[lxc-users] UID/GID namespacing and FreeIPA
Brian Candler
b.candler at pobox.com
Fri Oct 14 13:10:44 UTC 2016
On 14/10/2016 12:34, Brian Candler wrote:
>
> [root at test ~]# su - admin
> *su: cannot set groups: Invalid argument*
>
> So I'm wondering about the best way to deal with this.
>
> (1) I can try to configure FreeIPA to allocate uids in the "low"
> range, say 2000+.
>
> (2) I can try to do get lxd to map a larger range, for example map
> 1134400000 upwards to 2134400000 on the host. But are there problems
> in that approach? Is there a reason why the default lxd config only
> maps 64K worth of uids?
>
or option (3): just run all containers in privileged mode. This "just
works".
[root at test ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root at test ~]# su - admin
su: warning: cannot change directory to /home/admin: No such file or
directory
-bash-4.2$ id
uid=1134400000(admin) gid=1134400000(admins) groups=1134400000(admins)
Question 1: does security.privileged only affect whether uid mapping is
done, or are there other rights it gives to the container? I have tried
googling for this, but I haven't been able to find out *exactly* what
security.privileged changes.
Question 2: it seems the uids get fixed automatically. Is lxd simply
chown'ing all the files recursively, or is there some mapping option set
at mount time, or something else?
$ lxc stop test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx 1 100000 100000 7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x 3 100000 100000 3 Oct 14 11:35 boot
$ lxc config set test security.privileged true
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx 1 100000 100000 7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x 3 100000 100000 3 Oct 14 11:35 boot
$ lxc start test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx 1 root root 7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x 3 root root 3 Oct 14 11:35 boot
$
Thanks,
Brian.
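As an added illustration (not part of Brian's message or of LXD itself): the kernel's uid_map/gid_map format, "<ns_start> <host_start> <length>" per line, is what decides whether an id such as 1134400000 exists inside an unprivileged container. The script below parses such a map, reports which ids are unmapped (an unmapped gid is exactly what makes setgroups() fail with EINVAL, the "Invalid argument" seen above), and checks whether the map fits the host's subordinate id allocation. The sample maps and the subuid allocation are constructed values, not taken from a real host.

```python
# Added example: check which ids a user-namespace id map can represent.
# Map format is the kernel's /proc/<pid>/uid_map (same for gid_map):
#   <ns_start> <host_start> <length>

# Constructed sample: the default LXD unprivileged map (container 0..65535
# becomes host 100000..165535, which is why the rootfs shows 100000 above).
DEFAULT_LXD_MAP = "0 100000 65536\n"
# Constructed sample for option (2) in the thread: add a second range so
# FreeIPA ids from 1134400000 upward are mapped (identity-mapped here).
WIDE_MAP = "0 100000 65536\n1134400000 1134400000 1000000000\n"
# Constructed sample /etc/subuid allocation for the host's lxd user.
SUBUID_START, SUBUID_COUNT = 100000, 65536


def parse_id_map(text):
    """Parse uid_map/gid_map text into (ns_start, host_start, length) triples."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        ns_start, host_start, length = (int(p) for p in parts)
        if length <= 0:
            raise ValueError(f"non-positive length in map line: {line!r}")
        ranges.append((ns_start, host_start, length))
    return ranges


def ns_to_host(ranges, ns_id):
    """Host id for a namespace id, or None if unmapped. Unmapped ids show up
    as the overflow id (65534, 'nobody') and cannot be set with setgid()/
    setgroups(), which then fail with EINVAL."""
    for ns_start, host_start, length in ranges:
        if ns_start <= ns_id < ns_start + length:
            return host_start + (ns_id - ns_start)
    return None


def unmapped_ids(ranges, ids):
    """The ids (e.g. a user's uid plus all its gids) that the map cannot represent."""
    return sorted(i for i in ids if ns_to_host(ranges, i) is None)


def fits_subid(ranges, sub_start, sub_count):
    """True if every host-side range lies inside the host's subordinate id allocation;
    a map outside it is rejected when the namespace is set up."""
    sub_end = sub_start + sub_count
    return all(sub_start <= h and h + n <= sub_end for _, h, n in ranges)
```

Running `unmapped_ids` over a FreeIPA user's uid and group list before starting the container tells you whether `su` will hit the error above, and `fits_subid` tells you whether a wider map such as option (2) needs a larger /etc/subuid and /etc/subgid entry first.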