[SOLVED] Converting unprivileged LXC with custom user remapping to privileged LXC

Dunuin

Hi,

I've got an unprivileged LXC where I modified the host's subuid/subgid files with "root:1100:4". The LXC's config has:
Code:
lxc.idmap: u 0 100000 1103
lxc.idmap: g 0 100000 1103
lxc.idmap: u 1103 1103 1
lxc.idmap: g 1103 1103 1
lxc.idmap: u 1104 101104 64432
lxc.idmap: g 1104 101104 64432

I needed that user/group remapping because I had to bind-mount an SMB share (owned by UID/GID 1103) from the host to the unprivileged LXC.

Now I wanted to convert that unprivileged LXC into a privileged one so I could enable the LXC's SMB feature to be able to directly mount the SMB share inside the LXC. The LXC is only locally available, so security isn't that big of a concern and I would prefer a privileged LXC. It also makes it easier to move the LXC between my PVE nodes (so I don't have to edit the host's subuid/subgid files each time I want to migrate it).

Problem is now that I don't know how to do it.
As far as I understand, the way to go would be to back up that unprivileged LXC and restore it as a privileged LXC. I can only back it up while the subuid/subgid files are modified and the LXC's config file is modified with "lxc.idmap", because otherwise the LXC won't be able to start. But when I then back up that unprivileged LXC and restore it as privileged, that LXC can't be started because subuid/subgid/LXC config file are still set up to use the modified user remapping. I can then revert the subuid/subgid files to default and remove the "lxc.idmap" lines from the LXC's config file. Then the privileged LXC will start, but when logging into the console from the webUI (ssh won't work anymore) I see that all UIDs/GIDs are wrong. Everything owned previously by UID 0 is now owned by UID 100000 and so on. So it looks like I would need to chown all files/folders from all UID/GID 100000-165535 to 0-65535. Is PVE supposed to do that when restoring an unprivileged LXC as privileged?

If not, is there a script/command that I can use to chown all UIDs/GIDs to n-100000?

Edit:
Made this script to change all UID/GIDs to n-100000:
Code:
#!/bin/bash

# mount the LXC's filesystem on the PVE host, change the following to its mountpoint:
lxcmountpoint="/VMpool/VLT/VM/subvol-126-disk-0/"

# will take some time (hours to months), as it steps 131.070 times through all files/folders
for olduid in {100000..165535}
do
   newuid=$((olduid-100000))
   # change UID - 100000 (-h: act on symlinks themselves, -c: report each change)
   chown --from="$olduid" -Rhc "$newuid" "$lxcmountpoint"
   # change GID - 100000
   chown --from=":$olduid" -Rhc ":$newuid" "$lxcmountpoint"
   echo "Progress: $olduid/165535"
done
It's now running... will see in a couple of hours if the LXC still works.

Edit:
Doesn't work. After changing all UIDs/GIDs to n-100000 the LXC will start but I can't login anymore:
 
Error when trying to restore the unprivileged LXC as privileged to a host with non-edited subuids/subgids:
Code:
recovering backed-up configuration from 'PBS_Manual_MainNAS:backup/ct/126/2022-12-26T16:38:18Z'
restoring 'PBS_Manual_MainNAS:backup/ct/126/2022-12-26T16:38:18Z' now..
lxc 20230105025426.556 ERROR    conf - ../src/lxc/conf.c:lxc_map_ids:3672 - newuidmap failed to write mapping "newuidmap: uid range [1103-1104) -> [1103-1104) not allowed": newuidmap 1391883 0 100000 1103 1103 1103 1 1104 101104 64432
Failed to write id mapping for child process
lxc 20230105025426.558 ERROR    utils - ../src/lxc/utils.c:lxc_drop_groups:1366 - Operation not permitted - Failed to drop supplimentary groups
lxc 20230105025426.558 ERROR    utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1341 - Invalid argument - Failed to switch to gid 0
TASK ERROR: unable to restore CT 999 - command 'lxc-usernsexec -m u:0:100000:1103 -m g:0:100000:1103 -m u:1103:1103:1 -m g:1103:1103:1 -m u:1104:101104:64432 -m g:1104:101104:64432 -- /usr/bin/proxmox-backup-client restore '--crypt-mode=none' ct/126/2022-12-26T16:38:18Z root.pxar /var/lib/lxc/999/rootfs --allow-existing-dirs --repository backup@pbs!BackupPU@192.168.49.8:PBS_DS1 --ns MainCluster/Manual' failed: exit code 1

No error when restoring it as privileged with "/etc/subuid" and "/etc/subgid" containing "root:1103:1":
Code:
recovering backed-up configuration from 'PBS_Manual_MainNAS:backup/ct/126/2022-12-26T16:38:18Z'
restoring 'PBS_Manual_MainNAS:backup/ct/126/2022-12-26T16:38:18Z' now..
Detected container architecture: amd64
merging backed-up and given configuration..
TASK OK
But when removing the "root:1103:1" from subuid/subgid and removing the "lxc.idmap" entries from the LXC's config file before doing the first start of the LXC, it will start but with wrong UIDs:
Code:
ls -la /
total 262
drwxr-xr-x   21 100000 100000  22 Jan  5 04:08 .
drwxr-xr-x   21 100000 100000  22 Jan  5 04:08 ..
-rw-------    1 100000 100000  47 Jan  1  1970 .pxarexclude-cli
drwxr-xr-x    2 100000 100000 115 Dec 18 06:51 bin
drwxr-xr-x    2 100000 100000   2 Nov 22  2020 boot
drwxr-xr-x    7 root   root   500 Jan  5 04:08 dev
drwxr-xr-x   90 100000 100000 177 Jan  5 04:08 etc
drwxr-xr-x    3 100000 100000   3 Jul 13  2021 home
drwxr-xr-x   11 100000 100000  12 Nov  5  2021 lib
drwxr-xr-x    2 100000 100000   3 Oct 25 22:36 lib64
drwxr-xr-x    2 100000 100000   2 Dec 11  2020 media
drwxr-xr-x    3 100000 100000   3 Jul 13  2021 mnt
drwxr-xr-x    2 100000 100000   2 Dec 11  2020 opt
dr-xr-xr-x 1027 root   root     0 Jan  5 04:08 proc
drwx------    6 100000 100000  11 Jul 13  2021 root
drwxr-xr-x    9 root   root   320 Jan  5 04:09 run
drwxr-xr-x    2 100000 100000 105 Oct 25 22:36 sbin
drwxr-xr-x    2 100000 100000   2 Dec 11  2020 srv
dr-xr-xr-x   13 root   root     0 Jan  5 04:08 sys
drwxrwxrwt    3 root   root     3 Jan  5 04:08 tmp
drwxr-xr-x   11 100000 100000  11 Nov  5  2021 usr
drwxr-xr-x   11 100000 100000  13 Dec 11  2020 var

# ls -la /home/ydl
total 96
drwxr-xr-x 5 101003 ydl       9 Jul 13  2021 .
drwxr-xr-x 3 100000 100000    3 Jul 13  2021 ..
-rw------- 1 101003 ydl    1384 May  9  2022 .bash_history
-rw-r--r-- 1 101003 ydl     220 Jul 13  2021 .bash_logout
-rw-r--r-- 1 101003 ydl    3526 Jul 13  2021 .bashrc
drwxr-xr-x 4 101003 ydl       4 Jul 13  2021 .cache
drwxr-xr-x 6 101003 ydl       6 Jul 13  2021 .local
-rw-r--r-- 1 101003 ydl     807 Jul 13  2021 .profile
drwxr-xr-x 4 101003 ydl      10 May  9  2022 scripts

When restoring it as unprivileged with lxc.idmap and subuid/subgid in the config files:
Code:
# ls -la /
total 262
drwxr-xr-x   21 root   root     22 Jan  5 04:15 .
drwxr-xr-x   21 root   root     22 Jan  5 04:15 ..
-rw-------    1 root   root     47 Jan  1  1970 .pxarexclude-cli
drwxr-xr-x    2 root   root    115 Dec 18 06:51 bin
drwxr-xr-x    2 root   root      2 Nov 22  2020 boot
drwxr-xr-x    6 root   root    480 Jan  5 04:15 dev
drwxr-xr-x   90 root   root    177 Jan  5 04:15 etc
drwxr-xr-x    3 root   root      3 Jul 13  2021 home
drwxr-xr-x   11 root   root     12 Nov  5  2021 lib
drwxr-xr-x    2 root   root      3 Oct 25 22:36 lib64
drwxr-xr-x    2 root   root      2 Dec 11  2020 media
drwxr-xr-x    3 root   root      3 Jul 13  2021 mnt
drwxr-xr-x    2 root   root      2 Dec 11  2020 opt
dr-xr-xr-x 1070 nobody nogroup   0 Jan  5 04:15 proc
drwx------    6 root   root     11 Jul 13  2021 root
drwxr-xr-x   13 root   root    420 Jan  5 04:15 run
drwxr-xr-x    2 root   root    105 Oct 25 22:36 sbin
drwxr-xr-x    2 root   root      2 Dec 11  2020 srv
dr-xr-xr-x   13 nobody nogroup   0 Jan  5 04:15 sys
drwxrwxrwt    8 root   root      8 Jan  5 04:15 tmp
drwxr-xr-x   11 root   root     11 Nov  5  2021 usr
drwxr-xr-x   11 root   root     13 Dec 11  2020 var

# ls -la /home/ydl
total 96
drwxr-xr-x 5 ydl  ydl     9 Jul 13  2021 .
drwxr-xr-x 3 root root    3 Jul 13  2021 ..
-rw------- 1 ydl  ydl  1384 May  9  2022 .bash_history
-rw-r--r-- 1 ydl  ydl   220 Jul 13  2021 .bash_logout
-rw-r--r-- 1 ydl  ydl  3526 Jul 13  2021 .bashrc
drwxr-xr-x 4 ydl  ydl     4 Jul 13  2021 .cache
drwxr-xr-x 6 ydl  ydl     6 Jul 13  2021 .local
-rw-r--r-- 1 ydl  ydl   807 Jul 13  2021 .profile
drwxr-xr-x 4 ydl  ydl    10 May  9  2022 scripts
 
Still couldn't solve this. But I really need to switch that LXC from unprivileged to privileged because it needs access to an SMB share. Right now, with the unprivileged LXC, I mount the SMB share on the PVE host when the PVE host boots up and then bind-mount it into the unprivileged LXC. But now I need to move my bare metal NAS to a VM on the same PVE server, so the PVE host couldn't mount the SMB share on boot as the NAS VM wouldn't be running then. So I really need a privileged LXC to be able to mount that SMB share inside the LXC when starting the LXC after the NAS VM has been started too.

Would be great if someone has already converted an unprivileged LXC with custom user remapping to a privileged LXC and could share some tips on how to do that.
 
backup
restore into a new ID for testing
pct mount that ID
fixup the owners of all files/dirs in the mountpoint so they look like they would for a privileged container
pct unmount
remove idmap and unprivileged flag from config, start/backup/restore/..

IIRC that should work
 
So, what I did:
1.) backup the unprivileged LXC with VMID 126 to PBS
2.) restore it from PBS as unprivileged LXC with VMID 10000
3.) removed the bind-mount from the LXC
4.) mount it with:
Code:
root@Enterprise:~# pct mount 10000
mounted CT 10000 in '/var/lib/lxc/10000/rootfs'
There it looks like expected:
Code:
root@Enterprise:~# ls -la /var/lib/lxc/10000/rootfs
total 183
drwxr-xr-x 21 100000 100000  22 Apr 30 06:01 .
drwxr-xr-x  3 root   root     3 May  2 17:05 ..
drwxr-xr-x  2 100000 100000 115 Apr 30 02:19 bin
drwxr-xr-x  2 100000 100000   2 Nov 22  2020 boot
drwxr-xr-x  2 100000 100000   2 Dec 10  2008 dev
drwxr-xr-x 90 100000 100000 177 Apr 30 06:01 etc
drwxr-xr-x  3 100000 100000   3 Jul 13  2021 home
drwxr-xr-x 11 100000 100000  12 Nov  5  2021 lib
drwxr-xr-x  2 100000 100000   3 Apr 30 02:19 lib64
drwxr-xr-x  2 100000 100000   2 Dec 11  2020 media
drwxr-xr-x  3 100000 100000   3 Jul 13  2021 mnt
drwxr-xr-x  2 100000 100000   2 Dec 11  2020 opt
drwxr-xr-x  2 100000 100000   2 Nov 22  2020 proc
-rw-------  1 100000 100000  47 Jan  1  1970 .pxarexclude-cli
drwx------  6 100000 100000  11 Jul 13  2021 root
drwxr-xr-x  3 100000 100000   4 Dec 11  2020 run
drwxr-xr-x  2 100000 100000 105 Apr 30 02:19 sbin
drwxr-xr-x  2 100000 100000   2 Dec 11  2020 srv
drwxr-xr-x  2 100000 100000   2 Nov 22  2020 sys
drwxrwxrwt  2 100000 100000   2 Apr 30 15:54 tmp
drwxr-xr-x 11 100000 100000  11 Nov  5  2021 usr
drwxr-xr-x 11 100000 100000  13 Dec 11  2020 var

5.) Then I used this to change the UIDs/GIDs from 100000-165535 to 0-65535:
Bash:
#!/bin/bash
lxcmntpnt="/var/lib/lxc/10000/rootfs"

# -print0 / read -d '' handle names with spaces and newlines; -r stops read from
# mangling backslashes in names (e.g. systemd's "\x2d" escapes), IFS= keeps whitespace.
find "${lxcmntpnt}" -print0 | while IFS= read -r -d '' path
do
    if [[ "${path}" == ${lxcmntpnt}* ]]; then
        uid=$(stat -c %u "${path}")
        gid=$(stat -c %g "${path}")
        if [ "${uid}" -ge 100000 ]; then
            # -h: change the symlink itself, not its target
            chown -h "$((uid-100000))" "${path}"
            echo "Changed UID from '${uid}' to '$((uid-100000))' for file '${path}'" >> /tmp/unpriv2privlxc.log
        fi
        if [ "${gid}" -ge 100000 ]; then
            chown -h ":$((gid-100000))" "${path}"
            echo "Changed GID from '${gid}' to '$((gid-100000))' for file '${path}'" >> /tmp/unpriv2privlxc.log
        fi
    else
        echo "Bad path: '${path}'"
    fi
done
This ran and changed every file/folder/symlink inside "/var/lib/lxc/10000/rootfs" except for one file where a "\" is in the filename, so I manually chowned it:
Code:
root@Enterprise:/media# /root/scripts/unpriv2privlxc_2.sh
stat: cannot statx '/var/lib/lxc/10000/rootfs/lib/systemd/system/system-systemdx2dcryptsetup.slice': No such file or directory
stat: cannot statx '/var/lib/lxc/10000/rootfs/lib/systemd/system/system-systemdx2dcryptsetup.slice': No such file or directory
/root/scripts/unpriv2privlxc_2.sh: line 9: [: : integer expression expected
/root/scripts/unpriv2privlxc_2.sh: line 13: [: : integer expression expected

root@Enterprise:/media# chown 0:0 '/var/lib/lxc/10000/rootfs//lib/systemd/system/system-systemd\x2dcryptsetup.slice'

root@Enterprise:/media# ls -la /var/lib/lxc/10000/rootfs/lib/systemd/system/ | grep setup.slice
-rw-r--r--  1 root root  442 Feb  2  2021 system-systemd\x2dcryptsetup.slice

6.) Then I unmounted the LXC: pct unmount 10000
7.) Edited the LXC config file with nano /etc/pve/lxc/10000.conf, removed the lines...
Code:
lxc.idmap: u 0 100000 1103
lxc.idmap: g 0 100000 1103
lxc.idmap: u 1103 1103 1
lxc.idmap: g 1103 1103 1
lxc.idmap: u 1104 101104 64432
lxc.idmap: g 1104 101104 64432
...and changed the line unprivileged: 1 to unprivileged: 0.
8.) started the LXC
Looks like this time it is working.
9.) backed up the privileged LXC with VMID 10000 to PBS
10.) destroyed the unprivileged LXC with VMID 126
11.) restored VMID 10000 from PBS as privileged LXC using VMID 126
 
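As an added example (not code from this thread or from Proxmox), here is a Python version of step 5 that derives the shift from the container's lxc.idmap lines instead of hard-coding n-100000, so it generalizes to any mapping: it keeps the 1103 -> 1103 identity range as-is, leaves owners that fall outside every range untouched, and re-owns symlinks themselves rather than their targets. The idmap text is copied from the config quoted above; the rootfs path you pass to shift_rootfs (the pct mount path) and the apply flag are assumptions.

```python
import os
import re

# Constructed sample: the six lxc.idmap lines from the container config quoted in this thread.
IDMAP_TEXT = """\
lxc.idmap: u 0 100000 1103
lxc.idmap: g 0 100000 1103
lxc.idmap: u 1103 1103 1
lxc.idmap: g 1103 1103 1
lxc.idmap: u 1104 101104 64432
lxc.idmap: g 1104 101104 64432
"""
IDMAP_RE = re.compile(r"^\s*lxc\.idmap:\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(text):
    """Return (kind, container_start, host_start, count) tuples, one per lxc.idmap line."""
    maps = []
    for line in text.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, ct, host, n = m.groups()
            maps.append((kind, int(ct), int(host), int(n)))
    return maps

def host_to_container(maps, kind, host_id):
    """Invert the idmap: id stored on the host disk -> id the container saw (None if unmapped)."""
    for k, ct, host, n in maps:
        if k == kind and host <= host_id < host + n:
            return ct + (host_id - host)
    return None

def shift_rootfs(root, maps, apply=False):
    """Walk a `pct mount`ed rootfs (symlinks not followed) and return the list of
    (path, old_uid, old_gid, new_uid, new_gid) that need re-owning; chown only if apply."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    plan = []
    for p in paths:
        st = os.lstat(p)  # lstat + lchown: re-own the link itself, never its target
        nu = host_to_container(maps, "u", st.st_uid)
        ng = host_to_container(maps, "g", st.st_gid)
        nu = st.st_uid if nu is None else nu  # ids outside every range stay as they are
        ng = st.st_gid if ng is None else ng
        if (nu, ng) != (st.st_uid, st.st_gid):
            plan.append((p, st.st_uid, st.st_gid, nu, ng))
            if apply:
                os.lchown(p, nu, ng)
    return plan
```

Run it once with apply=False on the mounted rootfs and review the returned plan (as root on the PVE host) before running it again with apply=True; the 101003-owned /home/ydl files from the listing above would be planned as 101003 -> 1003.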

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!