[lxc-users] move unprivileged containers - uid/gid map

Fajar A. Nugraha list at fajar.net
Mon Jul 11 06:16:34 UTC 2016


On Sun, Jul 10, 2016 at 7:20 AM, Benoit GEORGELIN - Association Web4all <
benoit.georgelin at web4all.fr> wrote:

> Hi,
>
> I'm looking to move unprivileged containers from one host to another.
> I'm actually moving pure LXC containers to a new LXD/LXC host
>
> I would like to know how should I deal with the uid/gid inside the
> container.
> The root uid/gid is different on the new host.  But I can simply replace
> the old UID/GID by the new one with a find request but how should I do
> with the other user ids used inside the container ?
>
>
use fuidshift from lxd-tools package



> I did not understand where the uid/gid map is done
>
> Inside the container
> root at w4a:~# id ubuntu
> uid=1000(ubuntu) gid=1000(ubuntu)
>
> Folder :
> drwxr-xr-x  2 ubuntu ubuntu  6 Jul  8 23:17 ubuntu
>
> Outside the container
> drwxr-xr-x  2 166536 166536  6 Jul  8 23:17 ubuntu
>
> How does the system know about uid/gid 1000 inside container = uid/gid 166536
> outside the container
> It looks like root uid = 165536 outside the container and it is defined by
> lxc configuration
> id 1000 inside the container will be root uid + user id , so 165536 + 1000
> = 166536
>
>
yes



> But what if two containers have a user uid 100 ? they will both have the
> same uid outside the container ?
>
>
short version, yes.



> About migrating the container, how should I manage it ?
> Should I re-do the mapping myself ?  Like looking into /etc/passwd inside
> the container then use the root uid + the id found for that user in
> /etc/passwd and replace the old uid/gid by the new one ? Maybe there is
> faster/better solution ?
>
>
Don't mess with passwd/group inside the container. Just use fuidshift.



> I was looking to add a uid/gid mapping to match the container
> configuration as it was before, but it does not seem to work
>
> I have this as an example in a config file dedicated for the container on
> the LXC pure host.
> # Container specific configuration
> lxc.id_map = u 0 951968 65536
> lxc.id_map = g 0 951968 65536
>
> Here is what I did to the new host :
> cat /etc/subuid
> gxd:100000:65536
> root:165536:65536
> root:951968:65536
>
>

The easiest way is to NOT change anything. lxd currently only supports one
uid range for unpriv containers. Undo your changes.



> I also tried to set lxc.raw
>
> cat << EOF |lxc config set test-ct raw.lxc -
> lxc.id_map = u 0 951968 65536
> lxc.id_map = g 0 951968 65536
> EOF
>
> But in that case, the container doesn't start.
>
>

... which, as you've found out, doesn't work.


There's a script to convert lxc -> lxd somewhere on this list, but I
usually do things manually:
(1) create a container in lxd. Start it, stop it, then look at its uid
mapping (i.e. "which u/gid owns
/var/lib/lxd/containers/container_name/rootfs")
(2) use fuidshift with "-r" to shift your lxc container u/gid back to
privileged, using the starting u/gid value in your original lxc config
(should be 951968)
(3) use fuidshift again, but this time without "-r", to shift your lxc
container to unprivileged, using the starting u/gid value from (1)
(4) move your new lxd container's original rootfs somewhere else (or delete
it if you want), then replace it with rootfs from (3)
(5) start your lxd containers

-- 
Fajar
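The arithmetic behind steps (1) to (3), as an added Python example that is not from this thread and not lxd's fuidshift: it reads the range base from the owner of the rootfs (step 1), then unshifts with the old base and reshifts with the new one in a single chown pass. The names IdMap, detect_base, reshift and reshift_tree are hypothetical, and a range size of 65536 is assumed.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class IdMap:
    """One lxc.id_map / subuid style range: container ids 0..size-1 are host ids base..base+size-1."""
    base: int
    size: int

    def to_container(self, host_id):
        if self.base <= host_id < self.base + self.size:
            return host_id - self.base
        return None  # host id is outside this container's range

    def to_host(self, container_id):
        return self.base + container_id

def detect_base(rootfs):
    """Step (1): the owner of the rootfs directory is container root, i.e. the range base.
    Size 65536 is assumed (the range size used in the thread)."""
    st = os.lstat(rootfs)
    return IdMap(st.st_uid, 65536), IdMap(st.st_gid, 65536)

def reshift(host_id, old_map, new_map):
    """Steps (2) and (3) in one move: unshift with the old base, shift with the new one.
    Ids outside the old range (e.g. files left by a bind mount) come back unchanged."""
    cid = old_map.to_container(host_id)
    return host_id if cid is None else new_map.to_host(cid)

def reshift_tree(rootfs, old_uid, old_gid, new_uid, new_gid, apply=False):
    """Plan (and with apply=True perform, which needs root) the chown of every entry below
    rootfs. Returns (path, old uid, old gid, new uid, new gid) for each entry that changes."""
    paths = [rootfs]
    for dirpath, dirnames, filenames in os.walk(rootfs):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    plan = []
    for path in paths:
        st = os.lstat(path)  # lstat: never follow symlinks, they may point outside rootfs
        uid, gid = reshift(st.st_uid, old_uid, new_uid), reshift(st.st_gid, old_gid, new_gid)
        if (uid, gid) == (st.st_uid, st.st_gid):
            continue
        plan.append((path, st.st_uid, st.st_gid, uid, gid))
        if apply:
            os.lchown(path, uid, gid)
            if not stat.S_ISLNK(st.st_mode):  # chown clears setuid/setgid bits: restore the mode
                os.chmod(path, stat.S_IMODE(st.st_mode))
    return plan
```

Run it with apply=False first and inspect the plan; the mode restore matters because chown silently drops setuid/setgid on files such as sudo or passwd.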