
I cannot get my head around the userns-idmap mapping, i.e. the sub{uid,gid} mapping stuff.

Here's what I have:

# lxc launch images:ubuntu/22.04 c1
# lxc config device add c1 home disk source=/home/user3/ path=/home/user3
# lxc config device add c1 shared disk source=/mnt/shared path=/mnt/shared

Then I added a user and group to the container:

# lxc exec c1 bash
# groupadd -g 1003 user3
# groupadd -g 1004 shared
# useradd -u 1003 -g 1003 -G shared user3
  • The user user3 has the uid 1003 on the host and belongs to the group shared (as well as its own)
  • The group shared has the gid of 1004

Here's my sub{uid,gid}:

sudo tee /etc/sub{uid,gid} <<EOF
root:1000:65536
user0:100000:65536
user1:100001:65536
user2:100002:65536
user3:100003:65536
EOF

sudo tee -a /etc/subgid <<EOF
shared:100004:1
EOF

I want to map user3's uid 1003 and gid 1003 into the container. I also want to map shared which is 1004 on the host into the container.

  1. Is my /etc/sub{uid,gid} correct?
  2. What do I need for the raw.idmap command?
  3. I want to make a c2 container which has home directories for user0-3 mapped through.

I tried:

# printf 'both 1003 1003\ngid 1004 1\n' | lxc config set c1 raw.lxc -

to begin with, but was getting the error:

ERROR conf - ../src/lxc/conf.c:lxc_map_ids:3672 - newuidmap failed to write mapping "newuidmap: uid range [1001-1002) -> [100003-100004) not allowed": newuidmap 22185 0 1000 1001 1001 10000

ERROR start - ../src/lxc/start.c:lxc_spawn:1791 - Failed to set up id mapping.

dogman

2 Answers


Your subuid definitions are overlapping, which is not allowed.

user0:100000:65536

This means user0 gets 100000 to 165535. This also means that the next user has to start at 165536.

user1:165536:65536

The next gets

user2:231072:65536

and so on.

Gerald Schneider
  • What would the `raw.idmap` look like then for passing in `user2` (in your example) and the `shared` group? – dogman Aug 01 '22 at 07:23
  • Sorry, I'm not familiar with shared subuids and I don't know what you mean by `raw.idmap`. – Gerald Schneider Aug 01 '22 at 07:35
  • It's a part of [custom-idmaps](https://linuxcontainers.org/lxd/docs/master/userns-idmap/#custom-idmaps). Basically trying to do [Add a shared host directory to an LXC/LXD container (read-write mode)](https://www.cyberciti.biz/faq/how-to-add-or-mount-directory-in-lxd-linux-container/) – dogman Aug 01 '22 at 08:29

So I found the solution to this.

I needed:

$ cat /etc/subuid
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:100000:65536
lxd:100000:65536
$ cat /etc/subgid
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:100000:65536
lxd:100000:65536

The reason it had to be root is that LXD launches LXC containers as the host's root user. The containers themselves are still unprivileged (in that root inside the container isn't root on the host).

Further, I also needed to add the following entries to /etc/lxc/default.conf:

lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 0
lxc.idmap = g 1001 101001 0
lxc.idmap = u 1001 1001 1
lxc.idmap = g 1001 1001 1
lxc.idmap = u 1002 101002 0
lxc.idmap = g 1002 101002 0
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1002 1002 1
lxc.idmap = u 1003 101003 0
lxc.idmap = g 1003 101003 0
lxc.idmap = u 1003 1003 1
lxc.idmap = g 1003 1003 1
lxc.idmap = u 1004 101004 64532
lxc.idmap = g 1004 1004 1
lxc.idmap = g 1005 101005 64532

For generating this I found proxmox-lxc-idmapper, which helped me generate the correct lxc.idmap.

Note, though, that the tool is not without bugs, so you should check the output carefully to make sure it's actually what you want.

dogman
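Added example (not code from the thread, from LXC or from LXD): a small Python checker for the two things that bit this thread. It parses /etc/subuid-style entries and lxc.idmap lines, reports sub-id blocks that overlap (the point of the first answer) and applies that answer's allocation rule (a new block starts where the highest existing one ends), and checks every lxc.idmap entry the way newuidmap/newgidmap do: the host side must lie entirely inside a block granted to the launching user (root for LXD), which is exactly what the "not allowed" error in the question is about. It also flags zero-length entries and container-side ranges that collide. Run over the data pasted above it reports the question's overlapping user0 to user3 blocks, the root/lxd pair in the self-answer (the same block listed for both accounts), the six zero-length lxc.idmap lines, and the last gid line, whose host range ends one id past root's 100000:65536 subgid grant. All sample strings are constructed from the thread's own lines; the function and field names are the example's own.

```python
"""Checks for /etc/sub{uid,gid} entries and lxc.idmap lines (added example,
not code from the thread, LXC or LXD; sample data constructed from the thread)."""
from typing import List, NamedTuple, Tuple


class SubIdRange(NamedTuple):
    user: str
    start: int
    count: int

    @property
    def end(self) -> int:      # exclusive
        return self.start + self.count


class IdMap(NamedTuple):
    kind: str                  # "u" or "g"
    cont_start: int            # first id as seen inside the container
    host_start: int            # first id on the host
    count: int


def parse_subid(text: str) -> List[SubIdRange]:
    """Parse user:start:count lines, the /etc/subuid and /etc/subgid format."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, start, count = line.split(":")
            out.append(SubIdRange(user, int(start), int(count)))
    return out


def parse_idmap(text: str) -> List[IdMap]:
    """Parse 'lxc.idmap = <u|g> <container-start> <host-start> <count>' lines."""
    out = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "lxc.idmap":
            kind, cont, host, count = value.split()
            out.append(IdMap(kind, int(cont), int(host), int(count)))
    return out


def find_subid_overlaps(ranges: List[SubIdRange]) -> List[Tuple[SubIdRange, SubIdRange]]:
    """Pairs of entries that share at least one id. Two accounts that share
    host ids also share ownership of each other's container files."""
    ordered = sorted(ranges, key=lambda r: r.start)
    bad = []
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.start >= a.end:   # sorted by start: nothing later can touch a
                break
            bad.append((a, b))
    return bad


def next_free_range(ranges: List[SubIdRange], user: str, count: int) -> SubIdRange:
    """The first answer's rule: a new block starts where the highest one ends."""
    return SubIdRange(user, max(r.end for r in ranges), count)


def check_idmaps(maps: List[IdMap], subuid: List[SubIdRange],
                 subgid: List[SubIdRange], user: str = "root") -> List[str]:
    """One message per problem; an empty list means every entry is non-empty,
    its host side lies inside a block granted to `user` (what newuidmap and
    newgidmap enforce), and container-side ranges of one type do not collide."""
    grants = {"u": [r for r in subuid if r.user == user],
              "g": [r for r in subgid if r.user == user]}
    problems = []
    for m in maps:
        if m.count == 0:
            problems.append(f"{m}: zero-length entry; the kernel refuses a "
                            "uid_map/gid_map write that contains one")
            continue
        host_end = m.host_start + m.count
        if not any(g.start <= m.host_start and host_end <= g.end for g in grants[m.kind]):
            name = "subuid" if m.kind == "u" else "subgid"
            problems.append(f"{m}: host range [{m.host_start},{host_end}) is not "
                            f"inside any {name} block granted to {user}")
    for kind in ("u", "g"):
        same = [m for m in maps if m.kind == kind and m.count]
        for i, a in enumerate(same):
            for b in same[i + 1:]:
                if a.cont_start < b.cont_start + b.count and b.cont_start < a.cont_start + a.count:
                    problems.append(f"{a} and {b}: container-side ranges overlap")
    return problems


# Sample data constructed from the thread: the question's /etc/subuid ...
QUESTION_SUBUID = ("root:1000:65536\nuser0:100000:65536\nuser1:100001:65536\n"
                   "user2:100002:65536\nuser3:100003:65536")
# ... and the self-answer's /etc/subuid, /etc/subgid and lxc.idmap lines.
ANSWER_SUBUID = ("root:1000:1\nroot:1001:1\nroot:1002:1\nroot:1003:1\n"
                 "root:100000:65536\nlxd:100000:65536")
ANSWER_SUBGID = ("root:1000:1\nroot:1001:1\nroot:1002:1\nroot:1003:1\nroot:1004:1\n"
                 "root:100000:65536\nlxd:100000:65536")
ANSWER_IDMAP = "\n".join("lxc.idmap = " + e for e in (
    "u 0 100000 1000", "g 0 100000 1000", "u 1000 1000 1", "g 1000 1000 1",
    "u 1001 101001 0", "g 1001 101001 0", "u 1001 1001 1", "g 1001 1001 1",
    "u 1002 101002 0", "g 1002 101002 0", "u 1002 1002 1", "g 1002 1002 1",
    "u 1003 101003 0", "g 1003 101003 0", "u 1003 1003 1", "g 1003 1003 1",
    "u 1004 101004 64532", "g 1004 1004 1", "g 1005 101005 64532"))

if __name__ == "__main__":
    for a, b in find_subid_overlaps(parse_subid(QUESTION_SUBUID)):
        print(f"overlap: {a} / {b}")
    for p in check_idmaps(parse_idmap(ANSWER_IDMAP),
                          parse_subid(ANSWER_SUBUID), parse_subid(ANSWER_SUBGID)):
        print(p)
```

To check a real host, read /etc/subuid, /etc/subgid and the idmap lines from the files instead of the embedded strings; LXD's raw.idmap uses a different line syntax than lxc.idmap, so feed it the expanded lxc.idmap lines LXD generates, not the raw.idmap value itself. The zero-length entries are the ones the self-answer warns the generator can produce, and the gid line that runs past the grant is the kind of thing newgidmap would reject with the same "not allowed" message the question shows.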