[lxc-users] LXD share /var/lib/mysql from host to container and map user/group

Tony P tonypeagleon at gmail.com
Tue Jul 10 18:17:20 UTC 2018


Hi David.

> 2) Unsure what you're attempting to accomplish modifying idmaps + restarting
>    LXD. Maybe you're attempting to defeat container security.
>
>    A better way to do this is...
>
>    lxc config set cname security.privileged true
>    lxc restart cname

I didn't understand this suggestion earlier because I assumed I
wasn't trying to "defeat container security". Basically, your
suggestion was the solution to my problem. Making it a privileged
container allows me to perform a chown mysql:mysql within the
container now since it's the same mysql:mysql of the host. However, I
am wondering... using 'security.privileged true' makes the host root
available within the container right? Since this is just a development
environment, it doesn't matter to me... but would this be dangerous in
a production system? If so, is there a way to do this for just the one
mysql:mysql? Just curious... but my problem is solved now. I should
have tried your suggestion right away.

Thank you so much for the assistance.

On Mon, Jul 9, 2018 at 5:35 PM, David Favor <david at davidfavor.com> wrote:
> Tony P wrote:
>>
>> What's the correct way to share the mysql/mariadb data dir of the host
>> system to a container and map the permissions correctly? I have been
>> struggling with this for a couple of days. I'm sorry if this question has
>> been asked before, but I have searched thoroughly and not been able to find
>> the solution yet. Basically what I have done so far:
>>
>> Install mariadb-server on both host and container and:
>>
>> $ printf "lxd:$(id -u mysql):1\nroot:$(id -u mysql):1\n" | sudo tee -a
>> /etc/subuid
>> $ printf "lxd:$(id -g mysql):1\nroot:$(id -g mysql):1\n" | sudo tee -a
>> /etc/subgid
>> $ sudo systemctl restart lxd
>> $ printf "uid $(id -u mysql) 1000\ngid $(id -g mysql) 1000" | lxc config
>> set $CONTAINER_NAME raw.idmap -
>> $ lxc restart $CONTAINER_NAME
>> $ sudo lxc config device add $CONTAINER_NAME mysql disk
>> source=/var/lib/mysql path=/var/lib/mysql
>> Unfortunately, this breaks the container and prevents it from starting
>> since the mapping isn't allowed.
>>
>> $ sudo lxc info --show-log ub1804x64-3
>>
>> Name: ub1804x64-3
>> Remote: unix://
>> Architecture: x86_64
>> Created: 2018/07/09 15:30 UTC
>> Status: Stopped
>> Type: persistent
>> Profiles: default
>>
>> Log:
>>
>> lxc ub1804x64-3 20180709154554.682 ERROR    lxc_conf -
>> conf.c:lxc_map_ids:2919 - newuidmap failed to write mapping "newuidmap: uid
>> range [1000-1001) -> [114-115) not allowed": newuidmap 6725 0 100000 1000
>> 1000 114 1 1001 101001 64535
>> lxc ub1804x64-3 20180709154554.682 ERROR    lxc_start -
>> start.c:lxc_spawn:1661 - Failed to set up id mapping.
>> lxc ub1804x64-3 20180709154554.755 WARN     lxc_network -
>> network.c:lxc_delete_network_priv:2607 - Failed to remove interface
>> "veth38DOB9" from "lxdbr0": Invalid argument
>> lxc ub1804x64-3 20180709154554.755 ERROR    lxc_container -
>> lxccontainer.c:wait_on_daemonized_start:834 - Received container state
>> "ABORTING" instead of "RUNNING"
>> lxc ub1804x64-3 20180709154554.756 ERROR    lxc_start -
>> start.c:__lxc_start:1887 - Failed to spawn container "ub1804x64-3"
>> lxc 20180709154554.775 WARN     lxc_commands -
>> commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to
>> receive response for command "get_state"
>> I'm basically following this article
>> (https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/)
>> written by Stéphane Graber (the super awesome primary LXD developer) to
>> achieve this. I'll admit that I don't fully understand what's going on here,
>> if someone could help me understand my mistake a bit better, I'd really
>> appreciate it. I have a feeling I have the range wrong (1000?). I previously
>> attempted doing the same by manually adding the mysql user/group and trying
>> to map those (instead of installing mysql), but that also didn't work out
>> (Same error). This is what I tried before trying the mapping):
>>
>> $ sudo groupadd mysql
>> $ sudo useradd -r -g mysql mysql
>>
>> I also tried with: $ printf "both $(id -u mysql) $(id -u mysql)" | lxc
>> config set $CONTAINER_NAME raw.idmap -
>>
>> Then the error I get is:
>>
>> $ sudo lxc info --show-log tmp3
>>
>> Name: tmp3
>> Remote: unix://
>> Architecture: x86_64
>> Created: 2018/07/09 20:32 UTC
>> Status: Stopped
>> Type: persistent
>> Profiles: default
>>
>> Log:
>>
>> lxc tmp3 20180709204423.805 ERROR    lxc_conf - conf.c:lxc_map_ids:2919 -
>> newgidmap failed to write mapping "newgidmap: gid range [114-115) ->
>> [114-115) not allowed": newgidmap 30081 114 114 1 0 100000 114 115 100115
>> 65421
>> lxc tmp3 20180709204423.805 ERROR    lxc_start - start.c:lxc_spawn:1661 -
>> Failed to set up id mapping.
>> lxc tmp3 20180709204423.876 WARN     lxc_network -
>> network.c:lxc_delete_network_priv:2607 - Failed to remove interface
>> "vethYL869L" from "lxdbr0": Invalid argument
>> lxc tmp3 20180709204423.876 ERROR    lxc_container -
>> lxccontainer.c:wait_on_daemonized_start:834 - Received container state
>> "ABORTING" instead of "RUNNING"
>> lxc tmp3 20180709204423.877 ERROR    lxc_start - start.c:__lxc_start:1887
>> - Failed to spawn container "tmp3"
>> lxc 20180709204423.897 WARN     lxc_commands -
>> commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to
>> receive response for command "get_state"
>>
>>
>> I'm using LXD 3.0.1 running on host Ubuntu 18.04 amd64 and testing with a
>> Ubuntu 18.04 amd64 container
>>
>> Thanks for your help in advance!!
>
>
> Things to keep in mind.
>
> 1) If you end up with a machine level instance of MariaDB running along
>    with a container level instance of MariaDB running with a shared
>    /var/lib/mysql, then all your data will be corrupt.
>
>    Likely best to have a machine level database directory named
>    something different than /var/lib/mysql, in case you ever accidentally
>    install a machine level version of mariadb-server packages.
>
> 2) Unsure what you're attempting to accomplish modifying idmaps + restarting
>    LXD. Maybe you're attempting to defeat container security.
>
>    A better way to do this is...
>
>    lxc config set cname security.privileged true
>    lxc restart cname
>
> 3) All this said, likely be useful for you to describe your target
> objective.
>
>    Likely knowing this, someone has already accomplished what you're trying
>    to accomplish + will have some good suggestions.
>
> 4) Keep in mind, depending on how you finalize all this, container
>    remote move + copy operations may fail to clone your database data.
>
>    Even if you do end up with a /var/lib/mysql in your newly created
>    remote container, you'll likely lose your machine/container
>    filesystem mapping.
>
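The failure in the quoted log ("uid range [1000-1001) -> [114-115) not allowed") and the follow-up question about avoiding security.privileged both come down to one rule: when LXD starts an unprivileged container it hands newuidmap/newgidmap a list of (container-id, host-id, count) triples, and every host-side range has to sit inside a range that /etc/subuid or /etc/subgid grants to the daemon's owner (root on a deb install of LXD 3.0). The script below is an added example, not LXD's or shadow's code. It models that rule in a simplified form (the other conditions newuidmap checks are not reproduced), takes the newuidmap argument list from the log in the thread, and uses constructed /etc/subuid contents to show the mapping being rejected and then accepted once a root:114:1 entry exists. The helper names (parse_subid, first_disallowed, host_id_for) are the example's own.

```python
"""Model of the newuidmap/newgidmap containment check that LXD relies on.

Added example (not LXD or shadow-utils code). Simplification: a mapping is
accepted only if each host-side range lies inside one of the owner's
/etc/subuid (or /etc/subgid) ranges; nothing else newuidmap validates is
modelled here.
"""
from dataclasses import dataclass
from typing import List, Optional

# Triples from the thread's log line, after the pid:
#   newuidmap 6725 0 100000 1000 1000 114 1 1001 101001 64535
# i.e. container 0..999 -> host 100000.., container 1000 -> host 114,
# container 1001.. -> host 101001..
LOG_MAPPING = "0 100000 1000 1000 114 1 1001 101001 64535"

# Constructed /etc/subuid contents: a stock LXD install ...
SUBUID_WITHOUT_MYSQL = "root:100000:65536\nlxd:100000:65536\n"
# ... and the same file after granting root the single host uid 114 (mysql).
SUBUID_WITH_MYSQL = SUBUID_WITHOUT_MYSQL + "root:114:1\nlxd:114:1\n"


@dataclass(frozen=True)
class Range:
    start: int
    count: int

    @property
    def end(self) -> int:          # exclusive, like newuidmap's "[a-b)"
        return self.start + self.count

    def contains(self, other: "Range") -> bool:
        return self.start <= other.start and other.end <= self.end


@dataclass(frozen=True)
class MapEntry:
    container_start: int
    host_start: int
    count: int

    @property
    def host(self) -> Range:
        return Range(self.host_start, self.count)


def parse_subid(text: str, owner: str) -> List[Range]:
    """Collect the 'owner:start:count' ranges granted to one owner."""
    allowed = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == owner:
            allowed.append(Range(int(start), int(count)))
    return allowed


def parse_newidmap_args(args: str) -> List[MapEntry]:
    """Split newuidmap's argument list into (container, host, count) triples."""
    nums = [int(tok) for tok in args.split()]
    if len(nums) % 3:
        raise ValueError("mapping must consist of whole (container host count) triples")
    return [MapEntry(*nums[i:i + 3]) for i in range(0, len(nums), 3)]


def first_disallowed(entries: List[MapEntry], allowed: List[Range]) -> Optional[MapEntry]:
    """First entry whose host range no granted range covers, or None if all pass."""
    for entry in entries:
        if not any(granted.contains(entry.host) for granted in allowed):
            return entry
    return None


def describe(entry: MapEntry) -> str:
    """Render an entry the way the log's error message does."""
    return (f"range [{entry.container_start}-{entry.container_start + entry.count}) -> "
            f"[{entry.host_start}-{entry.host_start + entry.count}) not allowed")


def host_id_for(entries: List[MapEntry], container_id: int) -> Optional[int]:
    """Which host uid/gid a container id lands on under this mapping."""
    for entry in entries:
        if entry.container_start <= container_id < entry.container_start + entry.count:
            return entry.host_start + (container_id - entry.container_start)
    return None


def check(mapping: str, subid_text: str, owner: str = "root") -> str:
    entries = parse_newidmap_args(mapping)
    bad = first_disallowed(entries, parse_subid(subid_text, owner))
    return "mapping accepted" if bad is None else f"{owner} may not map: {describe(bad)}"


if __name__ == "__main__":
    print(check(LOG_MAPPING, SUBUID_WITHOUT_MYSQL))   # rejected, as in the thread
    print(check(LOG_MAPPING, SUBUID_WITH_MYSQL))      # accepted
    print("container uid 0 ->", host_id_for(parse_newidmap_args(LOG_MAPPING), 0))
```

The second line of output is the point of the exercise: with a one-id grant in /etc/subuid and /etc/subgid for the daemon's owner, the single mysql uid/gid can be mapped through raw.idmap and the container stays unprivileged, so container uid 0 still lands on host uid 100000 rather than on host root as it does under security.privileged.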