Can I ask an uid range not to be mapped in an unprivileged container

Discussion in 'Proxmox VE: Installation and configuration' started by koalillo, Dec 7, 2018.

  1. koalillo

    koalillo, New Member (Joined: Nov 1, 2018; Messages: 9; Likes Received: 0)

    Hi,

    I'm running FreeIPA and I would like to use unprivileged containers so I can use Docker in containers.

    My Proxmox host is joined to IPA, and my containers too. My FreeIPA install uses 1284000000-1284200000 for uids and gids. This breaks with:

    $ cat /etc/subuid
    root:100000:65536
    $ cat /etc/subgid
    root:100000:65536

    as the FreeIPA uids/gids break that. Is there a way to ask for the FreeIPA uid/gid ranges *NOT* to be mapped? My uids/gids match between my host and my containers, so it's not really a security problem for me.

    Thanks,

    Álex
     
  2. koalillo

    OK, solved this:

    1) In /etc/pve/lxc/209.conf

    lxc.idmap = u 1284000000 1284000000 200000
    lxc.idmap = g 1284000000 1284000000 200000
    lxc.idmap = u 0 100000 65536
    lxc.idmap = g 0 100000 65536

    ; a noop mapping for my FreeIPA uid/gid range and the "standard one"

    2)

    $ cat /etc/subuid
    root:100000:65536
    root:1284000000:200000
    $ cat /etc/subgid
    root:100000:65536
    root:1284000000:200000

    allow root to use the FreeIPA range for containers
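
A consistency check for the configuration in the post above, added here as an example (not the poster's or Proxmox's code): it verifies that every `lxc.idmap` host range is covered by an entry for root in `/etc/subuid` or `/etc/subgid`, and that no two ranges of the same kind overlap. The function names, accepting both `:` and `=` as separators, and the rule that a range must fit inside a single delegated entry are assumptions.

```python
import re

# Constructed sample input, using the values posted in the thread above.
CONF = """\
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
SUBID = "root:100000:65536\nroot:1284000000:200000\n"

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(conf):
    """Return (kind, container_start, host_start, count) for each lxc.idmap line."""
    hits = (IDMAP_RE.match(line) for line in conf.splitlines())
    return [(m[1], int(m[2]), int(m[3]), int(m[4])) for m in hits if m]

def parse_subid(text, user="root"):
    """Return (start, count) ranges delegated to `user` in subuid/subgid text."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == user]

def overlaps(a, n, b, m):
    """True if [a, a+n) and [b, b+m) share at least one id."""
    return a < b + m and b < a + n

def check_idmap(conf, subuid, subgid, user="root"):
    """Return a list of problems; an empty list means the mapping is consistent."""
    problems = []
    maps = parse_idmap(conf)
    allowed = {"u": parse_subid(subuid, user), "g": parse_subid(subgid, user)}
    for i, (kind, cstart, hstart, count) in enumerate(maps):
        # Assumption: the host range must fit inside one delegated entry.
        if not any(s <= hstart and hstart + count <= s + c for s, c in allowed[kind]):
            problems.append(f"{kind} host range {hstart}+{count} not delegated to {user}")
        # Ranges of the same kind must not overlap on either side of the map.
        for k2, c2, h2, n2 in maps[i + 1:]:
            if k2 == kind and (overlaps(cstart, count, c2, n2)
                               or overlaps(hstart, count, h2, n2)):
                problems.append(f"{kind} ranges at {cstart} and {c2} overlap")
    return problems

if __name__ == "__main__":
    print(check_idmap(CONF, SUBID, SUBID) or "idmap is consistent with subuid/subgid")
```

Running it against only the default `root:100000:65536` entries reports the FreeIPA range as not delegated, which is the gap step 2 of the post closes.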
     