[lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??

Yasoda Padala padala.yasoda at gmail.com
Fri Aug 17 04:04:57 UTC 2018


Hi All,
I have created a non-root user on my Ubuntu (16.04) machine who creates
unprivileged LXC containers.
My user's uid/gid on the host is 1000,
and below are the entries in the /etc/subuid & /etc/subgid files:

/etc/subuid:
lxcuser:100000 65536

/etc/subgid:
lxcuser:100000:65536

My requirement is that for each LXC unprivileged container, I should be able to
pick a UID/GID range.
For instance, I have created two LXC containers, cont1 and cont2.
In the cont1 config, I have added the below id mappings:
lxc.id_map = u 0 100000 10
lxc.id_map = g 0 100000 10

and in the cont2 config file, I have added the below id mappings:
lxc.id_map = u 0 100020 10
lxc.id_map = g 0 100020 10

cont1 starts successfully, but cont2 gives the below error while starting
the container:

lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
lxc-start 20180817035100.984 ERROR    lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".
lxc-start 20180817035100.984 ERROR    lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
lxc-start 20180817035100.985 ERROR    lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
lxc-start 20180817035106.524 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20180817035106.525 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
lxc-start 20180817035106.525 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.



My understanding is that lxcuser, who has been assigned the id range
100000-165536, can assign distinct subuid/subgid ranges to each container
spawned by lxcuser.

Is my understanding correct? I am not finding any reference documents for
custom user mappings for LXC unprivileged containers.

Any help on this is highly appreciated.



Thanks & Regards,

Yasoda
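Editor's note with an added example (not part of the post above, and not LXC project code). An lxc.id_map line reads `<u|g> <container start id> <host start id> <count>`, so `u 0 100000 10` maps container UIDs 0-9 onto host UIDs 100000-100009; LXC 3 spells the key `lxc.idmap`, and the parser below accepts both. The script checks the things a host administrator would want verified before starting several unprivileged containers under one user: that every mapping's host-side range lies inside the user's /etc/subuid and /etc/subgid allocation, that ranges of different containers do not overlap, that a range is not so small that most container IDs end up unmapped, and that the host UID owning a container's rootfs equals the host UID its container root is mapped to (a rootfs created under one mapping cannot be accessed by root of a container mapped elsewhere). The file contents, container names and rootfs owners are constructed sample input modelled on the post; the `rootfs_owner` dictionary stands in for `os.stat(rootfs).st_uid` so the example runs offline.

```python
"""Consistency checks for per-container lxc.id_map ranges (added example)."""
import re
from collections import namedtuple

Range = namedtuple("Range", "start count")  # start id and number of ids


def parse_subid(text, user):
    """Return the ranges delegated to `user` in /etc/subuid or /etc/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")  # format: <user>:<start>:<count>
        if len(parts) == 3 and parts[0] == user:
            ranges.append(Range(int(parts[1]), int(parts[2])))
    return ranges


def parse_id_map(text):
    """Return {'u': [host-side Range, ...], 'g': [...]} from a container config.

    Accepts both the legacy lxc.id_map key and the LXC 3 lxc.idmap key.
    Only the host-side start and count are kept; the container-side start is
    assumed to be 0 for the root mapping, as in the post."""
    maps = {"u": [], "g": []}
    pat = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            kind, _cstart, hstart, count = m.groups()
            maps[kind].append(Range(int(hstart), int(count)))
    return maps


def fits(mapping, delegated):
    """True if `mapping` lies entirely inside one delegated range."""
    end = mapping.start + mapping.count
    return any(d.start <= mapping.start and end <= d.start + d.count for d in delegated)


def overlaps(a, b):
    """True if two host-side ranges share at least one id."""
    return a.start < b.start + b.count and b.start < a.start + a.count


def check_containers(subuid, subgid, user, configs, rootfs_owner):
    """Return a list of findings; an empty list means the setup is consistent.

    configs: {container name: config text}
    rootfs_owner: {container name: host uid that owns the rootfs}"""
    findings = []
    delegated = {"u": parse_subid(subuid, user), "g": parse_subid(subgid, user)}
    parsed = {name: parse_id_map(text) for name, text in configs.items()}
    for name, maps in parsed.items():
        for kind in ("u", "g"):
            for r in maps[kind]:
                if not fits(r, delegated[kind]):
                    findings.append(f"{name}: {kind} range {r.start}+{r.count} is outside "
                                    f"{user}'s delegated ranges")
                if r.count < 65536:
                    findings.append(f"{name}: {kind} range maps only {r.count} ids; container "
                                    f"ids >= {r.count} will be unmapped (nobody/nogroup)")
        root_uid = maps["u"][0].start if maps["u"] else None
        owner = rootfs_owner.get(name)
        if root_uid is not None and owner is not None and owner != root_uid:
            findings.append(f"{name}: rootfs owned by host uid {owner} but container root "
                            f"maps to host uid {root_uid}; expect permission denied on rootfs")
    names = list(parsed)
    for i, a in enumerate(names):  # pairwise overlap check across containers
        for b in names[i + 1:]:
            for kind in ("u", "g"):
                for ra in parsed[a][kind]:
                    for rb in parsed[b][kind]:
                        if overlaps(ra, rb):
                            findings.append(f"{a}/{b}: {kind} ranges overlap "
                                            f"({ra.start}+{ra.count} vs {rb.start}+{rb.count})")
    return findings


# Constructed sample input modelled on the post: one delegated range, two
# containers with disjoint 10-id mappings, and cont2's rootfs still owned by
# the uid the first mapping used (a hypothetical stat() result, not from the post).
SUBUID = "lxcuser:100000:65536\n"
SUBGID = "lxcuser:100000:65536\n"
CONFIGS = {
    "cont1": "lxc.id_map = u 0 100000 10\nlxc.id_map = g 0 100000 10\n",
    "cont2": "lxc.id_map = u 0 100020 10\nlxc.id_map = g 0 100020 10\n",
}
ROOTFS_OWNER = {"cont1": 100000, "cont2": 100000}


def example():
    """Run the checks on the constructed sample and return the findings."""
    return check_containers(SUBUID, SUBGID, "lxcuser", CONFIGS, ROOTFS_OWNER)


if __name__ == "__main__":
    for finding in example():
        print(finding)
```

On the sample, both mappings fit inside the delegated range and do not overlap, so the findings are the small-range warnings for both containers plus the rootfs ownership mismatch for cont2, which is the condition that produces a "Permission denied" on the rootfs path at start. In real use, replace the constructed strings with the contents of /etc/subuid, /etc/subgid and each container's config, and fill `rootfs_owner` from `os.stat(path).st_uid`.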