[lxc-users] UID/GID namespacing and FreeIPA

Serge E. Hallyn serge at hallyn.com
Fri Oct 14 15:08:19 UTC 2016


On Fri, Oct 14, 2016 at 02:10:44PM +0100, Brian Candler wrote:
> On 14/10/2016 12:34, Brian Candler wrote:
> >
> >[root at test ~]# su - admin
> >*su: cannot set groups: Invalid argument*
> >
> >So I'm wondering about the best way to deal with this.
> >
> >(1) I can try to configure FreeIPA to allocate uids in the "low"
> >range, say 2000+.
> >
> >(2) I can try to get lxd to map a larger range, for example map
> >1134400000 upwards to 2134400000 on the host. But are there
> >problems in that approach? Is there a reason why the default lxd
> >config only maps 64K worth of uids?
> >
> or option (3): just run all containers in privileged mode. This
> "just works".
> 
> [root at test ~]# id
> uid=0(root) gid=0(root) groups=0(root)
> [root at test ~]# su - admin
> su: warning: cannot change directory to /home/admin: No such file or
> directory
> -bash-4.2$ id
> uid=1134400000(admin) gid=1134400000(admins) groups=1134400000(admins)
> 
> 
> Question 1: does security.privileged only affect whether uid mapping
> is done, or are there other rights it gives to the container? I have
> tried googling for this, but I haven't been able to find out
> *exactly* what security.privileged changes.

It leaves the container in the initial user namespace, allowing root in
the container to have its capabilities apply to host resources.  For
instance allowing it to set file capabilities which will be respected
on the host system (allowing an unprivileged user outside the container
with access to such files to gain host root privs).

> Question 2: it seems the uids get fixed automatically. Is lxd simply
> chown'ing all the files recursively,

At container creation, yes.  While the container runs, the kernel
does the mapping automatically based on the user namespace mapping
at syscall boundary.

> or is there some mapping option
> set at mount time, or something else?
> 
> $ lxc stop test
> $ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
> total 74
> lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
> dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
> $ lxc config set test security.privileged true
> $ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
> total 74
> lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
> dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
> $ lxc start test
> $ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
> total 74
> lrwxrwxrwx  1 root root   7 Oct 14 03:20 bin -> usr/bin
> dr-xr-xr-x  3 root root   3 Oct 14 11:35 boot
> $
> 
> Thanks,
> 
> Brian.

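The mapping Serge describes (the kernel translating ids at the syscall boundary from a per-namespace table) is easy to check offline. The following is an added example, not code from the thread or from LXD: it parses a table in the kernel's /proc/<pid>/uid_map format ("inside outside count", which differs from LXD's raw.idmap syntax), translates ids in both directions the way the kernel does, reports what an unmapped host owner looks like from inside (the overflow id, 65534), and walks a FreeIPA-style uid range to find the first id the map does not cover. The two maps at the bottom are constructed to match the thread: LXD's default 64K map and Brian's option (2), the FreeIPA range mapped 1:1.

```python
from dataclasses import dataclass
from typing import List, Optional

# Kernel default for /proc/sys/kernel/overflowuid: ids with no mapping in the
# namespace appear as this value ("nobody") from inside the container.
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdMapEntry:
    inside_start: int   # first id as seen inside the container
    outside_start: int  # first id as seen on the host
    count: int          # number of ids in this extent


def parse_idmap(text: str) -> List[IdMapEntry]:
    """Parse /proc/<pid>/uid_map-style lines: '<inside> <outside> <count>'."""
    entries: List[IdMapEntry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields in idmap line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or inside < 0 or outside < 0:
            raise ValueError(f"invalid idmap line: {line!r}")
        entries.append(IdMapEntry(inside, outside, count))
    _reject_overlaps(entries)
    return entries


def _reject_overlaps(entries: List[IdMapEntry]) -> None:
    """The kernel refuses uid_map writes whose extents overlap (EINVAL);
    mirror that here so a bad map is caught before it reaches the container."""
    for side in ("inside_start", "outside_start"):
        spans = sorted((getattr(e, side), getattr(e, side) + e.count) for e in entries)
        for (a_lo, a_hi), (b_lo, _) in zip(spans, spans[1:]):
            if b_lo < a_hi:
                raise ValueError(f"overlapping {side} extents: {a_lo}-{a_hi - 1} and {b_lo}")


def to_host(entries: List[IdMapEntry], container_id: int) -> Optional[int]:
    """Container id -> host id, or None if the id is unmapped (the case that
    makes chown/setgroups fail with EINVAL inside the container)."""
    for e in entries:
        if e.inside_start <= container_id < e.inside_start + e.count:
            return e.outside_start + (container_id - e.inside_start)
    return None


def to_container(entries: List[IdMapEntry], host_id: int) -> Optional[int]:
    """Host id -> container id, or None if the host id is not mapped in."""
    for e in entries:
        if e.outside_start <= host_id < e.outside_start + e.count:
            return e.inside_start + (host_id - e.outside_start)
    return None


def seen_from_inside(entries: List[IdMapEntry], host_id: int) -> int:
    """What `ls -l` inside the container shows for a host-owned file."""
    mapped = to_container(entries, host_id)
    return OVERFLOW_ID if mapped is None else mapped


def first_unmapped(entries: List[IdMapEntry], low: int, high: int) -> Optional[int]:
    """First id in [low, high] with no mapping, or None if the range is fully
    covered.  Walks extent boundaries rather than every id, so checking a
    billion-wide directory range is cheap."""
    cur = low
    while cur <= high:
        hit = next((e for e in entries
                    if e.inside_start <= cur < e.inside_start + e.count), None)
        if hit is None:
            return cur
        cur = hit.inside_start + hit.count
    return None


# Constructed maps matching the thread: LXD's default 64K map, and one widened
# so the FreeIPA range 1134400000..2134399999 is mapped 1:1 on the host.
DEFAULT_MAP = parse_idmap("0 100000 65536")
WIDE_MAP = parse_idmap("0 100000 65536\n1134400000 1134400000 1000000000")

if __name__ == "__main__":
    ipa_admin = 1134400000
    print("default map, admin ->", to_host(DEFAULT_MAP, ipa_admin))   # None
    print("wide map,    admin ->", to_host(WIDE_MAP, ipa_admin))      # 1134400000
    print("first unmapped IPA id under default map:",
          first_unmapped(DEFAULT_MAP, ipa_admin, ipa_admin + 9999))
```

Run against the directory's actual uid and gid ranges before deciding between options (1) and (2): `first_unmapped` returning a value is exactly the condition under which `su` reports "cannot set groups: Invalid argument". The same check also makes the cost of option (2) visible: every id the widened map covers is a host id reserved for that container, so the host's subuid allocation has to be large enough to hold it.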
