[lxc-users] uid range not allowed

Chris Willing cwillling at users.sourceforge.net
Sat Jul 23 07:08:53 UTC 2016


I'm following the guide to run X apps in a container at:
      https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running 
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is 
needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it just 
says the same thing.

I'm using:
    lxc-2.0.1
    cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris

-------------- next part --------------
# Template used to create this container: /usr/share/lxc/templates/lxc-spbuilder-1402
# Parameters passed to the template: -a x86_64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:d9:8e:4a
lxc.rootfs = /home/chris/.local/share/lxc/x11-test-x86_64/rootfs
lxc.rootfs.backend = dir

lxc.utsname = x11-test-x86_64

lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file

#lxc.hook.pre-start = /home/chris/.local/share/lxc/precise-gui/setup-pulse.sh

lxc.mount.entry = /scratch/PKG/SBo/slackbuilds mnt/slackbuilds none bind,ro,create=dir 0 0
#lxc.mount.entry = /var/cache/spbuilder var/cache/spbuilder none bind,create=dir 0 0
lxc.mount.auto = proc:mixed sys:ro cgroup

lxc.tty = 4
lxc.pts = 1024

lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap

# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536

lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
#lxc.id_map = u 1000 1000 1
#lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
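An added example to go with the mapping and the error above; it is not part of the original post and not LXC or shadow code. It reproduces the check newuidmap/newgidmap apply before writing /proc/PID/{uid,gid}_map: every host-side range in a mapping must lie entirely inside one of the calling user's ranges from /etc/subuid (/etc/subgid). The config text is the six lxc.id_map lines from the post; the two subuid/subgid contents are constructed, one with only the usual 65536-id block and one that also grants the user's own id 1000, and the user name chris is taken from the post. It also shows where each container id lands on the host under the three-way mapping.

```python
"""Validate lxc.id_map lines against /etc/subuid and /etc/subgid contents.

Added example, not LXC code. newuidmap/newgidmap refuse a host-side range
unless it is fully contained in one of the user's subordinate ranges; the
error text mirrors the message they print.
"""
import re

IDMAP_RE = re.compile(
    r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Constructed sample: the six mapping lines from the post.
SAMPLE_CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""

# Constructed subuid/subgid contents (the same text is used for both files):
# only the usual 65536-id block, then with the user's own id granted as well.
SUBID_WITHOUT_SELF = "chris:100000:65536\n"
SUBID_WITH_SELF = "chris:100000:65536\nchris:1000:1\n"


def parse_idmap(config_text):
    """(kind, container_start, host_start, count) for each live lxc.id_map line."""
    maps = []
    for line in config_text.splitlines():
        m = IDMAP_RE.match(line)
        if m:  # commented-out lines never match: '#' precedes 'lxc.'
            kind, c, h, n = m.groups()
            maps.append((kind, int(c), int(h), int(n)))
    return maps


def parse_subid(subid_text, user):
    """(start, count) ranges granted to `user` in user:start:count format."""
    ranges = []
    for line in subid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def to_host(maps, kind, container_id):
    """Host id that `container_id` maps to, or None if no range covers it."""
    for k, c, h, n in maps:
        if k == kind and c <= container_id < c + n:
            return h + (container_id - c)
    return None


def disallowed(maps, subuid_ranges, subgid_ranges):
    """Mappings newuidmap/newgidmap would refuse, in the wording of their error."""
    bad = []
    for kind, c, h, n in maps:
        granted = subuid_ranges if kind == "u" else subgid_ranges
        # Allowed only if the whole host range [h, h+n) sits inside one granted range.
        if not any(s <= h and h + n <= s + cnt for s, cnt in granted):
            bad.append("%sid range [%d-%d) -> [%d-%d) not allowed"
                       % (kind, c, c + n, h, h + n))
    return bad


def check_config(config_text, subuid_text, subgid_text, user):
    """List of refused mappings for `user`; an empty list means lxc-start's
    id-map setup would pass the subordinate-id check."""
    maps = parse_idmap(config_text)
    return disallowed(maps, parse_subid(subuid_text, user),
                      parse_subid(subgid_text, user))


if __name__ == "__main__":
    for label, subid in (("without own id", SUBID_WITHOUT_SELF),
                         ("with own id", SUBID_WITH_SELF)):
        print(label + ": " + str(check_config(SAMPLE_CONFIG, subid, subid, "chris") or "ok"))
    maps = parse_idmap(SAMPLE_CONFIG)
    for cid in (0, 999, 1000, 1001, 65535, 65536):
        print("container uid %d -> host %s" % (cid, to_host(maps, "u", cid)))
```

To run it against a real host, pass the contents of the container's config and of /etc/subuid and /etc/subgid in place of the constructed strings. A non-empty result names the range to add to both files; shadow's usermod --add-subuids FIRST-LAST and --add-subgids FIRST-LAST add such an entry, and the second constructed sample shows the check passing once the user's own id is granted. The check only covers the subordinate-id rule; newuidmap must also be installed setuid root for an unprivileged user to call it at all.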

