[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)

Patrick Toomey patrick.toomey at github.com
Thu Feb 26 17:23:03 UTC 2015 

>  If you want the container to have access to your host uid 1000's
files, then add a second mapping,

Yup. this is what I eventually figured out. Is there a way to get
lxc-execute to not exec the passed in executable as uid 0? This is all just
a total proof of concept, but I was aiming to:

* Map some low privileged user with outside uid (1000) to inside uid (1000)
* Leave all other uids unmapped
* Have the passed in executable execute as uid 1000 inside the container

Here is my current config:

  cat default.conf
    lxc.id_map = u 1000 1000 1
    lxc.id_map = u 0 100000 1
    lxc.id_map = g 1000 1000 1
    lxc.id_map = g 0 100000 1

I was forced to map inside uid 0 or I get the following error when I run
lxc-execute:
  lxc-execute: cgmanager.c: chown_cgroup_wrapper: 424 Invalid argument -
Failed to setgid to 0
  lxc-execute: cgmanager.c: chown_cgroup_wrapper: 426 Invalid argument -
Failed to setuid to 0

So, with the above config I do successfully launch bash, but it seems as
though lxc.init always does that as uid 0:

  lxc-execute -n blah99 -f test.conf --lxcpath=/home/my_user/containers --
bash
  lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to
cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from
different namespace requires a proxy
  bash: /root/.bashrc: Permission denied
  root at myhost:/home/my_user#

So, uid 0 is mapped to outside uid 100000 and uid 1000 is mapped to inside
uid 1000, but I'd like to have bash itself launch as uid 1000. But, it
seems like lxc-execute currently forces a switch to uid 0 in the
container. I'm guessing executing the spawned process as the original
parent uid is not possible? In theory I could just map inside uid 0 to
outside uid 1000 get the effective permissions I'd be looking for. But, you
get weird side effects like the "bash: /root/.bashrc: Permission denied"
since bash will believe that /root is the user's home directory.

As an aside, no matter what I do I always get:
  "lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to
cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from
different namespace requires a proxy" error."

The above error doesn't seem to affect the ability to spawn the child
process/container, but I was not sure what was causing it and/or what side
effects may occur because of it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxcontainers.org/pipermail/lxc-users/attachments/20150226/c47f9278/attachment.html>

More information about the lxc-users mailing list