Can I ask for a uid range not to be mapped in an unprivileged container?

koalillo

Active Member
Nov 1, 2018
Hi,

I'm running FreeIPA and I would like to use unprivileged containers so I can use Docker in containers.

My Proxmox host is joined to IPA, and my containers too. My FreeIPA install uses 1284000000-1284200000 for uids and gids. This breaks with:

$ cat /etc/subuid
root:100000:65536
$ cat /etc/subgid
root:100000:65536

as the FreeIPA uids/gids break that. Is there a way to ask for the FreeIPA uid/gid ranges *NOT* to be mapped? My uids/gids match between my host and my containers, so it's not really a security problem for me.

Thanks,

Álex
 
OK, solved this:

1) In /etc/pve/lxc/209.conf

Code:
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

; a noop mapping for my FreeIPA uid/gid range and the "standard one"

2)

Code:
$ cat /etc/subuid 
root:100000:65536
root:1284000000:200000

Code:
$ cat /etc/subgid
root:100000:65536
root:1284000000:200000

allow root to use the FreeIPA range for containers
 
Hi @koalillo, I think I'm trying to achieve what you've done. Just a bit confused. Did you configure the <VMID>.conf file and subuid/subgid to keep the original ranges too? i.e. 0 100000 65536?

Why not simply remove those and keep your new ranges?
 
OK. I think I'm starting to get my head around this. Just in case anyone else comes across this in the same state of confusion that I was in, here are the notes I wrote to myself:

I install FreeIPA on an unprivileged container. Unprivileged containers translate the uids and gids on the container to a different range on the host. This is useful for security because the root on the container with uid=0 is mapped to an arbitrarily high uid on the host (typically 100000) which has no special permissions on the host. So even if the container’s root user were able to escape the container, they’d only find themselves in the host with a uid of 100000 and with the permissions of a nobody user.

However, this presents two problems for FreeIPA. Firstly, in the default setup, the container is given only uids in the range 0-65536. But FreeIPA tends to assign uids much higher than that.

Secondly, the uids in the container are mapped to a different set of ids in the host, which I think causes logging into the container as a FreeIPA user to fail (maybe because the uid on the host will not match the uid of the FreeIPA server), and also might cause problems when trying to access shared resources such as files.

The default range of uid/gids that are passed to the container are defined on the host in the files: /etc/subuid and /etc/subgid in the format:
root:100000:65536

which means map the first 65536 uids on the container to the uids starting from 100000 on the host. I.e. root uid = 0 on the container is assigned to 100000 on the host and so on sequentially up to container uid 65536 being assigned to 165536 on the host.

It is not sufficient just to widen this range to include the FreeIPA range because a FreeIPA user’s uid on the container will still be translated to that uid+100000 on the host, whereas we want the FreeIPA uids to be assigned to the same number on the host.

So we need to define two ranges: one where the system IDs (e.g. root uid 0) of the container can be mapped to an arbitrary range on the host for security reasons, and another where the FreeIPA uids of the container can be mapped to the same uids on the host. That's why we have two lines in the /etc/subuid and /etc/subgid files:
Code:
root:100000:65536
root:1284000000:200000

In addition we need to map them because we don’t want the uids to be assigned sequentially like they would have been in the default configuration (e.g. container id 10 mapped to host id 100010) because then the FreeIPA ids would still be translated.
So we need to map the lower uids & gids to the arbitrary range on the host and the FreeIPA ones to the same FreeIPA range on the host in /etc/pve/lxc/209.conf

Code:
lxc.idmap = u 1284000000 1284000000 200000 
lxc.idmap = g 1284000000 1284000000 200000 
lxc.idmap = u 0 100000 65536 
lxc.idmap = g 0 100000 65536

Four values are provided on each line. First a character, either 'u', or 'g', to specify whether user or group ids are being mapped. Next is the first userid as seen in the user namespace of the container. Next is the userid as seen on the host. Finally, a range indicating the number of consecutive ids to map.

Note that we’re mapping the low IDs to an offset range in the host, but the high ids are being mapped to the same range on the host.
 
Yeah, sorry, I saw your first message but I was busy and I could not reply; the original post was misformatted and unclear. Hope you didn't waste too much time figuring it out.

In the end, I've gone back to privileged containers as Docker doesn't work so well for me under LXC, so I'm running it on VMs.
 
I am struggling with a similar problem which I posted HERE. Except my range is immediately past 65536, which is used by Synology added user groups (GID). For example:

User UID 1107
Group GID 65607


I am struggling with GID 65607. Any help would be really appreciated.
 
This has been working for me, but I am puzzled why it does.

Why the second line mapping on the host is:

root:100000:65536
root:1284000000:200000

And not:

root:100000:65536
1284000000:1284000000:200000

Similar to the mapping inside the container.
 
This last piece confuses me too. Did you ever figure this out? Wouldn’t it seem you’d want to start the host mapping at 1284000000 too and not root 0?
 
Hey. Been a while since I looked at this, but I think there might be some confusion arising from 'mapping'. IIRC the lines which you're referring to aren't mappings. They are ranges. So, in these cases, the 'root' user is allowed to impersonate a range of uids from 100000 up to 165536, and a second range from 12840000000 to 12840020000 or whatever it is (see https://man7.org/linux/man-pages/man5/subuid.5.html).

The important thing is that these are definitions of two ranges of ids. They are not mappings.

The mappings happen in the second bit lxc.idmap ..... Here you're mapping the system users onto the first range and the freeipa users onto the higher range.

With that, read my Feb 19 post again to see if it starts to make sense. TBH it's been a long time and I've no longer got a solid handle on it, so please let me know if what I've said in this post is misleading and I'll correct or delete it so as not to spread more confusion.
 
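As an added worked example (not code from this thread or from Proxmox/LXC), the following script makes the two points of the notes post and the last reply concrete: /etc/subuid and /etc/subgid lines are reservations of host id ranges that root may hand out, while lxc.idmap lines are the actual mappings, each with the four values (u/g, container start, host start, count). It parses the thread's own config (embedded inline as constructed input), translates container ids to host ids, shows which ids fall outside every mapping (the Synology GID 65607 case, as a constructed value), and flags any idmap line whose host range was never reserved in subuid/subgid, which is the situation that stops a container from starting. The 65534 overflow id is the kernel default for unmapped ids; all function names are this example's own.

```python
# Added example (not code from the thread): parse subuid/subgid reservations and
# lxc.idmap mappings, translate container ids to host ids, and check that every
# mapped host range is one root has reserved in /etc/subuid and /etc/subgid.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' for uids, 'g' for gids
    ns_start: int    # first id as seen inside the container's user namespace
    host_start: int  # id that ns_start becomes on the host
    count: int       # number of consecutive ids covered by this line


def parse_idmap(conf_text: str) -> list[IdMap]:
    """Parse 'lxc.idmap = <u|g> <ns_start> <host_start> <count>' lines of a container config."""
    maps = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("lxc.idmap"):
            continue
        kind, ns_start, host_start, count = line.split("=", 1)[1].split()
        if kind not in ("u", "g"):
            raise ValueError(f"unknown idmap kind in: {line}")
        maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def parse_subid(subid_text: str, user: str = "root") -> list[tuple[int, int]]:
    """Parse /etc/subuid or /etc/subgid ('user:start:count'); return (start, count) for `user`.
    These are reservations of host ids the user may hand out, not mappings."""
    ranges = []
    for line in subid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def to_host(container_id: int, maps: list[IdMap], kind: str = "u") -> Optional[int]:
    """Host id for a container id, or None when no idmap line covers it
    (the kernel then presents such ids as the overflow id, 65534 / nobody)."""
    for m in maps:
        if m.kind == kind and m.ns_start <= container_id < m.ns_start + m.count:
            return m.host_start + (container_id - m.ns_start)
    return None


def unreserved(maps: list[IdMap], subuid: list[tuple[int, int]],
               subgid: list[tuple[int, int]]) -> list[IdMap]:
    """Idmap lines whose host range is not fully inside one subuid/subgid reservation.
    newuidmap/newgidmap reject such a map, so the container would not start."""
    bad = []
    for m in maps:
        reserved = subuid if m.kind == "u" else subgid
        if not any(start <= m.host_start and m.host_start + m.count <= start + count
                   for start, count in reserved):
            bad.append(m)
    return bad


# Constructed inputs, copied from the configuration posted in this thread.
SAMPLE_CONF = """\
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
SAMPLE_SUBID = "root:100000:65536\nroot:1284000000:200000\n"
# The default file, before the FreeIPA range was reserved for root.
DEFAULT_SUBID = "root:100000:65536\n"


if __name__ == "__main__":
    maps = parse_idmap(SAMPLE_CONF)
    for cid in (0, 10, 65535, 65536, 1284000500, 1284200000):
        print(f"container uid {cid:>10} -> host uid {to_host(cid, maps)}")
    print("container gid 65607 (outside both ranges) ->", to_host(65607, maps, "g"))
    print("unreserved with both lines present:",
          unreserved(maps, parse_subid(SAMPLE_SUBID), parse_subid(SAMPLE_SUBID)))
    print("unreserved with the default subuid only:",
          unreserved(maps, parse_subid(DEFAULT_SUBID), parse_subid(SAMPLE_SUBID)))
```

Running it shows container uid 10 landing on host uid 100010 while 1284000500 stays 1284000500, that 65536 and 65607 are covered by no line at all (so files owned by them appear as nobody), and that with only the default root:100000:65536 reservation the FreeIPA uid mapping is flagged as unreserved, which is why the second subuid/subgid line starts with root rather than with 1284000000: it names who may use the range, not where it maps.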