[lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??

Yasoda Padala padala.yasoda at gmail.com
Wed Aug 22 10:15:29 UTC 2018


Thank you, Dirk, for your response.
It was a permission issue and, as you suggested, I corrected the permissions to
give the unprivileged user full access to the container's rootfs, and it started
working.

Thanks again,
Yasoda

---------- Forwarded message ----------
> From: Yasoda Padala <padala.yasoda at gmail.com>
> To: lxc-users at lists.linuxcontainers.org
> Cc:
> Bcc:
> Date: Tue, 21 Aug 2018 15:37:49 +0530
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID
> range for LXC unprivileged containers ??
> Hi Xavier,
> Thank you for your response.
> I even tried with bigger range, but still no luck.
>
> in 1st container (cont1) config,
>  lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
>  &
> and in 2nd container (cont2) config:
> lxc.id_map = u 0 101500 1000
> lxc.id_map = g 0 101500 1000
>
>  get the same error
>
> lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:mount_rootfs:798 -
> Permission denied - Failed to get real path for
> "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>
>       lxc-start 20180817035100.984 ERROR    lxc_conf -
> conf.c:setup_rootfs:1220 - Failed to mount rootfs
> "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>
>       lxc-start 20180817035100.984 ERROR    lxc_conf -
> conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
>
>       lxc-start 20180817035100.984 ERROR    lxc_conf -
> conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>
>       lxc-start 20180817035100.984 ERROR    lxc_start -
> start.c:do_start:811 - Failed to setup container "uidranges".
>
>       lxc-start 20180817035100.984 ERROR    lxc_sync -
> sync.c:__sync_wait:57 - An error occurred in another process (expected
> sequence number 3)
>
>       lxc-start 20180817035100.985 ERROR    lxc_start -
> start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
>
>       lxc-start 20180817035106.524 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:366 - The container failed to start.
>
>       lxc-start 20180817035106.525 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:368 - To get more details, run the container in
> foreground mode.
>
>       lxc-start 20180817035106.525 ERROR    lxc_start_ui -
> tools/lxc_start.c:main:370 - Additional information can be obtained by
> setting the --logfile and --logpriority options.
>
> If I try something like below:
> in 1st container (cont1) config,
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
>
> and in 2nd container (cont2) config:
> lxc.id_map = u 0 100000 2000
> lxc.id_map = g 0 100000 2000
>
> it works, but on the host both the containers created by my lxcuser have the
> same user ID, which is 100000. Hence, it is not possible to identify each
> container uniquely on the host machine.
>
> My query is that, is there any way a non-root user can create various
> containers and each container will have unique UserId on the host machine ??
>
> Thanks for your help,
> Yasoda
>
> From: Xavier Gendre <gendre.reivax at gmail.com>
> To: lxc-users at lists.linuxcontainers.org
> Cc:
> Bcc:
> Date: Mon, 20 Aug 2018 09:24:31 +0200
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID
> range for LXC unprivileged containers ??
> Hi Yasoda,
>
> only 10 ids is a bit short for a container. You should increase this
> number to cover at least the system ids 0-999. Depending on the
> distribution you run in your containers, you can be sharper and only
> involve the needed ids but they all have to be covered.
>
> Xavier
>
>
>> On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala <padala.yasoda at gmail.com>
>> wrote:
>>
>>> Hi All,
>>> I have created a non-root user on my Ubuntu (16.04) machine who creates
>>> unprivileged LXC containers.
>>> My user's uid/gid on the host is 1000.
>>> and below are the entries in /etc/subuid &  /etc/subgid files
>>>
>>> /etc/subuid:
>>> lxcuser:100000 65536
>>>
>>> /etc/subgid:
>>> lxcuser:100000:65536
>>>
>>> My requirement is for each LXC unprivileged container, I should be able
>>> to pick a UID/GID range.
>>> For instance, I have created two LXC containers cont1 and cont2
>>> in cont1 config, I have added the below id mappings
>>> lxc.id_map = u 0 100000 10
>>> lxc.id_map = g 0 100000 10
>>>
>>> and in con2 config file, I have added the below id mappings
>>> lxc.id_map = u 0 100020 10
>>> lxc.id_map = g 0 100020 10
>>>
>>> cont1 starts successfully but cont2 gives the below error while
>>> starting the container
>>>
>>> lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:mount_rootfs:798
>>> - Permission denied - Failed to get real path for
>>> "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>>>
>>>       lxc-start 20180817035100.984 ERROR    lxc_conf -
>>> conf.c:setup_rootfs:1220 - Failed to mount rootfs
>>> "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
>>> "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>>>
>>>       lxc-start 20180817035100.984 ERROR    lxc_conf -
>>> conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
>>>
>>>       lxc-start 20180817035100.984 ERROR    lxc_conf -
>>> conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>>>
>>>       lxc-start 20180817035100.984 ERROR    lxc_start -
>>> start.c:do_start:811 - Failed to setup container "uidranges".
>>>
>>>       lxc-start 20180817035100.984 ERROR    lxc_sync -
>>> sync.c:__sync_wait:57 - An error occurred in another process (expected
>>> sequence number 3)
>>>
>>>       lxc-start 20180817035100.985 ERROR    lxc_start -
>>> start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
>>>
>>>       lxc-start 20180817035106.524 ERROR    lxc_start_ui -
>>> tools/lxc_start.c:main:366 - The container failed to start.
>>>
>>>       lxc-start 20180817035106.525 ERROR    lxc_start_ui -
>>> tools/lxc_start.c:main:368 - To get more details, run the container in
>>> foreground mode.
>>>
>>>       lxc-start 20180817035106.525 ERROR    lxc_start_ui -
>>> tools/lxc_start.c:main:370 - Additional information can be obtained by
>>> setting the --logfile and --logpriority options.
>>>
>>>
>>>
>>> My understanding is that lxcuser, who has been assigned the id range
>>> 100000-165536, can assign distinct subuid/gid ranges for each container
>>> spawned by lxcuser.
>>>
>>> is my understanding correct ?? I am not finding any reference documents
>>> for custom user mappings for LXC unprivileged containers
>>>
>>> Any help on this is highly appreciated.
>>>
>>>
>>>
>>> Thanks & Regards,
>>>
>>> Yasoda
>>>
>>>
>>>
>>>
>
>
> ---------- Forwarded message ----------
> From: Dirk Geschke <dirk at lug-erding.de>
> To: LXC users mailing-list <lxc-users at lists.linuxcontainers.org>
> Cc:
> Bcc:
> Date: Tue, 21 Aug 2018 13:39:08 +0200
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID
> range for LXC unprivileged containers ??
> Hi Yasoda,
>
> >  get the same error
> >
> > lxc-start 20180817035100.984 ERROR    lxc_conf - conf.c:mount_rootfs:798
> -
> > Permission denied - Failed to get real path for
> > "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>
> can you check the directory permissions for
>
>    /home/oxpd/.local/share/lxc/uidranges
>
> I think they should be owned by the LXC root, but the group should
> be yours and the mode 770; the group must have full access.
> Otherwise the unprivileged user can't access his own
> container configuration.
>
> Best regards
>
> Dirk
>
> --
> +----------------------------------------------------------------------+
> | Dr. Dirk Geschke       / Plankensteinweg 61    / 85435 Erding        |
> | Telefon: 08122-559448  / Mobil: 0176-96906350 / Fax: 08122-9818106   |
> | dirk at geschke-online.de / dirk at lug-erding.de  / kontakt at lug-erding.de |
> +----------------------------------------------------------------------+
>
> _______________________________________________
> lxc-users mailing list
> lxc-users at lists.linuxcontainers.org
> http://lists.linuxcontainers.org/listinfo/lxc-users
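As an added check (not code from this thread or from the LXC project), the script below reads id maps modelled on the configs quoted above and flags the three problems the thread touches on: maps that cover fewer than the system ids 0-999, ranges that fall outside the user's /etc/subuid and /etc/subgid allocation, and ranges that overlap between containers, which is what makes two containers indistinguishable by host uid. The subuid/subgid contents and the container configs are constructed sample strings, not files read from a host.

```python
import re

# Constructed sample data modelled on the thread; not read from real files.
SUBUID = "lxcuser:100000:65536\n"
SUBGID = "lxcuser:100000:65536\n"
CONFIGS = {
    "cont1": "lxc.id_map = u 0 100000 1000\nlxc.id_map = g 0 100000 1000\n",
    "cont2": "lxc.id_map = u 0 101500 1000\nlxc.id_map = g 0 101500 1000\n",
    "cont3": "lxc.id_map = u 0 100000 2000\nlxc.id_map = g 0 100000 2000\n",
}
MIN_IDS = 1000  # a container needs at least the system ids 0-999 mapped
# LXC 2.x spells the key lxc.id_map, LXC 3.x lxc.idmap; accept both.
ID_MAP_RE = re.compile(r"^\s*lxc\.(?:id_map|idmap)\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_sub(text, user):
    """Return [(start, count), ...] allocations for `user` from subuid/subgid text."""
    out = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            out.append((int(parts[1]), int(parts[2])))
    return out

def parse_idmap(text):
    """Return {'u': [(ns_start, host_start, count)], 'g': [...]} from a config."""
    maps = {"u": [], "g": []}
    for line in text.splitlines():
        m = ID_MAP_RE.match(line)
        if m:
            maps[m.group(1)].append((int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return maps

def check(configs, user, subuid, subgid, min_ids=MIN_IDS):
    """Return a list of findings; an empty list means every map looks sane."""
    findings = []
    alloc = {"u": parse_sub(subuid, user), "g": parse_sub(subgid, user)}
    seen = {"u": [], "g": []}  # (container, host_start, host_end_exclusive)
    for name, cfg in configs.items():
        for kind, entries in parse_idmap(cfg).items():
            covered = sum(c for ns, _, c in entries if ns == 0)
            if covered < min_ids:
                findings.append(f"{name}: {kind} map covers {covered} ids, need >= {min_ids}")
            for ns, host, count in entries:
                end = host + count
                if not any(a <= host and end <= a + n for a, n in alloc[kind]):
                    findings.append(f"{name}: {kind} range {host}-{end-1} outside {user}'s allocation")
                for other, o_start, o_end in seen[kind]:
                    if host < o_end and o_start < end:
                        findings.append(f"{name}: {kind} range overlaps {other} ({o_start}-{o_end-1})")
                seen[kind].append((name, host, end))
    return findings
```

Run against the sample data, cont1 and cont2 pass while cont3 (the 2000-id map starting at 100000) is reported as overlapping both; the original 10-id maps are reported as too short.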