[lxc-users] ID mapping blues (was: Does lxc-execute work with unprivileged containers?)
Serge Hallyn
serge.hallyn at ubuntu.com
Thu Feb 26 20:01:58 UTC 2015
Quoting Patrick Toomey (patrick.toomey at github.com):
> > If you want the container to have access to your host uid 1000's
> files, then add a second mapping,
>
> Yup, this is what I eventually figured out. Is there a way to get
> lxc-execute to not exec the passed in executable as uid 0? This is all just
> a total proof of concept, but I was aiming to:
>
> * Map some low privileged user with outside uid (1000) to inside uid (1000)
> * Leave all other uids unmapped
> * Have the passed in executable execute as uid 1000 inside the container
>
> Here is my current config:
>
> cat default.conf
> lxc.id_map = u 1000 1000 1
> lxc.id_map = u 0 100000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = g 0 100000 1
>
> I was forced to map inside uid 0 or I get the following error when I run
> lxc-execute:
> lxc-execute: cgmanager.c: chown_cgroup_wrapper: 424 Invalid argument -
> Failed to setgid to 0
> lxc-execute: cgmanager.c: chown_cgroup_wrapper: 426 Invalid argument -
> Failed to setuid to 0
>
> So, with the above config I do successfully launch bash, but it seems as
> though lxc.init always does that as uid 0:
Hm, yes, because 'lxc-execute' starts the container with "lxc-init" as
the pid 1, which then executes the program you requested. You could
1. do something like lxc-execute -- sudo --user \#1000 bash
2. actually start the full container using lxc-start, then ssh in as your
user.
> lxc-execute -n blah99 -f test.conf --lxcpath=/home/my_user/containers --
> bash
> lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to
> cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from
> different namespace requires a proxy
> bash: /root/.bashrc: Permission denied
> root at myhost:/home/my_user#
>
> So, uid 0 is mapped to outside uid 100000 and uid 1000 is mapped to inside
> uid 1000, but I'd like to have bash itself launch as uid 1000. But, it
> seems like lxc-execute currently forces a switch to uid 0 in the
> container. I'm guessing executing the spawned process as the original
> parent uid is not possible? In theory I could just map inside uid 0 to
> outside uid 1000 get the effective permissions I'd be looking for. But, you
> get weird side effects like the "bash: /root/.bashrc: Permission denied"
> since bash will believe that /root is the user's home directory.
>
> As an aside, no matter what I do I always get the error:
> "lxc: cgmanager.c: lxc_cgmanager_escape: 329 call to
> cgmanager_move_pid_abs_sync(name=systemd) failed: Escape request from
> different namespace requires a proxy"
Hm, are you doing this nested, i.e. from inside a container? For some
reason you are in a network namespace different from cgmanager's. You
can confirm this by doing
ls -li /proc/self/ns/pid
ls -li /proc/`pidof cgmanager`/ns/pid
> The above error doesn't seem to affect the ability to spawn the child
> process/container, but I was not sure what was causing it and/or what side
> effects may occur because of it.
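An added helper, not part of this thread or of LXC itself, that parses lxc.id_map lines in the form used above ("u <inside> <outside> <count>") and resolves ids in both directions. Ids outside every range come back as the kernel's overflow id 65534 (what shows up as nobody/nogroup inside the container), and ranges that overlap, which the kernel rejects when the map is written, are flagged; the sample config is the one quoted in the thread.

```python
"""Resolve uid/gid translations described by lxc.id_map lines."""
import re
from typing import List, Optional, Tuple

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid for unmapped ids

# (kind, inside_start, outside_start, count), kind is "u" or "g"
Mapping = Tuple[str, int, int, int]

# Config quoted in the thread above (constructed sample input).
PAGE_CONF = """lxc.id_map = u 1000 1000 1
lxc.id_map = u 0 100000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = g 0 100000 1
"""

_LINE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_id_map(config_text: str) -> List[Mapping]:
    """Return every lxc.id_map line as (kind, inside, outside, count)."""
    maps: List[Mapping] = []
    for line in config_text.splitlines():
        m = _LINE.match(line)
        if m:
            kind, inside, outside, count = m.groups()
            maps.append((kind, int(inside), int(outside), int(count)))
    return maps


def inside_to_outside(maps: List[Mapping], kind: str, inside_id: int) -> Optional[int]:
    """Host id backing a container id, or None if the id is not mapped."""
    for k, ins, out, cnt in maps:
        if k == kind and ins <= inside_id < ins + cnt:
            return out + (inside_id - ins)
    return None


def seen_inside(maps: List[Mapping], kind: str, outside_id: int) -> int:
    """Id the container sees for a host id; unmapped host ids appear as 65534."""
    for k, ins, out, cnt in maps:
        if k == kind and out <= outside_id < out + cnt:
            return ins + (outside_id - out)
    return OVERFLOW_ID


def check_overlaps(maps: List[Mapping]) -> List[str]:
    """Flag inside or outside ranges of the same kind that overlap."""
    problems = []
    for kind in ("u", "g"):
        rs = [(ins, out, cnt) for k, ins, out, cnt in maps if k == kind]
        for i, a in enumerate(rs):
            for b in rs[i + 1:]:
                if a[0] < b[0] + b[2] and b[0] < a[0] + a[2]:
                    problems.append(f"{kind}: inside ranges overlap: {a} vs {b}")
                if a[1] < b[1] + b[2] and b[1] < a[1] + a[2]:
                    problems.append(f"{kind}: outside ranges overlap: {a} vs {b}")
    return problems
```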