))
> +			continue;
> +		p2 = strchr(p, ':');
> +		if (!p2)
> +			continue;
> +		*p2 = '\0';
> +		p2++;
> +		if (!*p2)
> +			continue;
> +		gid = atoi(p);
> +		grange = atoi(p2);
> +	}
> +	fclose(f);
> +
> +	if (line)
> +		free(line);
> +
> +	if (!urange || !grange) {
> +		ERROR("You do not have subuids or subgids allocated");
> +		ERROR("Unprivileged containers require subuids and subgids");
> +		return;
> +	}
> +
> +	ERROR("You must either run as root, or define uid mappings");
> +	ERROR("To pass uid mappings to lxc-create, you could create");
> +	ERROR("~/.config/lxc/default.conf:");
> +	ERROR("lxc.include = %s", LXC_DEFAULT_CONFIG);
> +	ERROR("lxc.id_map = u 0 %u %u", uid, urange);
> +	ERROR("lxc.id_map = g 0 %u %u", gid, grange);
> +
> +	free(gname);
> +	free(uname);
> +}
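Review bot: The second pass at `f = fopen(subuidfile, "r");` reopens the subuid file instead of the subgid file, so gid/grange are parsed from /etc/subuid and the gname this function fetched is never used; it should read `f = fopen(subgidfile, "r");` and that loop should match on `if (strcmp(line, gname))` rather than uname. In getgname, `getgrgid_r(geteuid(), ...)` looks a group up by the effective uid; the intended key is presumably `getegid()`. The `!urange || !grange` early return also leaks uname and gname, so both need a free() before that return, as on the other error paths. The `atoi()` calls accept a malformed field silently and would then print an id_map suggestion of 0; `strtoul` with endptr/errno checking would skip such an entry instead.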
> diff --git a/src/lxc/conf.h b/src/lxc/conf.h
> index 3527c44..b540cce 100644
> --- a/src/lxc/conf.h
> +++ b/src/lxc/conf.h
> @@ -38,6 +38,10 @@
>  typedef void * scmp_filter_ctx;
>  #endif
>  
> +/* worth moving to configure.ac? */
> +#define subuidfile "/etc/subuid"
> +#define subgidfile "/etc/subgid"
> +
>  enum {
>  	LXC_NET_EMPTY,
>  	LXC_NET_VETH,
> @@ -400,4 +404,5 @@ extern int userns_exec_1(struct lxc_conf *conf, int (*fn)(void *), void *data);
>  extern int parse_mntopts(const char *mntopts, unsigned long *mntflags,
>  			 char **mntdata);
>  extern void tmp_proc_unmount(struct lxc_conf *lxc_conf);
> +extern void suggest_default_idmap(void);
>  #endif
> diff --git a/src/lxc/lxc_usernsexec.c b/src/lxc/lxc_usernsexec.c
> index 732a74a..3c1fec5 100644
> --- a/src/lxc/lxc_usernsexec.c
> +++ b/src/lxc/lxc_usernsexec.c
> @@ -250,8 +250,6 @@ static int read_default_map(char *fnam, int which, char *username)
>  	return 0;
>  }
>  
> -#define subuidfile "/etc/subuid"
> -#define subgidfile "/etc/subgid"
>  static int find_default_map(void)
>  {
>  	struct passwd *p = getpwuid(getuid());
> diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
> index 103309c..ca5da87 100644
> --- a/src/lxc/lxccontainer.c
> +++ b/src/lxc/lxccontainer.c
> @@ -813,6 +813,7 @@ static struct bdev *do_bdev_create(struct lxc_container *c, const char *type,
>  	if (geteuid() != 0 || (c->lxc_conf && !lxc_list_empty(&c->lxc_conf->id_map))) {
>  		if (chown_mapped_root(bdev->dest, c->lxc_conf) < 0) {
>  			ERROR("Error chowning %s to container root", bdev->dest);
> +			suggest_default_idmap();
>  			bdev_put(bdev);
>  			return NULL;
>  		}
> -- 
> 1.9.1
> 

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com