[SOLVED] Cat get any gid mapping to work

[psyko_chewbacca]

Hi,

I'm trying to map a few groups ID in unprivileged containers. As much as I try, my container will not start.
I'm trying to map group 44 on host to group 44 in a container.

Error message when trying to start the container:

explicitly configured lxc.apparmor.profile overrides the following settings: features:nesting
lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [44-45) -> [44-45) not allowed": newgidmap 220820 0 100000 44 44 44 1 45 100045 65491
lxc_spawn: 1788 Failed to set up id mapping.
__lxc_start: 2107 Failed to spawn container "304"
TASK ERROR: startup for container '304' failed

Content of file /etc/subgid (yeah I know there's more than needed here but the most important is there)

root@pve-server:~# cat /etc/subgid
root:100000:65536
root:104:1
root:108:1  # render group map
root:44:1   # video group map
root:20:1   # dialout group map
root:999:1
root:100:1
root:0:1

CT config:

arch: amd64
cores: 1
features: nesting=1
hostname: test
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.0.3,hwaddr=BC:24:11:79:B8:27,ip=192.168.1.252/23,type=veth
ostype: debian
rootfs: ssd1tb:vm-304-disk-0,size=8G
swap: 512
unprivileged: 1
lxc.apparmor.profile: unconfined
lxc.mount.auto: cgroup:rw
lxc.cgroup2.devices.allow: a
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.cgroup2.devices.allow: c 120:* rwm
lxc.cgroup2.devices.allow: c 189:* rwm
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file 0, 0
lxc.mount.entry: /dev/dri/card0 dev/dri/card0 none bind,optional,create=file 0, 0
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 65491

Finally, here's the output of pveversion

root@pve-server:~# pveversion
pve-manager/8.1.4/ec5affc9e41f1d79 (running kernel: 6.5.11-8-pve)

It would seem root is the user on host running lxc services.

I am clueless as to why I cannot get any sort of gid mapping going on.

Its as if the content of /etc/subgid wasn't taken into account.


Thanks in advance.

 

[fweber]

Content of file /etc/subgid (yeah I know there's more than needed here but the most important is there)

root@pve-server:~# cat /etc/subgid
root:100000:65536
root:104:1
root:108:1  # render group map
root:44:1   # video group map
root:20:1   # dialout group map
root:999:1
root:100:1
root:0:1

I'm not sure # comments are supported in subuid/subgid files. Can you remove them and try again?

 

[psyko_chewbacca]

I'm not sure # comments are supported in subuid/subgid files. Can you remove them and try again?

Ugh... That was it.
So simple of a fix yet I spent hours trying to make it work.
I learned a lot though so there's that!

Thank you very much.

Is there a way to mark thread as "Solved"?

 

[leesteken]

Is there a way to mark thread as "Solved"?

Edit your first post in this thread and select Solved from the pull-down menu.