[SOLVED] PVE 6, unprivileged container and uid/gid mapping

brie

New Member
May 20, 2020
It has to be something obvious, but I fail to recognize the reason for too long -- I cannot pass thru uid/gid mapping.

The setup is as follows:

PVE 6.1, single machine -- no cluster. Unprivileged container needs to access an NFS share. I mount the share on host and then bind-mount it into the container; this works like a charm. Just for completeness, this is relevant line:
/etc/pve/lxc/303.conf said:
mp0: /mnt/bind/web,mp=/web
with no extra options.

Of course, I get the uid mapping problem. Suggested solution of just chown-ing the share won't work, because the share is used by other machines -- physical and virtual (but no LXC atm) as well. So, [ug]id mapping for the container -- and this is where the problem begins.

Everything I enter into the container config and /etc/sub[ug]id results in the container hanging; it has to be killed with -9. It complains about newgidmap:
# lxc-start -F -n 303
lxc-start: 303: conf.c: lxc_map_ids: 3012 newgidmap failed to write mapping "newgidmap: write to gid_map failed: Invalid argument": newgidmap 23419 0 100000 100 100 100 1 101 100000 65434
lxc-start: 303: start.c: lxc_spawn: 1825 Failed to set up id mapping.
lxc-start: 303: start.c: lxc_abort: 1133 Function not implemented - Failed to send SIGKILL to 23419
lxc-start: 303: start.c: __lxc_start: 2080 Failed to spawn container "303"
lxc-start: 303: tools/lxc_start.c: main: 329 The container failed to start
lxc-start: 303: tools/lxc_start.c: main: 335 Additional information can be obtained by setting the --logfile and --logpriority options

What I am trying to achieve is: map CT uids 1000-65535 to 1000-65535 on host and map CT gid 100 to 100 on host. Other ids would be shifted by usual 100000.

Relevant config files sections:
/etc/pve/lxc/303.conf said:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 1000 64535
lxc.idmap: g 0 100000 100
lxc.idmap: g 100 100 1
lxc.idmap: g 101 100000 65434

/etc/subuid said:
root:100000:65536
root:1000:64536

/etc/subgid said:
root:100:1
root:100000:65536

I feel this is some kind of one-off problem, and probably something I'd be ashamed to see explained -- but I fail to recognize the reason.
 
hi,

try like this:

Code:
# /etc/pve/lxc/CTID.conf:
lxc.idmap: u 0 100000 100
lxc.idmap: g 0 100000 100
lxc.idmap: u 100 100 1
lxc.idmap: g 100 100 1
lxc.idmap: u 101 100101 65435
lxc.idmap: g 101 100101 65435

# /etc/subuid:
root:100:1

# /etc/subgid:
root:100:1
 
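As an added example (not part of this thread, nor Proxmox or LXC code), a small Python checker that applies the rules behind the failed start above: host ranges within one lxc.idmap list must not overlap (in the original gid map, container gids 0-99 and 101-65534 both start at host gid 100000, which is the write to gid_map that fails), container ranges must not overlap, and every host range must sit inside a root: line in /etc/subuid or /etc/subgid. It assumes the PVE default root:100000:65536 line is present next to the root:100:1 line the reply adds.

```python
# Added example, not Proxmox or LXC code: check lxc.idmap lines against /etc/sub[ug]id.

def parse_idmap(conf_text):
    """Return {'u': [(ct_start, host_start, count)], 'g': [...]} from lxc.idmap lines."""
    maps = {"u": [], "g": []}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("lxc.idmap:"):
            continue
        kind, ct, host, count = line.split(":", 1)[1].split()
        maps[kind].append((int(ct), int(host), int(count)))
    return maps

def parse_subid(text, user="root"):
    """Return [(start, count)] ranges granted to `user` in /etc/subuid or /etc/subgid."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges

def check_idmap(entries, granted):
    """Return problems for one id type; an empty list means the map is acceptable."""
    problems = []
    # Rule 1: host ranges within one map must not overlap (the kernel rejects the write).
    by_host = sorted(entries, key=lambda e: e[1])
    for (_, h1, n1), (_, h2, n2) in zip(by_host, by_host[1:]):
        if h2 < h1 + n1:
            problems.append(f"host range {h1}-{h1 + n1 - 1} overlaps {h2}-{h2 + n2 - 1}")
    # Rule 2: container-side ranges must not overlap either.
    by_ct = sorted(entries)
    for (c1, _, n1), (c2, _, n2) in zip(by_ct, by_ct[1:]):
        if c2 < c1 + n1:
            problems.append(f"container range {c1}-{c1 + n1 - 1} overlaps {c2}-{c2 + n2 - 1}")
    # Rule 3: newuidmap/newgidmap only write host ranges inside a sub[ug]id grant for root.
    for _, host, count in entries:
        if not any(s <= host and host + count <= s + n for s, n in granted):
            problems.append(f"host range {host}-{host + count - 1} not granted in sub[ug]id")
    return problems

def validate(conf_text, subuid_text, subgid_text):
    """Check both id types; returns {'u': [...], 'g': [...]}."""
    maps = parse_idmap(conf_text)
    return {"u": check_idmap(maps["u"], parse_subid(subuid_text)),
            "g": check_idmap(maps["g"], parse_subid(subgid_text))}

# Constructed sample: the idmap and sub[ug]id lines from the original post.
BROKEN_CONF = ("lxc.idmap: u 0 100000 1000\nlxc.idmap: u 1000 1000 64535\nlxc.idmap: g 0 100000 100\n"
               "lxc.idmap: g 100 100 1\nlxc.idmap: g 101 100000 65434\n")
SUBUID, SUBGID = "root:100000:65536\nroot:1000:64536\n", "root:100:1\nroot:100000:65536\n"
```

Running `validate(BROKEN_CONF, SUBUID, SUBGID)` reports the overlapping host gid range and nothing for the uid map, which matches newuidmap succeeding and newgidmap failing in the log above.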
Thank you -- now the container starts. And I surely feel stupid ;) Somehow I have interpreted the second number as a "shift" value, not direct mapping -- even though it was obvious from "100 100 1" lines, that I put there in the beginning. Thank you again.

For what I understand, your config maps only CT user 100 to host user 100? Anyway, I have first tried with your unmodified config, and then modified it to "my"
Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 1000 64535
and that works too. Container runs and I can see the files with their proper owners.

Well, works -- until next obstacle ;) Every write to the share (as uid 100 with your config and 1000+ with mine) results in "Disk quota exceeded". The share has quotas set, but most users are far from reaching the limits. At least I have whole new problem to think about ;)
 
glad to be of help :)

For what I understand, your config maps only CT user 100 to host user 100?
yes indeed.

you can mark the thread as [SOLVED] so others know what to expect!