[lxc-users] Weird issue with high userID's

Tardif, Christian christian.tardif at servinfo.ca
Tue Nov 8 15:35:54 UTC 2016


Again, you solved my problems  :-)

That did the job. I have been struggling with this problem over the 
weekend, without any path to this. I understand that this is a 
Linux-related "issue", and not at all directly related to LXD. I'll 
remember that!

On another idea...  do you have any plan to support IPVLAN directly in 
LXD? For our use case (we're deploying LXC containers inside OpenStack 
instances), the only viable way without too much hassle on the 
networking side is to use IPVLAN but, right now, this requires having 
pre-populated IPVLAN network devices outside of the LXD environment.

---
Christian Tardif

-------------------------

On 2016-11-08 00:11, Stéphane Graber wrote:
> On Tue, Nov 08, 2016 at 03:00:48AM +0000, Christian Tardif wrote:
>> Hi,
>> 
>> I just faced a strange issue with LXD containers. I'm using them quite
>> extensively, but never faced that before. Normally, the userIDs that are
>> presented to the container (they're coming from SSSD with ActiveDirectory
>> backend) are relatively low...   2000, 3000, that kind of ID's
>> 
>> Last Friday, at the office, I built two containers (Ubuntu 16.04, CentOS
>> 7.1) with the same kind of configuration regarding authentication; SSSD. And
>> I noticed that I wasn't able to log in via SSH. But one of my colleagues was
>> able to. We re-checked the config, just to make sure (but at the same time,
>> it was impossible for this config to fail, as it is presented to the servers
>> via Puppet. So the same config, and on the same OS level as other installs
>> (we have numerous Ubuntu 16.04 with the same config, but the first one on
>> LXD containers).
>> 
>> We were trying to find out what piece was missing when we discovered that this
>> is not just the logging that fails, but everything related to these high
>> UserID's. They are coming from a calculation based on Windows SID's for the
>> user, which gives a huge range of userID's, from a few thousands to tens, if
>> not hundreds of thousands. So with my user, I can't set a permission with it,
>> and I can't login. In fact, I don't exist with this user other than using
>> "getent passwd", or "id".
>> 
>> What can be the cause? Something to do with namespaces, maybe? cgroups?
>> 
>> We're in the dark. And until we can solve this, LXD containers aren't that
>> helpful to us, unfortunately.
>> --------------------------------------------------------------------------------
>> Christian Tardif
> 
> Hey there,
> 
> By default LXD uses a range of 65536 uid and gid as the user namespace
> map for the containers.
> 
> This means that only uid 0 through 65536 exist in your container,
> anything outside of that will be treated as invalid by the kernel.
> 
> 
> sssd and similar authentication mechanisms will typically use uids/gids
> above that POSIX range and so require you to grow the default map size
> in /etc/subuid and /etc/subgid.
> 
> 
> On the systems I use with sssd I typically just bump the allocation for
> lxd and root in /etc/subuid and /etc/subgid from 65536 to 1000000 which
> takes care of that problem.
> 
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
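
The uid-range limit discussed in the reply above, as an added example that is not part of the original thread: it parses `/etc/subuid`-style content and reports which directory uids would fall outside a container's user-namespace map. The function names and sample data are constructed for illustration, and it assumes the container maps its uid 0 onto the start of the range delegated to root.

```python
# Constructed sample in /etc/subuid format (name:first_host_id:count).
SAMPLE_SUBUID = """\
# constructed sample, not taken from a real host
lxd:100000:65536
root:100000:65536
alice:165536:65536
broken-line-without-fields
"""


def parse_subid(text):
    """Return {owner: [(start, count), ...]} from subuid/subgid content."""
    ranges = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3 or not (parts[1].isdecimal() and parts[2].isdecimal()):
            continue  # skip malformed entries rather than guessing
        ranges.setdefault(parts[0], []).append((int(parts[1]), int(parts[2])))
    return ranges


def map_size(ranges, owner="root"):
    """Size of the largest range delegated to owner (0 if none).

    Assumption: the container maps its uid 0 onto the start of that range,
    so container ids 0 .. size-1 exist and everything above is unmapped.
    """
    return max((count for _, count in ranges.get(owner, [])), default=0)


def unmapped(uids, size):
    """UIDs that would fall outside a map of the given size."""
    return sorted(u for u in uids if not 0 <= u < size)


def host_uid(container_uid, start, size):
    """Host-side uid for a container uid, or None when it is unmapped."""
    return start + container_uid if 0 <= container_uid < size else None


if __name__ == "__main__":
    size = map_size(parse_subid(SAMPLE_SUBUID))
    directory_uids = [2000, 3000, 65535, 65536, 214738]  # constructed
    print("map size:", size)
    print("unmapped:", unmapped(directory_uids, size))
```

Run against the real `/etc/subuid` and `/etc/subgid` on the host, with the uid and gid values returned by `getent passwd` inside the container, to confirm the allocation covers every directory account before and after raising it.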

