[lxc-users] lxc-usernsexec not working any more (differently) in lxc2 when invoked as root user: better solutions?

Fiedler Roman Roman.Fiedler at ait.ac.at
Fri Jun 24 09:17:32 UTC 2016


Hello List,

With LXC1 on Trusty, the following sequence was used to fill an unprivileged
container as root, where only the configuration exists but no content. With
LXC2 on Xenial, this results in an error:

cd -- /var/lib/lxc/test/rootfs
lxc-usernsexec -m u:0:296608:65536 -m g:0:296608:65536 -- \
    tar --numeric-owner --exclude=./dev -xjf [somepath]/ubuntuxenial1604-i386.tar.bz2
newuidmap: uid range [0-65536) -> [296608-362144) not allowed
error mapping child

Deleting the file "/usr/bin/newuidmap" fixes the problem, but I guess that
is not the best idea :-)

The following command also works ...

bzip2 -cd < [somepath]/ubuntuxenial1604-i386.tar.bz2 | \
    PATH="" /usr/bin/lxc-usernsexec -m u:0:296608:65536 -m g:0:296608:65536 -- \
    /bin/tar --numeric-owner --exclude=./dev -x

... but maybe there is a smarter way to avoid that problem? Is there a way
to use "lxc-create" such that it does not touch any file-system property
(mode/owner/xattrs) nor any file content EXCEPT extracting a tar into the
prepared directory? Using PATH does not seem very sensible, as it could
provoke regressions: it relies on an undocumented internal function of
"lxc-usernsexec".

Kind regards,
Roman

PS: after UID mapping, the procedure should not attempt a chdir: when mapped
and not already inside, it will have no means to reach the container rootfs
location any more (as no other non-host-root process has).


DI Roman Fiedler
Scientist
Digital Safety & Security Department
Assistive Healthcare Information Technology

AIT Austrian Institute of Technology GmbH
Reininghausstraße 13/1 | 8020 Graz | Austria
T +43(0) 50550 2957 | M +43(0) 664 8561599 | F +43(0) 50550 2950
roman.fiedler at ait.ac.at | http://www.ait.ac.at/

FN: 115980 i HG Wien  |  UID: ATU14703506
http://www.ait.ac.at/Email-Disclaimer
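The refusal quoted in the post ("uid range [0-65536) -> [296608-362144) not allowed") is newuidmap's own message: when lxc-usernsexec finds newuidmap/newgidmap on PATH it delegates the mapping to them, and they accept a host-side range only if it lies inside one of the invoking user's entries in /etc/subuid (resp. /etc/subgid), root included. The script below is an added example, not code from the post or from LXC; it parses a constructed subuid-style file and reports whether a given "-m u:NSID:HOSTID:COUNT" mapping would pass that check, so the mismatch can be seen before anything is run as root. The file content, the function names and the helper `mapping_allowed` are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post or from LXC): check a
# lxc-usernsexec "-m kind:nsid:hostid:count" mapping against a subuid/subgid
# style file before invoking anything as root.

# subid_range_allowed USER START COUNT FILE
# Returns 0 if [START, START+COUNT) lies inside one of USER's ranges in FILE
# (lines of the form user:start:count, as in /etc/subuid and /etc/subgid).
subid_range_allowed() {
    user=$1 want_start=$2 want_count=$3 file=$4
    want_end=$((want_start + want_count))
    while IFS=: read -r name start count; do
        # skip blank lines, comments and entries belonging to other users
        case $name in ''|\#*) continue ;; esac
        [ "$name" = "$user" ] || continue
        [ "$want_start" -ge "$start" ] || continue
        [ "$want_end" -le $((start + count)) ] || continue
        return 0
    done < "$file"
    return 1
}

# mapping_allowed SPEC USER FILE
# SPEC uses the lxc-usernsexec form kind:nsid:hostid:count, e.g. u:0:296608:65536.
# Only the host-side interval [hostid, hostid+count) is subject to the check;
# the namespace-side id (nsid) is free.
mapping_allowed() {
    spec=$1 user=$2 file=$3
    old_ifs=$IFS
    IFS=:
    set -- $spec
    IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad mapping spec: $spec" >&2; return 2; }
    subid_range_allowed "$user" "$3" "$4" "$file"
}

# Constructed sample of /etc/subuid for this example (not the poster's file).
SAMPLE_SUBUID=$(mktemp)
trap 'rm -f "$SAMPLE_SUBUID"' EXIT
cat > "$SAMPLE_SUBUID" <<'EOF'
# user:first_host_id:count
root:100000:65536
ubuntu:165536:65536
EOF

# Usage: the mapping from the post, and one that fits the sample file.
for spec in u:0:296608:65536 u:0:100000:65536; do
    if mapping_allowed "$spec" root "$SAMPLE_SUBUID"; then
        echo "$spec: inside root's ranges in $SAMPLE_SUBUID, newuidmap would accept"
    else
        echo "$spec: outside root's ranges in $SAMPLE_SUBUID, newuidmap would refuse"
    fi
done
```

Run it against the real files (`mapping_allowed u:0:296608:65536 root /etc/subuid` and the matching `g:` spec against /etc/subgid) to see which of the two entries is missing; adding a `root:296608:65536` line to each is the documented way to let newuidmap/newgidmap accept the mapping, as opposed to hiding the binaries via PATH.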
