[lxc-users] snapshots of unprivileged containers belong to root

Jan Kowalsky jankow at datenkollektiv.net
Thu Jun 15 15:21:38 UTC 2017


Hi all,

after further investigation I realized that the difference was that the
second container, where it worked, had its rootfs as a btrfs subvol, but the
first one (copied from the original container) didn't.

Ok, this explains the different behaviour. And it gets even more
confusing: the container I snapshotted with

lxc-copy -n deb_template -N cont1 -s

does have the snapshotted root filesystem of the host machine - not of
the container. Probably because the original container doesn't have any
btrfs subvolume as root.

But this looks like a bug to me:

If I use
  lxc-copy -n cont1 -N cont2 -s
but cont1 doesn't include a btrfs subvolume as rootfs while
lxc.rootfs.backend is set to btrfs, it uses the next upper subvolume for
rootfs.

Ok. But why can a normal user achieve a new rootfs which belongs to root?

Regards
Jan

On 14.06.2017 at 15:44, Jan Kowalsky wrote:
> Hi,
> 
> I'm new on the list, so hello to all.
> 
> While experimenting with unprivileged containers (@stgraber: thanks for
> the excellent howtos) I discovered a phenomenon I can't explain to myself.
> 
> Debian Stretch
> lxc 2.0.7-2: amd64
> btrfs filesystem
> 
> I converted a container I bootstrapped as root from a debian stretch
> template to an unprivileged container for a user "lxcuser".
> 
> cp -a /var/lib/lxc/deb_template /home/lxcuser/.local/share/lxc/
> 
> After that I changed the uids of the new rootfs according to the subuids
> of lxcuser. After fixing file permissions and configuration everything
> works fine.
> 
> Now the interesting things:
> 
> while cloning the new container as the user lxcuser with
> 
> lxc-copy -n deb_template -N cont1
> 
> everything works as expected. The new rootfs of cont1 got the right uids.
> 
> But if I do the same as a snapshot
> 
> lxc-copy -n deb_template -N cont2 -s
> 
> I get the error
> 
> newgidmap: write to gid_map failed: Invalid argument
> error mapping child
> setgid: Invalid argument
> sed: couldn't open temporary file
> /home/lxcuser/.local/share/lxc/cont3/rootfs/etc/sed6iYKSh: Permission denied
> lxc-copy: lxccontainer.c: clone_update_rootfs: 3011 Permission denied -
> unable to open /usr/lib/x86_64-linux-gnu/lxc/rootfs/etc/hostname: ignoring
> 
> AND: all files in cont3/rootfs/ now belong to root!!
> 
> If I do the same with the first copied container (without snapshot)
> "cont1" again everything works fine except the following error:
> 
> 
> newgidmap: gid range [231072-231073) -> [462144-462145) not allowed
> error mapping child
> setgid: Invalid argument
> 
> Any ideas?
> 
> Best Regards
> Jan
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
> 
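The two symptoms in this thread (a rootfs whose files end up owned by host root, and newgidmap rejecting a gid range that is not in /etc/subgid) can both be checked against the user's subuid/subgid ranges. The following script is an added example and is not code from the list post or from LXC; it assumes the usual shadow-style `/etc/subuid` and `/etc/subgid` format (`user:start:count`), a single contiguous mapping with container id 0 at the start of the first range, and it scans with `lstat` so symlinks inside the rootfs are not followed. The sample subid line and rootfs entries at the bottom are constructed to mirror the post (range 231072:65536 for `lxcuser`, one file left behind as uid 0).

```python
"""Ownership check for an unprivileged LXC rootfs (added example, not code from
the list post or from LXC itself).

After files are shifted into lxcuser's subuid/subgid ranges, every uid and gid
under rootfs/ should fall inside those ranges; a root-owned file (uid 0) is the
symptom from the post.  The same ranges are what newuidmap/newgidmap check a
requested mapping against before writing uid_map/gid_map.
"""
import os
import sys
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple


@dataclass(frozen=True)
class IdRange:
    start: int
    count: int

    def contains(self, first: int, count: int = 1) -> bool:
        """True if [first, first+count) lies entirely inside this range."""
        return self.start <= first and first + count <= self.start + self.count


def parse_subid(text: str, user: str) -> List[IdRange]:
    """Parse /etc/subuid- or /etc/subgid-style lines ('user:start:count') for one user."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    return ranges


def mapping_allowed(ranges: List[IdRange], host_start: int, count: int) -> bool:
    """Whether the host-side id range [host_start, host_start+count) is covered
    by one allowed range; a range outside every entry is what produces
    'range ... not allowed' from newuidmap/newgidmap."""
    return any(r.contains(host_start, count) for r in ranges)


def to_host_id(container_id: int, ranges: List[IdRange]) -> int:
    """Host id a container id shifts to, assuming one contiguous mapping with
    container id 0 at the start of the first range (an assumption here)."""
    first = ranges[0]
    if not 0 <= container_id < first.count:
        raise ValueError(f"container id {container_id} outside the first range")
    return first.start + container_id


def find_unshifted(entries: Iterable[Tuple[str, int, int]],
                   uid_ranges: List[IdRange],
                   gid_ranges: List[IdRange]) -> List[str]:
    """Return paths whose uid or gid is not inside the allowed ranges."""
    bad = []
    for path, uid, gid in entries:
        if not (mapping_allowed(uid_ranges, uid, 1) and mapping_allowed(gid_ranges, gid, 1)):
            bad.append(path)
    return bad


def scan_rootfs(root: str) -> Iterator[Tuple[str, int, int]]:
    """Yield (relative path, uid, gid) for every entry below root, using lstat
    so a symlink pointing out of the rootfs is reported, not followed."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            yield os.path.relpath(full, root), st.st_uid, st.st_gid


# Constructed sample data: one subuid/subgid line and a few rootfs entries.
SAMPLE_SUBID = "# user:start:count\nlxcuser:231072:65536\n"
SAMPLE_ENTRIES = [
    ("etc/passwd", 231072, 231072),   # container root, shifted correctly
    ("var/www", 231105, 231105),      # container uid 33, shifted correctly
    ("etc/hostname", 0, 0),           # still owned by host root: the symptom
]


def check_sample() -> List[str]:
    """Run the ownership check over the constructed sample entries."""
    ranges = parse_subid(SAMPLE_SUBID, "lxcuser")
    return find_unshifted(SAMPLE_ENTRIES, ranges, ranges)


if __name__ == "__main__":
    # Usage: python check_rootfs.py <rootfs-dir> <user>; with no arguments the
    # constructed sample is checked instead of a real directory.
    if len(sys.argv) > 2:
        with open("/etc/subuid") as f:
            uid_ranges = parse_subid(f.read(), sys.argv[2])
        with open("/etc/subgid") as f:
            gid_ranges = parse_subid(f.read(), sys.argv[2])
        bad = find_unshifted(scan_rootfs(sys.argv[1]), uid_ranges, gid_ranges)
    else:
        bad = check_sample()
    for p in bad:
        print("not in subid ranges:", p)
    sys.exit(1 if bad else 0)
```

Run against a real container as the unprivileged user (for example `python check_rootfs.py ~/.local/share/lxc/cont2/rootfs lxcuser`): a non-empty report after an `lxc-copy -s` is the condition described in the post, and a requested mapping can be checked with `mapping_allowed` before handing it to newuidmap or newgidmap.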

