[lxc-users] UID/GID namespacing and FreeIPA

Brian Candler b.candler at pobox.com
Fri Oct 14 13:10:44 UTC 2016


On 14/10/2016 12:34, Brian Candler wrote:
>
> [root at test ~]# su - admin
> *su: cannot set groups: Invalid argument*
>
> So I'm wondering about the best way to deal with this.
>
> (1) I can try to configure FreeIPA to allocate uids in the "low" 
> range, say 2000+.
>
> (2) I can try to do get lxd to map a larger range, for example map 
> 1134400000 upwards to 2134400000 on the host. But are there problems 
> in that approach? Is there a reason why the default lxd config only 
> maps 64K worth of uids?
>
or option (3): just run all containers in privileged mode. This "just 
works".

[root at test ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root at test ~]# su - admin
su: warning: cannot change directory to /home/admin: No such file or 
directory
-bash-4.2$ id
uid=1134400000(admin) gid=1134400000(admins) groups=1134400000(admins)


Question 1: does security.privileged only affect whether uid mapping is 
done, or are there other rights it gives to the container? I have tried 
googling for this, but I haven't been able to find out *exactly* what 
security.privileged changes.

Question 2: it seems the uids get fixed automatically. Is lxd simply 
chown'ing all the files recursively, or is there some mapping option set 
at mount time, or something else?

$ lxc stop test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
$ lxc config set test security.privileged true
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
$ lxc start test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 root root   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 root root   3 Oct 14 11:35 boot
$

Thanks,

Brian.
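The mapping arithmetic behind the "cannot set groups: Invalid argument" failure above, as an added example that is not part of the original post or of LXD's code. It assumes idmap entries in the lxc.idmap-style form `u|g <container_start> <host_start> <count>`; the default 64K map mirrors the 100000-owned files shown in the listing, while the extended map (the 2134400000 host start and the 200000 count) is a constructed value for option (2). An id that falls outside every entry has no host representation, which is why the kernel rejects setgroups()/setuid() for it in an unprivileged container.

```shell
#!/bin/sh
# Added example, not from the original post: simulate how a user-namespace
# idmap decides whether a container-side uid/gid can be represented on the host.

# Default-style map: 64K ids, container 0..65535 -> host 100000..165535
DEFAULT_IDMAP="u 0 100000 65536
g 0 100000 65536"

# Hypothetical extended map (constructed) that also covers the FreeIPA range
# starting at 1134400000, mapped onto host ids starting at 2134400000.
EXTENDED_IDMAP="u 0 100000 65536
g 0 100000 65536
u 1134400000 2134400000 200000
g 1134400000 2134400000 200000"

# map_id KIND CONTAINER_ID IDMAP
# Prints the host id and returns 0 when CONTAINER_ID lies inside an entry of
# kind KIND (u or g); prints nothing and returns 1 when it is unmapped.
map_id() {
    kind=$1; cid=$2; idmap=$3
    result=$(printf '%s\n' "$idmap" | while read -r k cstart hstart count; do
        [ "$k" = "$kind" ] || continue
        if [ "$cid" -ge "$cstart" ] && [ "$cid" -lt $((cstart + count)) ]; then
            echo $((hstart + cid - cstart))
            break
        fi
    done)
    [ -n "$result" ] || return 1
    echo "$result"
}

# check_account NAME UID GID IDMAP
# Returns 0 when both the uid and the primary gid are representable on the
# host, 1 otherwise. Run this against a directory account (e.g. from FreeIPA)
# before relying on it inside an unprivileged container: an unmapped gid is
# exactly what makes su's setgroups() call fail with EINVAL.
check_account() {
    name=$1; uid=$2; gid=$3; idmap=$4
    huid=$(map_id u "$uid" "$idmap") || {
        echo "$name: uid $uid is outside the container idmap"
        return 1
    }
    hgid=$(map_id g "$gid" "$idmap") || {
        echo "$name: gid $gid is outside the container idmap"
        return 1
    }
    echo "$name: uid $uid -> host $huid, gid $gid -> host $hgid"
}

# Demo: the admin account from the post under both maps (exit status ignored)
if ! check_account admin 1134400000 1134400000 "$DEFAULT_IDMAP"; then :; fi
if ! check_account admin 1134400000 1134400000 "$EXTENDED_IDMAP"; then :; fi
```

Feeding a container's actual map (the `lxc.idmap` lines LXD generates for it) and the uid/gid ranges FreeIPA allocates into `check_account` gives a quick answer to whether option (1) or option (2) is needed before switching a container to privileged mode.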