[lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??
Xavier Gendre
gendre.reivax at gmail.com
Mon Aug 20 07:24:31 UTC 2018
Hi Yasoda,
Only 10 ids is a bit short for a container. You should increase this
number to cover at least the system ids 0-999. Depending on the
distribution you run in your containers, you can be sharper and only
involve the needed ids but they all have to be covered.
Xavier
On 20/08/2018 at 09:13, Yasoda Padala wrote:
> Hi All,
> can someone please help me with the above query..
>
> Thanks & Regards,
> Yasoda
>
> On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala <padala.yasoda at gmail.com
> <mailto:padala.yasoda at gmail.com>> wrote:
>
> Hi All,
> I have created non-root user on my Ubuntu (16.04) machine who
> creates unprivileged LXC containers.
> My user's uid/gid on the host is 1000.
> and below are the entries in /etc/subuid & /etc/subgid files
>
> /etc/subuid:
> lxcuser:100000 65536
>
> /etc/subgid:
> lxcuser:100000:65536
>
> My requirement is for each LXC unprivileged container, I should be
> able to pick a UID/GID range.
> For instance, I have created two LXC containers cont1 and cont2
> in cont1 config, I have added the below id mappings
> lxc.id_map = u 0 100000 10
> lxc.id_map = g 0 100000 10
>
> and in cont2 config file, I have added the below id mappings
> lxc.id_map = u 0 100020 10
> lxc.id_map = g 0 100020 10
>
> cont1 starts successfully but cont2 gives the below error while
> starting the container
>
> lxc-start 20180817035100.984 ERROR lxc_conf -
> conf.c:mount_rootfs:798 - Permission denied - Failed to get real
> path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>
> lxc-start 20180817035100.984 ERROR lxc_conf -
> conf.c:setup_rootfs:1220 - Failed to mount rootfs
> "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>
> lxc-start 20180817035100.984 ERROR lxc_conf -
> conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
>
> lxc-start 20180817035100.984 ERROR lxc_conf -
> conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>
> lxc-start 20180817035100.984 ERROR lxc_start -
> start.c:do_start:811 - Failed to setup container "uidranges".
>
> lxc-start 20180817035100.984 ERROR lxc_sync -
> sync.c:__sync_wait:57 - An error occurred in another process
> (expected sequence number 3)
>
> lxc-start 20180817035100.985 ERROR lxc_start -
> start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
>
> lxc-start 20180817035106.524 ERROR lxc_start_ui -
> tools/lxc_start.c:main:366 - The container failed to start.
>
> lxc-start 20180817035106.525 ERROR lxc_start_ui -
> tools/lxc_start.c:main:368 - To get more details, run the container
> in foreground mode.
>
> lxc-start 20180817035106.525 ERROR lxc_start_ui -
> tools/lxc_start.c:main:370 - Additional information can be obtained
> by setting the --logfile and --logpriority options.
>
> My understanding is lxcuser who has been assigned with id range of
> 100000-165536 can assign a distinct subuid/gid ranges for each
> container spawned by lxcuser.
>
> is my understanding correct ?? I am not finding any reference
> documents for custom user mappings for LXC unprivileged containers
>
> Any help on this is highly appreciated.
>
>
>
> Thanks & Regards,
>
> Yasoda
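
The reply's requirement (cover at least ids 0-999) and the question's goal (a distinct host range per container inside the delegated subordinate range) can be checked before a container is started. The following is an added example, not part of the original thread or of LXC itself: it validates each container's id maps against the delegated range, checks coverage of container ids 0-999, and reports host ranges shared between containers. The function names, the `wide1`/`wide2` configs and all sample data are assumptions constructed for illustration.

```python
import re
# Constructed sample data modelled on the thread; nothing is read from the host.
SUBID = "lxcuser:100000:65536"          # assumed identical in subuid and subgid
CONFIGS = {
    "cont1": "lxc.id_map = u 0 100000 10\nlxc.id_map = g 0 100000 10",
    "cont2": "lxc.id_map = u 0 100020 10\nlxc.id_map = g 0 100020 10",
    "wide1": "lxc.id_map = u 0 100000 1000\nlxc.id_map = g 0 100000 1000",
    "wide2": "lxc.id_map = u 0 101000 1000\nlxc.id_map = g 0 101000 1000",
}
MAP_RE = re.compile(r"^\s*lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$", re.M)

def parse_subid(text, user):
    """Return [(start, count)] delegated to `user` (name:start:count lines)."""
    rows = (line.split(":") for line in text.splitlines() if line.strip())
    return [(int(s), int(n)) for name, s, n in rows if name == user]

def parse_idmap(config):
    """Return [(kind, container_start, host_start, count)]; accepts lxc.id_map and lxc.idmap."""
    return [(k, int(c), int(h), int(n)) for k, c, h, n in MAP_RE.findall(config)]

def covers(ranges, upto):
    """True if container-side (start, count) ranges cover ids 0..upto-1."""
    nxt = 0
    for start, count in sorted(ranges):
        if start > nxt:
            break
        nxt = max(nxt, start + count)
    return nxt >= upto

def check(name, config, delegated, min_ids=1000):
    """Return the problems found in one container's id mappings."""
    maps, problems = parse_idmap(config), []
    for kind, _, host, count in maps:
        if not any(s <= host and host + count <= s + n for s, n in delegated):
            problems.append(f"{name}: {kind} {host}+{count} is outside the delegated range")
    for kind in "ug":
        if not covers([(c, n) for k, c, _, n in maps if k == kind], min_ids):
            problems.append(f"{name}: {kind} map does not cover ids 0-{min_ids - 1}")
    return problems

def overlaps(configs):
    """Return container pairs whose host ranges intersect for the same kind."""
    flat = [(nm, m) for nm, cfg in configs.items() for m in parse_idmap(cfg)]
    return sorted({(a, b) for a, (ka, _, ha, na) in flat for b, (kb, _, hb, nb) in flat
                   if a < b and ka == kb and ha < hb + nb and hb < ha + na})

if __name__ == "__main__":
    for name, cfg in CONFIGS.items():
        print(name, check(name, cfg, parse_subid(SUBID, "lxcuser")) or "ok")
    print("overlapping:", overlaps(CONFIGS))
```

Containers whose host ranges do not intersect never share a host uid or gid, which is what keeps files and processes of one container out of reach of another's mapped users.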