[lxc-users] uid range not allowed

Christoph Willing chris.willing at iinet.net.au
Sat Jul 23 10:03:31 UTC 2016


On 23/07/16 18:38, rob e wrote:
>
>
> On 23/07/16 17:49, Christoph Willing wrote:
>> I'm following the guide to run X apps in a container at:
>>       https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>> As a starting point, I have a normal unprivileged container running
>> perfectly. However when I change the id_map configuration to look like:
>> lxc.id_map = u 0 100000 1000
>> lxc.id_map = g 0 100000 1000
>> lxc.id_map = u 1000 1000 1
>> lxc.id_map = g 1000 1000 1
>> lxc.id_map = u 1001 101001 64535
>> lxc.id_map = g 1001 101001 64535
>>
>> the container fails to start, claiming:
>>
>> chris at d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
>> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
>> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
>> ...
>> ...
>>
>> Sure enough, if I comment out the lines:
>> lxc.id_map = u 1000 1000 1
>> lxc.id_map = g 1000 1000 1
>>
>> the container runs again - but it's that particular mapping that is
>> needed in this case.
>>
>> I set up a log file to priority DEBUG but no extra clues there - it
>> just says the same thing.
>>
>> I'm using:
>>     lxc-2.0.1
>>     cgmanager-0.39
>> with container config file attached.
>>
>> Can anyone shed light on this problem please?
>>
>> chris
>>
>>
>>
>>
>> _______________________________________________
>> lxc-users mailing list
>> lxc-users at lists.linuxcontainers.org
>> http://lists.linuxcontainers.org/listinfo/lxc-users
> umm .. I have exactly that setup (user and group id mapping) and it
> works for me. It's what I use for desktop integration. Did you change
> the /etc/sub* files as per the following ?
> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
>
[snip]

Yes, from that site I already had chris:100000:65536

What was missing was a chris:1000:1 entry, so now I have:
     chris:1000:1
     chris:100000:65536

which is allowing container startup without any error.

I see you have a root:1000:1 entry - that didn't work for me. I guess 
you're running yours as privileged containers?

chris


> And the /etc/sub* files (modified to protect the innocent ...)
> /etc/subuid
>
>     <me>:100000:65536
>     <lxd>:165536:65536
>     root:165536:65536
>     <someone>:231072:65536
>     root:1000:1
>
> /etc/subgid
>
>     <me>:100000:65536
>     <lxd>:165536:65536
>     root:165536:65536
>     <someone>:231072:65536
>     root:1000:1
>
>

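The fix in the thread comes down to one rule: every host-side range in `lxc.id_map` must lie entirely inside a subordinate range granted to the user starting the container, so a `root:1000:1` entry does nothing for `chris`. The script below is an added example, not code from the thread or from LXC; it re-implements that range check over constructed copies of chris's config and `/etc/subuid` before and after the fix.

```python
# Added example (not from the thread or from LXC): re-implements the range
# check newuidmap/newgidmap apply to lxc.id_map. Each host range must lie
# entirely inside a range granted to the *calling* user in /etc/subuid
# (uids) or /etc/subgid (gids); entries for other users do not count.

def parse_sub_file(text, user):
    """Return (start, end) host-id ranges granted to `user`; lines are user:start:count."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(start) + int(count)))  # end is exclusive
    return ranges

def parse_id_map(text, kind):
    """Return (container_id, host_start, host_end) for `lxc.id_map = <u|g> cid hid count`."""
    maps = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        k, cid, hid, count = value.split()
        if k == kind:
            maps.append((int(cid), int(hid), int(hid) + int(count)))
    return maps

def rejected_ranges(sub_text, config_text, user, kind):
    """Host ranges newuidmap/newgidmap would refuse, as (start, end) pairs."""
    allowed = parse_sub_file(sub_text, user)
    return [(hs, he) for _, hs, he in parse_id_map(config_text, kind)
            if not any(a <= hs and he <= b for a, b in allowed)]

# Constructed from the thread: chris's id_map and /etc/subuid before and after the fix.
ID_MAP = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
SUBUID_BEFORE = "chris:100000:65536\nroot:1000:1\n"  # root's entry does not help chris
SUBUID_AFTER = "chris:1000:1\nchris:100000:65536\n"

if __name__ == "__main__":
    for label, sub in (("before", SUBUID_BEFORE), ("after", SUBUID_AFTER)):
        bad = rejected_ranges(sub, ID_MAP, "chris", "u")
        print(label, "->", bad or "all uid mappings allowed")
```

Run as `chris`, the "before" file reports the single rejected range `(1000, 1001)`, matching the `uid range [1000-1001) -> [1000-1001) not allowed` message; the "after" file reports none.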