Can I ask an uid range not to be mapped in an unprivileged container

koalillo

New Member
Nov 1, 2018
Hi,

I'm running FreeIPA and I would like to use unprivileged containers so I can use Docker in containers.

My Proxmox host is joined to IPA, and my containers too. My FreeIPA install uses 1284000000-1284200000 for uids and gids. This breaks with:

$ cat /etc/subuid
root:100000:65536
$ cat /etc/subgid
root:100000:65536

as the FreeIPA uids/gids break that. Is there a way to ask for the FreeIPA uid/gid ranges *NOT* to be mapped? My uids/gids match between my host and my containers, so it's not really a security problem for me.

Thanks,

Álex
 

koalillo

New Member
Nov 1, 2018
OK, solved this:

1) In /etc/pve/lxc/209.conf

Code:
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
; a noop mapping for my FreeIPA uid/gid range and the "standard one"

2)

Code:
$ cat /etc/subuid 
root:100000:65536
root:1284000000:200000
Code:
$ cat /etc/subgid
root:100000:65536
root:1284000000:200000
allow root to use the FreeIPA range for containers

el_pedr0

New Member
Aug 5, 2016
Hi @koalillo, I think I'm trying to achieve what you've done. Just a bit confused. Did you configure the <VMID>.conf file and subuid/subgid to keep the original ranges too? i.e. 0 100000 65536?

Why not simply remove those and keep your new ranges?
 

el_pedr0

New Member
Aug 5, 2016
OK. I think I'm starting to get my head around this. Just in case anyone else comes across this in the same state of confusion that I was in, here are the notes I wrote to myself:

I install FreeIPA on an unprivileged container. Unprivileged containers translate the uids and gids on the container to a different range on the host. This is useful for security because the root on the container with uid=0 is mapped to an arbitrarily high uid on the host (typically 100000) which has no special permissions on the host. So even if the container’s root user were able to escape the container, they’d only find themselves in the host with a uid of 100000 and with the permissions of a nobody user.

However, this presents two problems for FreeIPA. Firstly, in the default setup, the container is given only uids in the range 0-65536. But FreeIPA tends to assign uids much higher than that.

Secondly, the uids in the container are mapped to a different set of ids in the host, which I think causes logging into the container as a FreeIPA user to fail (maybe because the uid on the host will not match the uid of the FreeIPA server), and also might cause problems when trying to access shared resources such as files.

The default range of uids/gids that is passed to the container is defined on the host in the files /etc/subuid and /etc/subgid, in the format:
Code:
root:100000:65536

which means map the first 65536 uids on the container to the uids starting from 100000 on the host. I.e. root uid = 0 on the container is assigned to 100000 on the host, and so on sequentially up to container uid 65536 being assigned to 165536 on the host.

It is not sufficient just to widen this range to include the FreeIPA range because a FreeIPA user’s uid on the container will still be translated to that uid+100000 on the host, whereas we want the FreeIPA uids to be assigned to the same number on the host.

So we need to define two ranges: one where the system IDs (e.g. root uid 0) of the container can be mapped to an arbitrary range on the host for security reasons, and another where the FreeIPA uids of the container can be mapped to the same uids on the host. That's why we have two lines in the /etc/subuid and /etc/subgid files:
Code:
root:100000:65536
root:1284000000:200000
In addition, we need to map them because we don't want the uids to be assigned sequentially like they would have been in the default configuration (e.g. container id 10 mapped to host id 100010), because then the FreeIPA ids would still be translated.
So we need to map the lower uids & gids to the arbitrary range on the host, and the FreeIPA ones to the same FreeIPA range on the host, in /etc/pve/lxc/209.conf:

Code:
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
Four values are provided on each line. First a character, either 'u' or 'g', to specify whether user or group ids are being mapped. Next is the first userid as seen in the user namespace of the container. Next is the userid as seen on the host. Finally, a range indicating the number of consecutive ids to map.

Note that we’re mapping the low IDs to an offset range in the host, but the high ids are being mapped to the same range on the host.
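As an added example (not code from any poster in this thread): a small Python checker that resolves container ids through the lxc.idmap lines above and verifies that each mapping's host range is actually delegated in /etc/subuid and /etc/subgid. The function names are my own, and the thread's config and subuid entries are embedded as constructed sample text.

```python
# Constructed sample input, copied from the mapping shown in this thread.
IDMAP_CONF = """\
lxc.idmap = u 1284000000 1284000000 200000
lxc.idmap = g 1284000000 1284000000 200000
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
"""
SUBUID = "root:100000:65536\nroot:1284000000:200000\n"
SUBGID = SUBUID  # the thread delegates the same ranges for gids

def parse_idmap(conf_text):
    """Collect 'lxc.idmap = <u|g> <ns_start> <host_start> <count>' lines as tuples; other lines are skipped."""
    maps = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("lxc.idmap"):
            kind, ns, host, count = line.split("=", 1)[1].split()
            maps.append((kind, int(ns), int(host), int(count)))
    return maps

def parse_subid(text, user="root"):
    """Host id ranges delegated to `user` in /etc/subuid or /etc/subgid format."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, start, count = line.split(":")
            if name == user:
                out.append(range(int(start), int(start) + int(count)))
    return out

def container_to_host(maps, kind, ns_id):
    """Host id for a container id, or None when no lxc.idmap line covers it (the id then shows up as nobody)."""
    for k, ns_start, host_start, count in maps:
        if k == kind and ns_start <= ns_id < ns_start + count:
            return host_start + (ns_id - ns_start)
    return None

def check_delegated(maps, subuid, subgid):
    """Idmap entries whose host range is not inside a subuid/subgid delegation; newuidmap/newgidmap reject these at start."""
    problems = []
    for kind, _, host_start, count in maps:
        host = range(host_start, host_start + count)
        allowed = subuid if kind == "u" else subgid
        if not any(host.start >= a.start and host.stop <= a.stop for a in allowed):
            problems.append(f"{kind} {host_start}+{count} not delegated")
    return problems
```

Note that an id in the gap between the two ranges (for example gid 65607) resolves to None, i.e. it is unmapped in the container, which is the failure mode to look for when a directory service hands out ids just above 65535.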
 

koalillo

New Member
Nov 1, 2018
Yeah, sorry, I saw your first message but I was busy and I could not reply; the original post was misformatted and unclear. Hope you didn't waste too much time figuring it out.

In the end, I've gone back to privileged containers as Docker doesn't work so well for me under LXC, so I'm running it on VMs.
 

elles

New Member
Oct 15, 2019
I am struggling with a similar problem which I posted HERE. Except my range is immediately past 65536, which is used by Synology-added user groups (GID). For example:

User UID 1107
Group GID 65607

I am struggling with GID 65607. Any help would be really appreciated.
 
