[lxc-users] uid range not allowed

Serge E. Hallyn serge at hallyn.com
Sat Jul 23 13:44:41 UTC 2016


Quoting Christoph Willing (chris.willing at iinet.net.au):
> On 23/07/16 18:16, Andreas Vögele wrote:
> >Christoph Willing writes:
> >
> >>I'm following the guide to run X apps in a container at:
> >>      https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
> >>
> >>As a starting point, I have a normal unprivileged container running
> >>perfectly. However when I change the id_map configuration to look
> >>like:
> >>lxc.id_map = u 0 100000 1000
> >>lxc.id_map = g 0 100000 1000
> >>lxc.id_map = u 1000 1000 1
> >>lxc.id_map = g 1000 1000 1
> >>lxc.id_map = u 1001 101001 64535
> >>lxc.id_map = g 1001 101001 64535
> >>
> >>the container fails to start, claiming:
> >>
> >>chris at d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> >>newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> >>lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> >>[...]
> >>Can anyone shed light on this problem please?
> >
> >You've got to add the id to /etc/subuid and /etc/subgid. Example:
> >
> >chris:1000:1
> >chris:100000:65536
> 
> Thanks Andreas,
> 
> I had the second line but not the first. The container starts
> without error now.
> 
> chris

Note that the 1000 throughout here should be replaced by your real
uid and gid.  If you just use '1000' but that's not your uid/gid,
then you're letting your user own someone else's uid/gid.  Which means
any trojan that runs as you has more privilege than you thought.


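The check that failed above, as an added example that is not part of the thread or of LXC: it mirrors newuidmap's rule that every requested host range must lie inside a range /etc/subuid grants to the caller, and flags a count-1 grant that is not the caller's own uid, the mistake Serge warns about. The user name chris and uid 1000 come from the thread; the sample /etc/subuid contents are constructed.

```python
# Added example (not from the thread or LXC): reproduce newuidmap's range check
# so "uid range [1000-1001) -> [1000-1001) not allowed" is predictable up front.

# Constructed sample input mirroring the thread's lxc.id_map lines.
ID_MAP_CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
# Constructed /etc/subuid contents before and after Andreas' fix.
SUBUID_BEFORE = "chris:100000:65536\n"
SUBUID_AFTER = "chris:1000:1\nchris:100000:65536\n"


def parse_id_map(config, kind):
    """(container_id, host_id, count) for each lxc.id_map line of kind 'u' or 'g'."""
    maps = []
    for line in config.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "lxc.id_map":
            typ, cid, hid, count = value.split()
            if typ == kind:
                maps.append((int(cid), int(hid), int(count)))
    return maps


def parse_subid(contents, user):
    """(start, count) ranges that /etc/subuid or /etc/subgid grant to user."""
    rows = (l.split(":") for l in contents.splitlines() if l.strip() and not l.startswith("#"))
    return [(int(s), int(c)) for owner, s, c in rows if owner == user]


def disallowed_ranges(maps, allowed):
    """Host ranges newuidmap rejects: not fully inside one granted range (half-open)."""
    return [(hid, hid + n) for _cid, hid, n in maps
            if not any(s <= hid and hid + n <= s + c for s, c in allowed)]


def foreign_single_ids(allowed, real_id):
    """Count-1 grants that are not the user's own id (Serge's warning)."""
    return [s for s, c in allowed if c == 1 and s != real_id]


if __name__ == "__main__":
    umap = parse_id_map(ID_MAP_CONFIG, "u")
    print("before:", disallowed_ranges(umap, parse_subid(SUBUID_BEFORE, "chris")))
    print("after: ", disallowed_ranges(umap, parse_subid(SUBUID_AFTER, "chris")))
```

Run the same check with the `g` maps against /etc/subgid; the two files are consulted independently.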