[lxc-users] Weird issue with high user IDs

Stéphane Graber stgraber at ubuntu.com
Tue Nov 8 17:13:44 UTC 2016


So I had a branch to add ipvlan a while back, it's not exactly hard but
it was a bit weird given that LXD doesn't do L3 configuration of network
devices and an IPVLAN device that's not configured before it's passed to
the container didn't seem very useful.

We were also a bit concerned about potential confusion with macvlan as
they both behave very similarly, except for the fact that you don't get
to configure L2 on an IPVLAN. That point also raised another problem,
which is that LXD usually expects to be able to set and track the mac
address, which isn't really a thing with ipvlan.

On Tue, Nov 08, 2016 at 10:35:54AM -0500, Tardif, Christian wrote:
> Again, you solved my problems  :-)
> 
> That did the job. I have been struggling with this problem over the weekend,
> without any path to this. I understand that this is a Linux-related "issue",
> and not at all directly related to LXD. I'll remember that!
> 
> On another idea...  do you have any plan to support IPVLAN directly in LXD?
> For our use case (we're deploying LXC containers inside OpenStack
> instances), the only viable way without too much hassle on the networking
> side is to use IPVLAN but, right now, this requires having pre-populated
> IPVLAN network devices outside of the LXD environment.
> 
> ---
> Christian Tardif
> 
> -------------------------
> 
> On 2016-11-08 00:11, Stéphane Graber wrote:
> > On Tue, Nov 08, 2016 at 03:00:48AM +0000, Christian Tardif wrote:
> > > Hi,
> > > 
> > > I just faced a strange issue with LXD containers. I'm using them quite
> > > extensively, but never faced that before. Normally, the user IDs that are
> > > presented to the container (they're coming from SSSD with an Active
> > > Directory backend) are relatively low: 2000, 3000, that kind of IDs.
> > > 
> > > Last Friday, at the office, I built two containers (Ubuntu 16.04, CentOS
> > > 7.1) with the same kind of configuration regarding authentication: SSSD.
> > > And I noticed that I wasn't able to log in via SSH, but one of my
> > > colleagues was able to. We re-checked the config, just to make sure (but
> > > at the same time, it was impossible for this config to fail, as it is
> > > presented to the servers via Puppet; so the same config, and on the same
> > > OS level as other installs (we have numerous Ubuntu 16.04 with the same
> > > config, but the first one on LXD containers)).
> > > 
> > > We were trying to find out what piece was missing when we discovered
> > > that it is not just the login that fails, but everything related to
> > > these high user IDs. They are coming from a calculation based on Windows
> > > SIDs for the user, which gives a huge range of user IDs, from a few
> > > thousand to tens, if not hundreds of thousands. So with my user, I can't
> > > set a permission with it, and I can't log in. In fact, I don't exist
> > > with this user other than using "getent passwd" or "id".
> > > 
> > > What can be the cause? Something to do with namespaces, maybe? cgroups?
> > > 
> > > We're in the dark. And until we can solve this, LXD containers aren't
> > > that helpful to us, unfortunately.
> > > --------------------------------------------------------------------------------
> > > Christian Tardif
> > 
> > Hey there,
> > 
> > By default LXD uses a range of 65536 uid and gid as the user namespace
> > map for the containers.
> > 
> > This means that only uid 0 through 65536 exist in your container,
> > anything outside of that will be treated as invalid by the kernel.
> > 
> > 
> > sssd and similar authentication mechanisms will typically use uids/gids
> > above that POSIX range and so require you to grow the default map size
> > in /etc/subuid and /etc/subgid.
> > 
> > 
> > On the systems I use with sssd I typically just bump the allocation for
> > lxd and root in /etc/subuid and /etc/subgid from 65536 to 1000000 which
> > takes care of that problem.
> > 
> > 
> > _______________________________________________
> > lxc-users mailing list
> > lxc-users at lists.linuxcontainers.org
> > http://lists.linuxcontainers.org/listinfo/lxc-users

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
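The check behind the fix described in this thread, as an added example (not code from the thread or from LXD): LXD builds the container's user namespace from the subordinate-id ranges that /etc/subuid and /etc/subgid grant to "lxd" and "root" (one "user:start:count" line each), and inside the container /proc/self/uid_map shows the result as "<inside> <outside> <count>" lines. Container uid i is usable only when i is below the total count, so the largest uid SSSD hands out must be smaller than the granted range. The script below sums a user's ranges, finds the largest uid in passwd-style output such as "getent passwd", and reports whether the two are compatible. The /etc/subuid and passwd contents it runs against are constructed samples, and the 256742 uid is an assumed SSSD-style value.

```shell
#!/bin/sh
# Added example: size-check a container's uid/gid map against the uids that
# SSSD hands out.  Not part of the mailing-list thread; all file contents
# below are constructed samples.

# Total number of ids /etc/subuid (or /etc/subgid) grants to a user.
# $1 = user name, $2 = path to the subuid/subgid file ("user:start:count")
subid_range_size() {
    awk -F: -v u="$1" '$1 == u { total += $3 } END { print total + 0 }' "$2"
}

# Largest uid in passwd-style output ("name:x:uid:gid:..." lines, as
# printed by "getent passwd"), read from stdin.
max_uid_in_passwd() {
    awk -F: 'BEGIN { max = 0 } NF >= 3 && $3 > max { max = $3 } END { print max + 0 }'
}

# Return 0 if uid $1 is covered by the uid_map lines read from stdin
# (the /proc/<pid>/uid_map format "<inside> <outside> <count>"), else 1.
# A uid outside every range is "invalid" to the kernel: no login, no chown.
uid_is_mapped() {
    _uid="$1"
    while read -r inside outside count; do
        [ -n "$inside" ] || continue
        if [ "$_uid" -ge "$inside" ] && [ "$_uid" -lt $((inside + count)) ]; then
            return 0
        fi
    done
    return 1
}

# Return 0 if every uid in the passwd listing on stdin fits into the range
# that user $1 gets from subuid file $2.  LXD maps container uid i to host
# uid start+i for 0 <= i < count, so the test is max_uid < total count.
passwd_fits_subid_range() {
    _max=$(max_uid_in_passwd)
    _size=$(subid_range_size "$1" "$2")
    [ "$_max" -lt "$_size" ]
}

main() {
    tmp=$(mktemp -d)
    # Constructed: the stock 65536-id allocation and the enlarged 1000000-id one.
    printf 'root:100000:65536\nlxd:165536:65536\n' > "$tmp/subuid.default"
    printf 'root:100000:1000000\nlxd:1100000:1000000\n' > "$tmp/subuid.enlarged"
    # Constructed: what "getent passwd" might return with SSSD-derived uids.
    passwd='root:x:0:0:root:/root:/bin/bash
alice:x:2000:2000::/home/alice:/bin/bash
bob:x:256742:256742::/home/bob:/bin/bash'

    for f in subuid.default subuid.enlarged; do
        size=$(subid_range_size lxd "$tmp/$f")
        max=$(printf '%s\n' "$passwd" | max_uid_in_passwd)
        if printf '%s\n' "$passwd" | passwd_fits_subid_range lxd "$tmp/$f"; then
            echo "$f: range of $size ids covers the largest uid ($max)"
        else
            echo "$f: range of $size ids is too small; uid $max needs at least $((max + 1))"
        fi
    done
    rm -rf "$tmp"
}

main
```

Run it as-is for the constructed demo, or point subid_range_size at the real /etc/subuid and pipe "getent passwd" into passwd_fits_subid_range on a host to get the same verdict for your own directory. Note that LXD reads /etc/subuid and /etc/subgid when the daemon starts, and a container picks up the enlarged map (and has its rootfs remapped) on its next start, so check /proc/self/uid_map from inside the container afterwards to confirm the new count.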