[lxc-users] Weird issue with high userID's

Stéphane Graber stgraber at ubuntu.com
Tue Nov 8 05:11:30 UTC 2016


On Tue, Nov 08, 2016 at 03:00:48AM +0000, Christian Tardif wrote:
> Hi,
> 
> I just faced a strange issue with LXD containers. I'm using them quite
> extensively, but never faced that before. Normally, the userIDs that are
> presented to the container (they're coming from SSSD with ActiveDirectory
> backend) are relatively low... 2000, 3000, that kind of ID's
> 
> Last Friday, at the office, I built two containers (Ubuntu 16.04, CentOS
> 7.1) with the same kind of configuration regarding authentication; SSSD. And
> I noticed that I wasn't able to log in via SSH. But one of my colleagues was
> able to. We re-checked the config, just to make sure (but at the same time,
> it was impossible for this config to fail, as it is presented to the servers
> via Puppet). So the same config, and on the same OS level as other installs
> (we have numerous Ubuntu 16.04 with the same config, but the first one on
> LXD containers).
> 
> We were trying to find out what piece was missing when we discovered that this
> is not just the logging that fails, but everything related to these high
> UserID's. They are coming from a calculation based on Windows SID's for the
> user, which gives a huge range of userID's, from a few thousands to tens, if
> not hundreds of thousands. So with my user, I can't set a permission with it,
> and I can't login. In fact, I don't exist with this user other than using
> "getent passwd", or "id".
> 
> What can be the cause? Something to do with namespaces, maybe?  cgroups?
> 
> We're in the dark. And until we can solve this, LXD containers aren't that
> helpful to us, unfortunately.
> --------------------------------------------------------------------------------
> Christian Tardif

Hey there,

By default LXD uses a range of 65536 uid and gid as the user namespace
map for the containers.

This means that only uid 0 through 65536 exist in your container,
anything outside of that will be treated as invalid by the kernel.


sssd and similar authentication mechanisms will typically use uids/gids
above that POSIX range and so require you to grow the default map size
in /etc/subuid and /etc/subgid.


On the systems I use with sssd I typically just bump the allocation for
lxd and root in /etc/subuid and /etc/subgid from 65536 to 1000000 which
takes care of that problem.


-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
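
The check implied by the reply above, as an added example that is not part of the original message: it compares the uids reported by `getent passwd` with the size of the root allocation in /etc/subuid. The file contents and account names are constructed samples, and the code assumes the container's map is one contiguous range starting at container id 0 with one range per user.

```python
# Added example, not from the original message. All sample data is constructed.
# Assumption: the container's map is one contiguous range starting at
# container id 0, so N allocated ids cover container ids 0..N-1.

SUBUID = "lxd:100000:65536\nroot:100000:65536\n"  # constructed /etc/subuid

# Constructed `getent passwd` output as seen inside the container.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:3000:3000:Alice:/home/alice:/bin/bash
bob:x:70000:70000:Bob:/home/bob:/bin/bash
carol:x:250000:250000:Carol:/home/carol:/bin/bash
"""


def _records(text):
    """Yield the colon-separated fields of each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            yield line.strip().split(":")


def allocation(subid_text, user):
    """Return (host_start, count) of the first range listed for `user`."""
    for name, start, count in _records(subid_text):
        if name == user:
            return int(start), int(count)
    raise LookupError(f"no allocation for {user!r}")


def unmapped_users(passwd_text, count):
    """Return {name: uid} for accounts whose uid is outside 0..count-1."""
    return {f[0]: int(f[2]) for f in _records(passwd_text) if int(f[2]) >= count}


def needed_count(passwd_text):
    """Smallest allocation size that covers every uid in the passwd data."""
    return max(int(f[2]) for f in _records(passwd_text)) + 1


if __name__ == "__main__":
    start, count = allocation(SUBUID, "root")
    print(f"root allocation: host ids {start}..{start + count - 1} ({count} ids)")
    for name, uid in unmapped_users(PASSWD, count).items():
        print(f"{name}: uid {uid} has no mapping in the container")
    print(f"allocation must hold at least {needed_count(PASSWD)} ids")
```

The same comparison applies to gids using /etc/subgid and `getent group`.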