[lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??

Xavier Gendre gendre.reivax at gmail.com
Mon Aug 20 07:24:31 UTC 2018


Hi Yasoda,

only 10 ids is a bit short for a container. You should increase this 
number to cover at least the system ids 0-999. Depending on the 
distribution you run in your containers, you can be sharper and only 
involve the needed ids but they all have to be covered.

Xavier

Le 20/08/2018 à 09:13, Yasoda Padala a écrit :
> Hi All,
> can someone please help me with the above query..
> 
> Thanks & Regards,
> Yasoda
> 
> On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala <padala.yasoda at gmail.com> wrote:
> 
>     Hi All,
>     I have created non-root user on my Ubuntu (16.04) machine who
>     creates unprivileged LXC containers.
>     My user's uid/gid on the host is 1000.
>     and below are the entries in /etc/subuid &  /etc/subgid files
> 
>     /etc/subuid:
>     lxcuser:100000:65536
> 
>     /etc/subgid:
>     lxcuser:100000:65536
> 
>     My requirement is for each LXC unprivileged container, I should be
>     able to pick a UID/GID range.
>     For instance, I have created two LXC containers cont1 and cont2
>     in cont1 config, I have added the below id mappings
>     lxc.id_map = u 0 100000 10
>     lxc.id_map = g 0 100000 10
> 
>     and in cont2 config file, I have added the below id mappings
>     lxc.id_map = u 0 100020 10
>     lxc.id_map = g 0 100020 10
> 
>     cont1 starts successfully but cont2 gives the below error while
>     starting the container
> 
>     lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>     lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>     lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
>     lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>     lxc-start 20180817035100.984 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".
>     lxc-start 20180817035100.984 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
>     lxc-start 20180817035100.985 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
>     lxc-start 20180817035106.524 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>     lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
>     lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
> 
>     My understanding is lxcuser who has been assigned with id range of
>     100000-165536 can assign a distinct subuid/gid  ranges for each
>     container spawned by lxcuser.
> 
>     is my understanding correct ?? I am not finding any reference
>     documents for custom user mappings for LXC unprivileged containers
> 
>     Any help on this is highly appreciated.
> 
>     Thanks & Regards,
> 
>     Yasoda
> 
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
> 
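A self-contained checker for the per-container mapping scheme discussed in this thread, written here as an added example; it is not LXC's own code and not from either poster. It assumes the LXC 2.x config key `lxc.id_map` used on Ubuntu 16.04 (LXC 3 renamed it `lxc.idmap`; the parser accepts both spellings), and every input is constructed: lxcuser's allocation from the thread, the two 10-id maps, and a short list of host-side file owners standing in for what `find <rootfs> -printf '%U\n' | sort -u` would report on a real host. It verifies that each map lies inside the user's subuid/subgid allocation, that container ids 0..999 are covered as Xavier suggests, that two containers' host ranges do not overlap, and that no rootfs file is owned by a host id the map leaves out: a rootfs populated under the default 0->100000/65536 map is owned by host ids from 100000 upward, so a map based at 100020 leaves the top-level directory owned by an id the container cannot see, which is consistent with the `Permission denied` cont2 hit.

```python
"""Check per-container lxc.id_map ranges against a user's /etc/subuid and /etc/subgid.

Added example for this thread, not LXC's own code. All inputs are constructed
to mirror the thread: lxcuser owns host ids 100000..165535, cont1 maps 10 ids
at 100000 and cont2 maps 10 ids at 100020.
"""
import re
from collections import namedtuple

SubRange = namedtuple("SubRange", "start count")               # one /etc/subuid line
IdMap = namedtuple("IdMap", "kind ns_start host_start count")  # one lxc.id_map line

# Constructed inputs (not copied from a real host).
SUBUID = "lxcuser:100000:65536\n"
SUBGID = "lxcuser:100000:65536\n"
CONT1 = "lxc.id_map = u 0 100000 10\nlxc.id_map = g 0 100000 10\n"
CONT2 = "lxc.id_map = u 0 100020 10\nlxc.id_map = g 0 100020 10\n"
# Host-side owners of files in a rootfs populated under the default 0->100000/65536
# map: container root, www-data (33) and a user with uid 1000. Constructed; on a real
# host the list comes from: find /path/to/rootfs -printf '%U\n' | sort -u
ROOTFS_OWNER_UIDS = [100000, 100033, 101000]

def parse_sub_file(text, user):
    """Return the SubRanges allocated to `user` in /etc/subuid or /etc/subgid text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(SubRange(int(start), int(count)))
    return ranges

def parse_idmap(config_text):
    """Parse lxc.id_map (LXC 2.x, as on Ubuntu 16.04) or lxc.idmap (LXC 3+) lines."""
    pat = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    maps = []
    for line in config_text.splitlines():
        m = pat.match(line)
        if m:
            kind, ns, host, count = m.groups()
            maps.append(IdMap(kind, int(ns), int(host), int(count)))
    return maps

def inside_allocation(idmap, ranges):
    """True if the host side of `idmap` lies entirely within one allocated range."""
    lo, hi = idmap.host_start, idmap.host_start + idmap.count
    return any(r.start <= lo and hi <= r.start + r.count for r in ranges)

def covers(maps, kind, highest_id):
    """True if container ids 0..highest_id (inclusive) are all mapped for `kind`."""
    needed = set(range(highest_id + 1))
    for m in maps:
        if m.kind == kind:
            needed -= set(range(m.ns_start, m.ns_start + m.count))
    return not needed

def overlaps(a, b):
    """True if two mappings share host ids (two containers would then share identities)."""
    return a.host_start < b.host_start + b.count and b.host_start < a.host_start + a.count

def unmapped_owners(maps, kind, host_ids):
    """Host ids that own rootfs files but have no mapping in this container.

    Inside the user namespace such files belong to the overflow id (nobody, 65534),
    so container root cannot traverse a rootfs whose directories are owned by them."""
    mapped = set()
    for m in maps:
        if m.kind == kind:
            mapped |= set(range(m.host_start, m.host_start + m.count))
    return sorted(set(host_ids) - mapped)

def check(config_text, subuid, subgid, rootfs_owner_uids=(), min_cover=999):
    """Return a list of human-readable problems; an empty list means the map looks usable."""
    maps = parse_idmap(config_text)
    problems = []
    for m in maps:
        if not inside_allocation(m, subuid if m.kind == "u" else subgid):
            problems.append(f"{m.kind} map {m.host_start}+{m.count} is outside the user's allocation")
    for kind in "ug":
        if not covers(maps, kind, min_cover):
            problems.append(f"{kind} map does not cover container ids 0..{min_cover}")
    for uid in unmapped_owners(maps, "u", rootfs_owner_uids):
        problems.append(f"rootfs has files owned by host uid {uid}, which this map does not include")
    return problems

def carve(ranges, size):
    """Non-overlapping per-container base ids, `size` ids each, carved from the allocation."""
    bases = []
    for r in ranges:
        bases += list(range(r.start, r.start + r.count - size + 1, size))
    return bases

def idmap_lines(base, size, key="lxc.id_map"):
    """Config fragment mapping container ids 0..size-1 onto host ids base..base+size-1."""
    return f"{key} = u 0 {base} {size}\n{key} = g 0 {base} {size}\n"

if __name__ == "__main__":
    subuid = parse_sub_file(SUBUID, "lxcuser")
    subgid = parse_sub_file(SUBGID, "lxcuser")
    for name, cfg in (("cont1", CONT1), ("cont2", CONT2)):
        for p in check(cfg, subuid, subgid, ROOTFS_OWNER_UIDS):
            print(f"{name}: {p}")
    # A layout that works: slots of 2000 ids (0..999 plus room for a uid-1000 user),
    # one slot per container, each rootfs re-owned into its slot before it is started.
    for base in carve(subuid, 2000)[:2]:
        print(idmap_lines(base, 2000), end="")
```

Run it with `python3 idmap_check.py` (hypothetical file name). The last loop carves lxcuser's 65536 ids into per-container slots and prints the config lines for the first two. A container moved into a new slot also needs the files in its rootfs re-owned into that slot's host ids; otherwise the unmapped-owner check fires, and in practice the container fails before its rootfs is mounted, exactly the stage at which cont2 stops above.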