Can I ask a uid range not to be mapped in an unprivileged container?

Discussion in 'Proxmox VE: Installation and configuration' started by koalillo, Dec 7, 2018.

  1. koalillo, New Member
    Hi,

    I'm running FreeIPA and I would like to use unprivileged containers so I can use Docker in containers.

    My Proxmox host is joined to IPA, and my containers too. My FreeIPA install uses 1284000000-1284200000 for uids and gids. This breaks with:

    $ cat /etc/subuid
    root:100000:65536
    $ cat /etc/subgid
    root:100000:65536

    as the FreeIPA uids/gids break that. Is there a way to ask for the FreeIPA uid/gid ranges *NOT* to be mapped? My uids/gids match between my host and my containers, so it's not really a security problem for me.

    Thanks,

    Álex
     
  2. koalillo, New Member
    OK, solved this:

    1) In /etc/pve/lxc/209.conf

    Code:
    lxc.idmap = u 1284000000 1284000000 200000
    lxc.idmap = g 1284000000 1284000000 200000
    lxc.idmap = u 0 100000 65536
    lxc.idmap = g 0 100000 65536
    
    ; a no-op mapping for my FreeIPA uid/gid range and the "standard one"

    2)

    Code:
    $ cat /etc/subuid 
    root:100000:65536
    root:1284000000:200000
    
    Code:
    $ cat /etc/subgid
    root:100000:65536
    root:1284000000:200000
    
    allow root to use the FreeIPA range for containers
     
    #2 koalillo, Dec 8, 2018
    Last edited: Feb 14, 2019
  3. el_pedr0, New Member
    Hi @koalillo I think I'm trying to achieve what you've done. Just a bit confused. Did you configure the <VMID>.conf file and subuid subgid to keep the original ranges too? i.e. 0 100000 65536?

    Why not simply remove those and keep your new ranges?
     
  4. el_pedr0, New Member
    OK. I think I'm starting to get my head around this. Just in case anyone else comes across this in the same state of confusion that I was in, here are the notes I wrote to myself:

    I install FreeIPA on an unprivileged container. Unprivileged containers translate the uids and gids on the container to a different range on the host. This is useful for security because the root on the container with uid=0 is mapped to an arbitrarily high uid on the host (typically 100000) which has no special permissions on the host. So even if the container’s root user were able to escape the container, they’d only find themselves in the host with a uid of 100000 and with the permissions of a nobody user.

    However, this presents 2 problems for FreeIPA. Firstly, in the default set up, the container is given only uids in the range 0-65536. But FreeIPA tends to assign uids much higher than that.

    Secondly, the uids in the container are mapped to a different set of ids in the host, which I think causes logging into the container as a FreeIPA user to fail (maybe because the uid on the host will not match the uid of the FreeIPA server), and also might cause problems when trying to access shared resources such as files.

    The default range of uid/gids that are passed to the container are defined on the host in the files: /etc/subuid and /etc/subgid in the format:
    root:100000:65536

    which means map the first 65536 uids on the container to the uids starting from 100000 on the host. I.e. root uid = 0 on the container is assigned to 100000 on the host and so on sequentially up to container uid 65536 being assigned to 165536 on the host.

    It is not sufficient just to widen this range to include the FreeIPA range because a FreeIPA user’s uid on the container will still be translated to that uid+100000 on the host, whereas we want the FreeIPA uids to be assigned to the same number on the host.

    So we need to define two ranges: one where the system IDs (e.g. root uid 0) of the container can be mapped to an arbitrary range on the host for security reasons, and another where the FreeIPA uids of the container can be mapped to the same uids on the host. That's why we have two lines in the /etc/subuid and /etc/subgid files:
    Code:
    root:100000:65536
    root:1284000000:200000
    
    In addition we need to map them because we don’t want the uids to be assigned sequentially like they would have been in the default configuration (e.g. container id 10 mapped to host id 100010) because then the FreeIPA ids would still be translated.
    So we need to map the lower uids & gids to the arbitrary range on the host and the FreeIPA ones to the same FreeIPA range on the host in /etc/pve/lxc/209.conf

    Code:
    lxc.idmap = u 1284000000 1284000000 200000 
    lxc.idmap = g 1284000000 1284000000 200000 
    lxc.idmap = u 0 100000 65536 
    lxc.idmap = g 0 100000 65536
    
    Four values are provided on each line. First a character, either 'u', or 'g', to specify whether user or group ids are being mapped. Next is the first userid as seen in the user namespace of the container. Next is the userid as seen on the host. Finally, a range indicating the number of consecutive ids to map.

    Note that we’re mapping the low IDs to an offset range in the host, but the high ids are being mapped to the same range on the host.
     
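The mapping arithmetic from the notes above, together with the two-range configuration from post #2, as an added worked example (this is not Proxmox or LXC code, and it only operates on the configuration text posted in the thread, embedded below as constructed strings, so it reads nothing from a live system). It parses lxc.idmap lines in either the `=` form used in the thread or the `:` form Proxmox writes, translates ids in both directions, and performs the check a practitioner wants before booting the container: no two container ids may land on the same host id, no two host ids on the same container id, and every host range must be covered by root's entries in /etc/subuid and /etc/subgid, since the shadow newuidmap/newgidmap helpers refuse a mapping outside the caller's allowance, which is exactly why post #2 adds `root:1284000000:200000` to both files.

```python
"""Check LXC idmap lines against /etc/subuid and /etc/subgid and translate ids
between an unprivileged container and its host.

Added example for this thread; it is not Proxmox or LXC code. The inputs are
the configuration text posted in the thread, embedded here as strings, so
nothing is read from the running system.
"""

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str        # 'u' for uids, 'g' for gids
    ns_start: int    # first id as seen inside the container
    host_start: int  # first id as seen on the host
    count: int       # number of consecutive ids in the range

    @property
    def ns_end(self):    # exclusive
        return self.ns_start + self.count

    @property
    def host_end(self):  # exclusive
        return self.host_start + self.count


def parse_idmap(conf_text):
    """Parse 'lxc.idmap = u 0 100000 65536' or 'lxc.idmap: u 0 100000 65536'."""
    maps = []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$', line)
        if m:
            kind, ns, host, count = m.groups()
            maps.append(IdMap(kind, int(ns), int(host), int(count)))
    return maps


def parse_subid(text, user='root'):
    """Parse /etc/subuid or /etc/subgid ('user:start:count') into [start, end) pairs."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        name, start, count = line.split(':')
        if name == user:
            ranges.append((int(start), int(start) + int(count)))
    return ranges


def _overlap(a_start, a_end, b_start, b_end):
    return a_start < b_end and b_start < a_end


def check_idmap(maps, subuid_text, subgid_text, user='root'):
    """Return a list of problems; an empty list means the mapping is consistent."""
    problems = []
    allowed = {'u': parse_subid(subuid_text, user), 'g': parse_subid(subgid_text, user)}
    for kind in ('u', 'g'):
        same = [m for m in maps if m.kind == kind]
        for i, a in enumerate(same):
            for b in same[i + 1:]:
                if _overlap(a.ns_start, a.ns_end, b.ns_start, b.ns_end):
                    problems.append(f'{kind}: container ranges overlap: {a} / {b}')
                if _overlap(a.host_start, a.host_end, b.host_start, b.host_end):
                    problems.append(f'{kind}: host ranges overlap: {a} / {b}')
            # newuidmap/newgidmap reject host ranges outside the caller's sub[ug]id allowance
            if not any(s <= a.host_start and a.host_end <= e for s, e in allowed[kind]):
                fname = 'subuid' if kind == 'u' else 'subgid'
                problems.append(f'{kind}: host range {a.host_start}-{a.host_end - 1} '
                                f'not covered by {user} in /etc/{fname}')
    return problems


def ns_to_host(maps, kind, nsid):
    """Host id for a container id, or None if the container id is unmapped."""
    for m in maps:
        if m.kind == kind and m.ns_start <= nsid < m.ns_end:
            return m.host_start + (nsid - m.ns_start)
    return None


def host_to_ns(maps, kind, hostid):
    """Container id for a host id, or None if the host id is not visible inside."""
    for m in maps:
        if m.kind == kind and m.host_start <= hostid < m.host_end:
            return m.ns_start + (hostid - m.host_start)
    return None


# Constructed inputs, copied from the configuration posted in the thread.
CONF_209 = """\
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
SUBID_DEFAULT = "root:100000:65536\n"
SUBID_WITH_IPA = "root:100000:65536\nroot:1284000000:200000\n"

MAPS = parse_idmap(CONF_209)

if __name__ == '__main__':
    print('default subuid/subgid:', check_idmap(MAPS, SUBID_DEFAULT, SUBID_DEFAULT))
    print('with FreeIPA range:   ', check_idmap(MAPS, SUBID_WITH_IPA, SUBID_WITH_IPA))
    for nsid in (0, 1000, 1284000123, 70000):
        print(f'container uid {nsid} -> host uid {ns_to_host(MAPS, "u", nsid)}')
```

Run against the default single-line /etc/subuid and /etc/subgid, the checker reports the FreeIPA host ranges as not covered, which is the failure the thread hit before adding the second line to both files; with the second line present it reports nothing. The translation functions also make the note in the post concrete: container uid 0 becomes host uid 100000, container uid 1284000123 stays 1284000123, and a container uid in the gap between the two ranges (say 70000) has no host identity at all.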
  5. koalillo, New Member
    Yeah, sorry, I saw your first message but I was busy and I could not reply. The original post was misformatted and unclear; hope you didn't waste too much time figuring it out.

    In the end, I went back to privileged containers as Docker doesn't work so well for me under LXC, so I'm running it on VMs.
     