[lxc-users] uid range not allowed
Christoph Willing
chris.willing at iinet.net.au
Sat Jul 23 07:49:07 UTC 2016
I'm following the guide to run X apps in a container at:
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
the container fails to start, claiming:
chris at d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...
Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
the container runs again - but it's that particular mapping that is
needed in this case.
I set up a log file to priority DEBUG but no extra clues there - it just
says the same thing.
I'm using:
lxc-2.0.1
cgmanager-0.39
with container config file attached.
Can anyone shed light on this problem please?
chris
-------------- next part --------------
# Template used to create this container: /usr/share/lxc/templates/lxc-spbuilder-1402
# Parameters passed to the template: -a x86_64
# For additional config options, please look at lxc.container.conf(5)
# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:d9:8e:4a
lxc.rootfs = /home/chris/.local/share/lxc/x11-test-x86_64/rootfs
lxc.rootfs.backend = dir
lxc.utsname = x11-test-x86_64
lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file
#lxc.hook.pre-start = /home/chris/.local/share/lxc/precise-gui/setup-pulse.sh
lxc.mount.entry = /scratch/PKG/SBo/slackbuilds mnt/slackbuilds none bind,ro,create=dir 0 0
#lxc.mount.entry = /var/cache/spbuilder var/cache/spbuilder none bind,create=dir 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup
lxc.tty = 4
lxc.pts = 1024
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
#lxc.id_map = u 1000 1000 1
#lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
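The error in the post comes from newuidmap/newgidmap, which refuse any host-side id range that has not been delegated to the calling user in /etc/subuid and /etc/subgid. The script below is an added example, not code from the post or from the LXC project; it parses lxc.id_map lines and subuid/subgid-style entries and applies the same containment rule, so a mapping can be checked before lxc-start is run. The /etc/subuid and /etc/subgid contents are constructed for user "chris" and assume only the usual 100000-165535 block has been delegated.

```python
"""Check lxc.id_map host ranges against /etc/subuid- and /etc/subgid-style entries.

Added example (not from the mailing-list post). newuidmap and newgidmap accept a
mapping only when every host-side range [host_start, host_start+count) lies
entirely inside a range delegated to the calling user in /etc/subuid or
/etc/subgid. A host uid such as 1000 that is not delegated is rejected even
though the user owns it, which is the "[1000-1001) not allowed" failure.
"""

from typing import Dict, List, Tuple

# Constructed sample /etc/subuid and /etc/subgid for user "chris" (assumption:
# default delegation of one 65536-id block, nothing else).
SUBUID_TEXT = "chris:100000:65536\n"
SUBGID_TEXT = "chris:100000:65536\n"

# The id_map lines from the post that make the container fail to start.
IDMAP_TEXT = """
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return [(start, count), ...] delegated to `user` (subuid/subgid syntax: name:start:count)."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def parse_idmap(text: str) -> List[Tuple[str, int, int, int]]:
    """Return [(kind, container_start, host_start, count), ...] from lxc.id_map lines."""
    maps = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("lxc.id_map"):
            continue
        kind, cstart, hstart, count = line.split("=", 1)[1].split()
        maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps


def covered(host_start: int, count: int, allowed: List[Tuple[int, int]]) -> bool:
    """True if the host range [host_start, host_start+count) lies inside one delegated range."""
    return any(s <= host_start and host_start + count <= s + c for s, c in allowed)


def check_idmaps(idmap_text: str, subuid_text: str, subgid_text: str, user: str) -> List[str]:
    """Return one message per mapping that newuidmap/newgidmap would reject; [] means all accepted."""
    allowed: Dict[str, List[Tuple[int, int]]] = {
        "u": parse_subid(subuid_text, user),
        "g": parse_subid(subgid_text, user),
    }
    problems = []
    for kind, cstart, hstart, count in parse_idmap(idmap_text):
        if not covered(hstart, count, allowed[kind]):
            tool = "newuidmap" if kind == "u" else "newgidmap"
            problems.append(
                f"{tool}: host range [{hstart}-{hstart + count}) for container range "
                f"[{cstart}-{cstart + count}) is not delegated to {user}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_idmaps(IDMAP_TEXT, SUBUID_TEXT, SUBGID_TEXT, "chris") or ["all mappings allowed"]:
        print(problem)
```

With the constructed files the two `1000 1000 1` lines are reported and the rest pass; adding a `chris:1000:1` entry to both sample files makes the check return an empty list, which is the delegation the guide's setup relies on. Delegating a real host uid this way deliberately lets processes in the container act as that host user, so the entry should cover exactly the one id the X setup needs and nothing wider.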