[lxc-users] Container fails to start with 'uid range not allowed'

Serge E. Hallyn serge at hallyn.com
Sun Jan 29 20:30:00 UTC 2017


Quoting Sean Templeton (seantempleton at outlook.com):
> I have been trying to create an unprivileged container for the past couple days with no success. After having read the entire Internet, I'm about to give up and just create a privileged container. But maybe you all can figure out what I am doing wrong.
> 
> I created a user 'zrw' on the host and am trying to map the uid and guid from the container to this user. I have created the container but have otherwise not touched it. My end goal is to install Samba in the container and mount a directory on the host to share out.
> 
> When I create the user, /etc/subuid and /etc/subgid automatically have the following added:
> root at server:/# cat /etc/sub* | grep zrw
> zrw:689824:65536
> zrw:689824:65536
> 
> but "id -u zrw" and "id -g zrw" both return 1000. Why would 689824 automatically be put in the /etc/sub* files? From all of my reading I thought the uid and guid in the /etc/sub* files should be the same as the user and group ids?
> I changed the subuid and subgid files to
> zrw:689824:65536
> zrw:1000:1

No, subuid and subgid are specifically to delegate new subids to you.  You can
always, as uid 1000, map hostuid 1000 to any id in a new user namespace.  The
/etc/subuid and /etc/subgid entries allow you to also map other ids into a new
user namespace.
 
> I then put this mapping in the container's .conf file (along with many other different variations, like id_map = u 0 689824 65536)
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 100000 64535
> lxc.id_map = g 1001 100000 64535

If you really need files which you own on the host as uid 1000 to be shared
with the container, and owned by the container, then the easiest way, keeping
the original subuid and subgid entries of

 zrw:689824:65536
 zrw:689824:65536

would be to use:

lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.id_map = u 100000 1000 1
lxc.id_map = g 100000 1000 1

Then any files owned by 1000 on the host will, in the container, appear
to belong to uid 100000.  You can add /etc/passwd and /etc/group entries
to give them a normal looking name.

The danger in this is that the container will then have privilege over any
files which your host user owns.

-serge
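The mapping rules in the reply above are easy to get wrong by hand, so the following is an added worked example (not LXC code and not part of Serge's or Sean's messages) that models them in Python. It parses the `/etc/subuid` line and the two `lxc.id_map` sets from the thread, applies a simplified version of the unprivileged id-map check (a single mapping of the caller's own uid is always permitted; every other range must fall entirely inside a range delegated to that user in `/etc/subuid`, and host ranges must not overlap), and translates ids in both directions. The `lxc.id_map` key is the LXC 2.x spelling used in the thread (LXC 3.0 renamed it to `lxc.idmap`); the 65534 overflow id is the kernel's default `overflowuid`, which is what an unmapped host id shows up as inside the namespace.

```python
"""Model of the unprivileged id-map check plus host<->container id translation.

Added example, not LXC or shadow code.  The acceptance rule is a simplified
model of what the kernel and newuidmap enforce, not a copy of either.
"""
from dataclasses import dataclass

OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid for unmapped ids

# Constructed copies of the lines quoted in the thread.
SUBUID_FILE = "zrw:689824:65536\n"

SERGE_CONF = """
lxc.id_map = u 0 689824 65536
lxc.id_map = g 0 689824 65536
lxc.id_map = u 100000 1000 1
lxc.id_map = g 100000 1000 1
""".strip().splitlines()

SEAN_CONF = """
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 100000 64535
lxc.id_map = g 1001 100000 64535
""".strip().splitlines()


@dataclass(frozen=True)
class IdMap:
    ns_start: int    # first id as seen inside the container
    host_start: int  # first id as seen on the host
    count: int       # length of the range


def parse_subid(text, user):
    """Return [(start, count), ...] delegated to `user` in an /etc/sub{u,g}id file."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def parse_lxc_id_map(lines):
    """Parse 'lxc.id_map = u <ns> <host> <count>' lines into {'u': [...], 'g': [...]}."""
    maps = {"u": [], "g": []}
    for line in lines:
        key, _, value = line.partition("=")
        if key.strip() != "lxc.id_map":
            continue
        kind, ns, host, count = value.split()
        maps[kind].append(IdMap(int(ns), int(host), int(count)))
    return maps


def range_allowed(m, caller_id, delegated):
    """Own uid as a single mapping is always fine; anything else needs a subid range."""
    if m.count == 1 and m.host_start == caller_id:
        return True
    end = m.host_start + m.count
    return any(start <= m.host_start and end <= start + count
               for start, count in delegated)


def check_maps(maps, caller_id, delegated):
    """Return the IdMap entries that would be refused ('uid range not allowed')."""
    return [m for m in maps if not range_allowed(m, caller_id, delegated)]


def overlapping_host_ranges(maps):
    """Pairs of entries whose host ranges overlap; the kernel rejects such a map."""
    bad = []
    for i, a in enumerate(maps):
        for b in maps[i + 1:]:
            if a.host_start < b.host_start + b.count and b.host_start < a.host_start + a.count:
                bad.append((a, b))
    return bad


def host_to_ns(maps, host_id):
    """Host id -> id seen in the container (overflow id if unmapped)."""
    for m in maps:
        if m.host_start <= host_id < m.host_start + m.count:
            return m.ns_start + (host_id - m.host_start)
    return OVERFLOW_ID


def ns_to_host(maps, ns_id):
    """Container id -> host id, or None if the container id is not mapped."""
    for m in maps:
        if m.ns_start <= ns_id < m.ns_start + m.count:
            return m.host_start + (ns_id - m.ns_start)
    return None


if __name__ == "__main__":
    delegated = parse_subid(SUBUID_FILE, "zrw")
    serge = parse_lxc_id_map(SERGE_CONF)["u"]
    sean = parse_lxc_id_map(SEAN_CONF)["u"]
    print("refused in Serge's map:", check_maps(serge, 1000, delegated))
    print("refused in Sean's map:", check_maps(sean, 1000, delegated))
    print("overlaps in Sean's map:", overlapping_host_ranges(sean))
    print("host uid 1000 appears in the container as", host_to_ns(serge, 1000))
    print("container uid 100000 is host uid", ns_to_host(serge, 100000))
```

Running it shows why the original configuration failed: with only `zrw:689824:65536` delegated, the `u 0 100000 1000` and `u 1001 100000 64535` ranges are outside the delegated block (and overlap each other on the host side), while the single `u 1000 1000 1` entry is accepted on its own. With the map from the reply, every range is accepted, host uid 1000 shows up inside the container as 100000, and any other host id the container can see maps to the overflow id.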

