[lxc-users] uid range not allowed

rob e redgerhoo at yahoo.com.au
Sat Jul 23 08:38:30 UTC 2016



On 23/07/16 17:49, Christoph Willing wrote:
> I'm following the guide to run X apps in a container at:
> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>
> As a starting point, I have a normal unprivileged container running 
> perfectly. However when I change the id_map configuration to look like:
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
>
> the container fails to start, claiming:
>
> chris at d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> ...
> ...
>
> Sure enough, if I comment out the lines:
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
>
> the container runs again - but it's that particular mapping that is 
> needed in this case.
>
> I set up a log file to priority DEBUG but no extra clues there - it 
> just says the same thing.
>
> I'm using:
>     lxc-2.0.1
>     cgmanager-0.39
> with container config file attached.
>
> Can anyone shed light on this problem please?
>
> chris
umm .. I have exactly that setup (user and group id mapping) and it 
works for me. It's what I use for desktop integration. Did you change 
the /etc/sub* files as per the following?
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

I promise it works here. This is the config for one of my most used 
containers

    # Template used to create this container:
    /usr/share/lxc/templates/lxc-download
    # Parameters passed to the template: -d ubuntu -r xenial -a amd64
    # For additional config options, please look at lxc.container.conf(5)

    # Uncomment the following line to support nesting containers:
    #lxc.include = /usr/share/lxc/config/nesting.conf
    # (Be aware this has security implications)

    # Distribution configuration
    lxc.include = /usr/share/lxc/config/ubuntu.common.conf
    lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
    lxc.arch = x86_64

    # Container specific configuration
    # ------- Replaced -------#
    #lxc.id_map = u 0 100000 65536
    #lxc.id_map = g 0 100000 65536
    # ------- With -------#Permission denied -
    lxc.id_map = u 0 100000 1000
    lxc.id_map = g 0 100000 1000
    lxc.id_map = u 1000 1000 1
    lxc.id_map = g 1000 1000 1
    lxc.id_map = u 1001 101001 64535
    lxc.id_map = g 1001 101001 64535
    # --------------------#

    lxc.rootfs = /mnt/....../<container-name>/rootfs
    lxc.rootfs.backend = dir
    lxc.utsname = <container-name>

    # Network configuration
    lxc.network.type = veth
    lxc.network.link = lxcbr0
    lxc.network.flags = up
    lxc.network.hwaddr = xx:xx:xx:xx:xx:xx

    # =========================== My Additions ========================== #
    ## Set resource limits
    lxc.cgroup.cpuset.cpus = 1-3
    lxc.cgroup.cpu.shares = 256
    lxc.cgroup.memory.limit_in_bytes = 4G
    lxc.cgroup.blkio.weight = 500

    lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
    lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
    lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
    # lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file # NO CAMERA
    lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file

    #lxc.hook.pre-start = /mnt/...../<container-name>/setup-pulse.sh
    lxc.hook.pre-start = /mnt/.....<container-name>/lxc-devsetup

    lxc.aa_profile = lxc-container-default-with-mounting
    ## lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm ... in this case /dev/sr0   (EXCLUDES /dev/sr1)
    lxc.cgroup.devices.allow = b 11:0 rwm
    ## and add /dev/sr1
    lxc.cgroup.devices.allow = b 11:1 rwm
    # Fuse (user mounted filesystem facilitator), character device at 10:29  (use ls -la /dev/fuse)
    lxc.cgroup.devices.allow = c 10:29 rwm
    # ==================== End Change For Xenial ====================== #


And the /etc/sub* files (modified to protect the innocent ...)
/etc/subuid

    <me>:100000:65536
    <lxd>:165536:65536
    root:165536:65536
    <someone>:231072:65536
    root:1000:1

/etc/subgid

    <me>:100000:65536
    <lxd>:165536:65536
    root:165536:65536
    <someone>:231072:65536
    root:1000:1

