[lxc-users] move unprivileged containers - uid/gid map
Benoit GEORGELIN - Association Web4all
benoit.georgelin at web4all.fr
Mon Jul 11 14:34:10 UTC 2016
Hello Fajar,
Thanks, "fuidshift" is what I was looking for :)
It's working. I already made my own script to move it from one host (LXC) to the other one (LXD). I guess the one that you were talking about is: https://github.com/lxc/lxd/blob/master/scripts/lxc-to-lxd
Have a nice day
Regards,
Benoît
From: "Fajar A. Nugraha" <list at fajar.net>
To: "lxc-users" <lxc-users at lists.linuxcontainers.org>
Sent: Monday 11 July 2016 02:16:34
Subject: Re: [lxc-users] move unprivileged containers - uid/gid map
On Sun, Jul 10, 2016 at 7:20 AM, Benoit GEORGELIN - Association Web4all <benoit.georgelin at web4all.fr> wrote:
> Hi,
> I'm looking to move unprivileged containers from one host to another.
> I'm actually moving pure LXC containers to a new LXD/LXC host.
> I would like to know how I should deal with the uid/gid inside the container.
> The root uid/gid is different on the new host. I can simply replace the old UID/GID with the new one using a find command, but what should I do about the other user ids used inside the container?
Use fuidshift from the lxd-tools package.
> I did not understand where the uid/gid map is done.
>
> Inside the container:
> root@w4a:~# id ubuntu
> uid=1000(ubuntu) gid=1000(ubuntu)
> Folder:
> drwxr-xr-x 2 ubuntu ubuntu 6 Jul 8 23:17 ubuntu
>
> Outside the container:
> drwxr-xr-x 2 166536 166536 6 Jul 8 23:17 ubuntu
>
> How does the system know that uid/gid 1000 inside the container = uid/gid 166536 outside the container?
> It looks like root uid = 165536 outside the container, and it is defined by the lxc configuration.
> id 1000 inside the container will be root uid + user id, so 165536 + 1000 = 166536.
yes
> But what if two containers have a user with uid 100? Will they both have the same uid outside the container?
short version, yes.
> About migrating the container, how should I manage it?
> Should I redo the mapping myself? Like looking into /etc/passwd inside the container, then using the root uid + the id found for that user in /etc/passwd and replacing the old uid/gid with the new one? Maybe there is a faster/better solution?
Don't mess with passwd/group inside the container. Just use fuidshift.
> I was looking to add a uid/gid mapping to match the container configuration as it was before, but it does not seem to work.
> I have this as an example in a config file dedicated to the container on the pure LXC host:
> # Container specific configuration
> lxc.id_map = u 0 951968 65536
> lxc.id_map = g 0 951968 65536
> Here is what I did on the new host:
> cat /etc/subuid
> gxd:100000:65536
> root:165536:65536
> root:951968:65536
The easiest way is to NOT change anything. lxd currently only supports one uid range for unpriv containers. Undo your changes.
> I also tried to set raw.lxc:
> cat << EOF | lxc config set test-ct raw.lxc -
> lxc.id_map = u 0 951968 65536
> lxc.id_map = g 0 951968 65536
> EOF
> But in that case, the container doesn't start.
... which, as you've found out, doesn't work.
There's a script to convert lxc -> lxd somewhere on this list, but I usually do things manually:
(1) create a container in lxd. Start it, stop it, then look at its uid mapping (i.e. "which u/gid owns /var/lib/lxd/containers/container_name/rootfs")
(2) use fuidshift with "-r" to shift your lxc container u/gid back to privileged, using the starting u/gid value in your original lxc config (should be 951968)
(3) use fuidshift again, but this time without "-r", to shift your lxc container to unprivileged, using the starting u/gid value from (1)
(4) move your new lxd container's original rootfs somewhere else (or delete it if you want), then replace it with rootfs from (3)
(5) start your lxd containers
--
Fajar
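The map arithmetic Benoit worked out above (inside id + host base = outside id) and the two-step re-base in Fajar's steps (2) and (3), as an added example that is not part of the thread and not LXD's own code. The helper names (shift_id, unshift_id, rebase_id, plan_rebase) and the "uid gid path" sample records are constructed for illustration; the bases 951968 (old LXC host, from Benoit's config) and 165536 (new LXD host, from his ls output) are the thread's values, and the fuidshift invocations in the trailing comment follow the tool's usage message as I remember it, so confirm them against fuidshift on your version before running anything as root.

```shell
#!/bin/sh
# Added example, not from the thread or from LXD's own tooling.
# It models the id arithmetic behind an unprivileged container's map and
# dry-runs the two-step re-base Fajar describes: shift back to privileged
# with the old host's base, then shift into the new host's range.
# Hypothetical helper names and constructed sample data; nothing here
# touches the filesystem.

# shift_id <container_id> <first_container_id> <first_host_id> <count>
# Forward map (container -> host). Prints the host id; returns 1 if the id
# is outside the mapped window, i.e. a case the map does not cover.
shift_id() {
  id=$1; cfirst=$2; hfirst=$3; count=$4
  if [ "$id" -lt "$cfirst" ] || [ "$id" -ge $((cfirst + count)) ]; then
    return 1
  fi
  echo $((id - cfirst + hfirst))
}

# unshift_id <host_id> <first_container_id> <first_host_id> <count>
# Reverse map (host -> container), the direction "fuidshift -r" works in.
unshift_id() {
  shift_id "$1" "$3" "$2" "$4"
}

# rebase_id <host_id> <old_host_base> <new_host_base> <count>
# Steps (2) and (3) for a single id: unshift with the old base, then shift
# with the new one. Ids that were never inside the old window (e.g. a
# host-owned file that shows up as nobody in the container) are passed
# through unchanged and flagged with a non-zero status.
rebase_id() {
  hid=$1; oldbase=$2; newbase=$3; count=$4
  cid=$(unshift_id "$hid" 0 "$oldbase" "$count") || { echo "$hid"; return 1; }
  shift_id "$cid" 0 "$newbase" "$count"
}

# plan_rebase <old_host_base> <new_host_base> <count>
# Reads "uid gid path" records on stdin and prints the chown each file
# would get. We print instead of chown so the plan can be reviewed, much
# like fuidshift's -t test mode.
plan_rebase() {
  oldbase=$1; newbase=$2; count=$3
  while read -r uid gid path; do
    if ! nuid=$(rebase_id "$uid" "$oldbase" "$newbase" "$count"); then
      echo "skip $path (uid $uid outside old range)"
      continue
    fi
    if ! ngid=$(rebase_id "$gid" "$oldbase" "$newbase" "$count"); then
      echo "skip $path (gid $gid outside old range)"
      continue
    fi
    echo "chown -h $nuid:$ngid $path"
  done
}

# Constructed sample: host-side ownership of a few paths in a rootfs made on
# the old LXC host (root mapped at 951968, as in the thread's config). The
# last entry is owned by a host id the map never covered.
SAMPLE='951968 951968 rootfs
951968 951968 rootfs/etc/passwd
952968 952968 rootfs/home/ubuntu
65534 65534 rootfs/var/cache/host-owned'

# Re-base onto the new LXD host, whose container root is 165536 here (read
# yours from the owner of the new container's rootfs, as in step (1)).
printf '%s\n' "$SAMPLE" | plan_rebase 951968 165536 65536

# The real commands for the same job, run as root on the host with fuidshift
# from lxd-tools. Range syntax is [u|g|b]:<first_container_id>:<first_host_id>:<count>;
# add -t first for a dry run that changes nothing.
#   fuidshift /path/to/rootfs -r b:0:951968:65536   # (2) back to privileged
#   fuidshift /path/to/rootfs    b:0:165536:65536   # (3) into the LXD host's range
```

The skip lines are the check worth keeping: any path reported there was not owned by the old container's range, so after migration it will still appear as nobody inside the container, and a file owned by an id inside the range but outside the container's /etc/passwd is still re-based correctly, which is why the passwd/group files need no editing.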
_______________________________________________
lxc-users mailing list
lxc-users at lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users