How do I map multiple uids and gids to unprivileged LXC containers?

Feb 22, 2022
Hello!

I am new to Proxmox and I cannot understand the mapping wiki found here
Additionally I tried using the LXC ID Mapper tool and I was getting errors such as that XX ID is already mapped.

I am trying to map the following

[PROXMOX HOST]
/etc/groups
Code:
marios:x:1000:
video:x:44:root
render:x:104:root
/etc/passwd
Code:
marios:x:1000:1000::/home/marios:/bin/sh

[LXC Container]
/etc/groups
Code:
render:x:993:
video:x:44:
marios:x:1000:

/etc/passwd
Code:
marios:x:1000:1000::/home/marios:/bin/sh

The tool generates the following:
1. Add to /etc/pve/lxc/%id%.conf:
Code:
lxc.idmap: u 0 100000 44
lxc.idmap: g 0 100000 44
lxc.idmap: u 44 44 1
lxc.idmap: g 44 44 1
lxc.idmap: u 45 100045 60
lxc.idmap: g 45 100045 60
lxc.idmap: u 104 993 1
lxc.idmap: g 104 993 1
lxc.idmap: u 105 100105 896
lxc.idmap: g 105 100105 896
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535

2. Add to /etc/subuid:
Code:
root:44:1
root:993:1
root:1000:1

3. Add to /etc/subgid:
Code:
root:44:1
root:993:1
root:1000:1


After adding those entries, I get the following error:
Code:
lxc.idmap: invalid map entry 'u 104 993 1': container uid 104 is also mapped by entry 'u 45 100045 60'
lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: uid range [44-45) -> [44-45) not allowed": newuidmap 135252 0 100000 44 44 44 1 45 100045 60 104 993 1 105 100105 896 1000 1000 1 1001 101001 64535
lxc_spawn: 1795 Failed to set up id mapping.
__lxc_start: 2114 Failed to spawn container "210"
TASK ERROR: startup for container '210' failed

Can someone explain to me how I can map the user and the groups I mention above, and give me examples?


EDIT:
I believe I figured it out. Here's what I have added and how I have understood it:

First I had to define my needs: my goal was to add 1 user (marios) and 2 groups (video, render).
The abbreviations used in an entry are u for user and g for group.

lxc.idmap: u 0 100000 1000 => Map the user range from 0 to 1000 and throw them out (yes that's how I understand it)
lxc.idmap: u 1000 1000 1 => Map and pick the user with id 1000[HOST]:1000[LXC]
lxc.idmap: u 1001 101001 64535 => Throw the rest of the users after 1001, the number 64535 is determined by 65536 - 1001 = 64535
lxc.idmap: g 0 100000 44 => Map the group range from 0 to 44 and throw them out
lxc.idmap: g 44 44 1 => Map and pick the group with id 44[HOST]:44[LXC]
lxc.idmap: g 45 100045 59 => Map the group range from 45 to 45+59=104 and throw them out
lxc.idmap: g 104 993 1 => Map and pick the group with id 104[HOST]:993[LXC]
lxc.idmap: g 105 100105 895 => Map the group range from 105 to 105+895 =1000 and throw them out
lxc.idmap: g 1000 1000 1 => Map and pick the group with id 1000[HOST]:1000[LXC]
lxc.idmap: g 1001 101001 64535 => Throw the rest of the groups after 1001

Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 59
lxc.idmap: g 104 993 1
lxc.idmap: g 105 100105 895
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64535

Concerns:
Here are my subuid and subgid files

/etc/subuid
Code:
root:100000:65536
marios:165536:65536
root:1000:1

/etc/subgid
Code:
root:100000:65536
root:44:1
root:104:1
root:993:1
root:1000:1

Concern 1:
Shouldn't I be using explicit entries such as marios:1000:1 since I have created the same profile on my host machine?


At the end of the wiki page, it says:
As a final step, remember to change the owner of the bind mount point directory on the host, to match the uid and gid that were made accessible to the container:

chown -R 1005:1005 /mnt/bindmounts/shared
And now I cannot understand that.
I want to share my graphics card /dev/renderD128 which belongs to root:render

[PROXMOX HOST]
ls -la /dev/dri/renderD128
Code:
crw-rw---- 1 root render 226, 128 Aug 17 13:26 /dev/dri/renderD128

So I believe I shouldn't be changing that.
However, on LXC I see it belongs to nobody:nogroup

[LXC]

ls -la /dev/dri/renderD128
Code:
crw-rw---- 1 nobody nogroup 226, 128 Aug 17 10:26 /dev/dri/renderD128

If I go back to the host machine, and I do:
Code:
chown -R root:render /dev/dri/renderD128

Then I see on the LXC Container that it belongs to root:render

Concern 2:
Is that a safe practice?
Is there any other alternative without changing ownership of files/folders/etc?
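As an added example (not code from the post or from Proxmox), here is a small Python checker that applies the two rules the errors above come from: every container id must be mapped by exactly one entry (LXC's "is also mapped" error), and every host range must lie inside a range that /etc/subuid or /etc/subgid grants to root (newuidmap's "not allowed" error). It also reports where a given host uid/gid lands inside the CT, which is what decides whether a passed-through device node shows a named owner or nobody/nogroup; the field order it assumes is the one documented in lxc.container.conf (type, first container id, first host id, count), and the sample inputs are constructed from the files shown in the post.

```python
# Added example, not code from the forum post or from Proxmox: a checker for
# CT idmap entries. Per lxc.container.conf an entry reads: type, first
# container id, first host id, count (e.g. "g 104 993 1" = CT gid 104 -> host gid 993).
CONTAINER_IDS = 65536  # an unprivileged CT must map container ids 0..65535 exactly once

def parse_idmap(conf):
    """Yield (type, container_id, host_id, count) from 'lxc.idmap: ...' lines."""
    for line in conf.splitlines():
        if line.strip().startswith("lxc.idmap:"):
            kind, cid, hid, count = line.split(":", 1)[1].split()
            yield kind, int(cid), int(hid), int(count)

def parse_sub(text, owner="root"):
    """Host ranges [start, end) that an /etc/subuid or /etc/subgid file grants to owner."""
    rows = [line.strip().split(":") for line in text.splitlines()]
    return [(int(r[1]), int(r[1]) + int(r[2])) for r in rows if len(r) == 3 and r[0] == owner]

def check_idmap(conf, subuid, subgid):
    """Return the problems for which LXC or newuidmap/newgidmap would reject the map."""
    problems = []
    for kind, sub in (("u", subuid), ("g", subgid)):
        allowed, owner = parse_sub(sub), {}  # owner: container id -> entry that maps it
        for _, cid, hid, count in (e for e in parse_idmap(conf) if e[0] == kind):
            entry = f"{kind} {cid} {hid} {count}"
            clash = next((i for i in range(cid, cid + count) if i in owner), None)
            if clash is not None:  # LXC: "container uid X is also mapped by entry ..."
                problems.append(f"{entry}: container id {clash} is also mapped by '{owner[clash]}'")
            for i in range(cid, cid + count):
                owner.setdefault(i, entry)
            if not any(lo <= hid and hid + count <= hi for lo, hi in allowed):
                # newuidmap/newgidmap: host range must lie inside one range granted to root
                problems.append(f"{entry}: host range [{hid}-{hid + count}) not in sub{kind}id")
        if set(owner) != set(range(CONTAINER_IDS)):
            problems.append(f"{kind}: container ids do not cover 0..{CONTAINER_IDS - 1} exactly")
    return problems

def host_to_container(conf, kind, host_id):
    """Container id a host uid/gid appears as, or None (shown as nobody/nogroup in the CT)."""
    for k, cid, hid, count in parse_idmap(conf):
        if k == kind and hid <= host_id < hid + count:
            return cid + (host_id - hid)
    return None

# Constructed input: the tool output from the post (u and g lines are identical) and the
# poster's /etc/subuid and /etc/subgid.
TOOL_CONF = "\n".join(f"lxc.idmap: {k} {c} {h} {n}" for k in "ug" for c, h, n in
    [(0, 100000, 44), (44, 44, 1), (45, 100045, 60), (104, 993, 1),
     (105, 100105, 896), (1000, 1000, 1), (1001, 101001, 64535)])
SUBUID = "root:100000:65536\nmarios:165536:65536\nroot:1000:1\n"
SUBGID = "root:100000:65536\nroot:44:1\nroot:104:1\nroot:993:1\nroot:1000:1\n"
```

Running check_idmap on TOOL_CONF reproduces both errors from the post (the 45+60 range already covers container id 104, and host uid 44 is not in /etc/subuid), while the corrected map from the EDIT passes cleanly against the same subuid/subgid files.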
Is your goal to make UID 1000, GID 1000, and GID 44 accessible in the container, while mapping GID 104 on the host to GID 993 in the container? If so, here’s how you can proceed:

Shouldn't I be using explicit entries such as marios:1000:1 since I have created the same profile on my host machine?
The subordinate UID should be assigned to root, which is the user creating the container.

/etc/subgid
Code:
root:100000:65536
root:44:1
root:104:1
root:993:1
root:1000:1
/etc/subgid should be:
Code:
root:100000:65536
root:44:1
root:104:1
root:1000:1

Also if you would like to pass a device like /dev/dri/renderD128 through to a container, you can add it via the Web UI.
Select the container -> Resources -> Add -> Device Passthrough.