How to handle unprivileged containers and large UIDs/GIDs?

[Judge]

Hi everyone,

I am facing the issue that our central authentication service (FreeIPA) is using quite large UIDs/GIDs (the range is 1546400000 - 1546600000) and unprivileged containers seem to not be able to deal with this. To make this work, it seems like there are two things necessary to change manually for each Proxmox Host and, what's even more inconvenient, for each container after their creation:

1. On the Host:
   Align /etc/subgid and /etc/subuid to generally allow the ranges on that host.
2. Per Container:
   Add the lxc.idmap values to the container's config file after the container has been created (e.g. /etc/pve/lxc/109.conf).

I am aware of https://pve.proxmox.com/wiki/Unprivileged_LXC_containers and https://forum.proxmox.com/threads/c...be-mapped-in-an-unprivileged-container.49544/ ; but that "only" lead me to the following manual (but working) configuration combination:

On the Proxmox-Host, I changed /etc/subgid and /etc/subuid to both contain this:

root:100000:65536
root:1546400000:200000

The Container config I changed to contain this:

...
ostype: debian
...
unprivileged: 1
lxc.idmap: u 1546400000 1546400000 200000
lxc.idmap: g 1546400000 1546400000 200000
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536

Before my changes, I could not even login by SSH using one of those high IDs:

Jul 14 15:16:38 idtestlxc sshd[332]: debug1: restore_uid: 0/0
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: temporarily_use_uid: 65534/65534 (e=0/0)
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: matching key found: RSA SHA256:P+Wm...
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 14 15:16:38 idtestlxc sshd[332]: Accepted key RSA SHA256:P+Wm... found at /usr/bin/sss_ssh_authorizedkeys:1
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: restore_uid: 0/0
Jul 14 15:16:38 idtestlxc sshd[332]: Postponed publickey for m.richter from 2a02:... port 57073 ssh2 [preauth]
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: userauth-request for user m.richter service ssh-connection method publickey [preauth]
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: attempt 2 failures 0 [preauth]
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: temporarily_use_uid: 65534/65534 (e=0/0)
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: restore_uid: 0/0
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: temporarily_use_uid: 65534/65534 (e=0/0)
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: matching key found: RSA SHA256:P+Wm...
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 14 15:16:38 idtestlxc sshd[332]: Accepted key RSA SHA256:P+Wm... found at /usr/bin/sss_ssh_authorizedkeys:1
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: restore_uid: 0/0
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: auth_activate_options: setting new authentication options
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: do_pam_account: called
Jul 14 15:16:38 idtestlxc sshd[332]: Accepted publickey for m.richter from 2a02:... port 57073 ssh2: RSA SHA256:P+Wm...
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: monitor_child_preauth: m.richter has been authenticated by privileged process
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: auth_activate_options: setting new authentication options [preauth]
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: monitor_read_log: child log fd closed
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: temporarily_use_uid: 1546500000/1546500000 (e=0/0)
Jul 14 15:16:38 idtestlxc sshd[332]: fatal: initgroups: m.richter: Invalid argument
Jul 14 15:16:38 idtestlxc sshd[332]: debug1: do_cleanup

After those changes, it works without issues:

Jul 14 16:27:39 idtestlxc sshd[263]: debug1: restore_uid: 0/0
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: temporarily_use_uid: 65534/65534 (e=0/0)
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: matching key found: RSA SHA256:P+Wm...
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: /usr/bin/sss_ssh_authorizedkeys:1: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 14 16:27:39 idtestlxc sshd[263]: Accepted key RSA SHA256:P+Wm... found at /usr/bin/sss_ssh_authorizedkeys:1
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: restore_uid: 0/0
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: auth_activate_options: setting new authentication options
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: do_pam_account: called
Jul 14 16:27:39 idtestlxc sshd[263]: Accepted publickey for m.richter from 2a02:... port 62995 ssh2: RSA SHA256:P+Wm...
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: monitor_child_preauth: m.richter has been authenticated by privileged process
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: auth_activate_options: setting new authentication options [preauth]
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: monitor_read_log: child log fd closed
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: temporarily_use_uid: 1546500000/1546500000 (e=0/0)
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: restore_uid: 0/0
Jul 14 16:27:39 idtestlxc sshd[263]: debug1: PAM: establishing credentials
Jul 14 16:27:39 idtestlxc sshd[263]: pam_unix(sshd:session): session opened for user m.richter by (uid=0)
Jul 14 16:27:39 idtestlxc sshd[263]: User child is on pid 273
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: SELinux support disabled
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: PAM: establishing credentials
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: permanently_set_uid: 1546500000/1546500000
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: rekey after 134217728 blocks
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: rekey after 134217728 blocks
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: ssh_packet_set_postauth: called
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: active: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: Entering interactive session for SSH2.
...
Jul 14 16:27:39 idtestlxc sshd[273]: debug1: Allocating pty.
...
Jul 14 16:27:39 idtestlxc sshd[273]: Starting session: shell on pts/2 for m.richter from 2a02:... port 62995 id 0
...

So: Generally, I am aware what to do to make this work. But it is a very weird and blocking workflow to create containers first using all of our scripting and deployment stuff, just to stop and do those changes on a shell on the Proxmox-Host after logging in by SSH and continue the deployments only after that ...

Isn't there a better way? My expectation was to just have to increase these values in /etc/subgid and /etc/subuid or similar per Proxmox-Host or be able to set a default for unprivileged containers and be able to use it again "as usual", after that.

Thanks for reading! Looking forward to your suggestions

 

[Gardouille]

Hi !

Did you figure out a solution ?

Cause yeah… it's quite painful to edit lxc config files one by one ^^

I tried to add lxc.idmap content to /usr/share/lxc/config files without any success so far.

 

[Judge]

When you see the amount of replies this has received, you can imagine how much help I received on this so far...
I currently ended up with doing these changes manually, unfortunately.

 

[Gardouille]

ok… testing a small workaround

I mostly (only so far in fact…) use "old" LXC template solution, based on one of the template provided by Proxmox, eg. debian-11-standard_11.0-1_amd64.tar.gz (from http://download.proxmox.com/images/system/).
And i have the same problem: Need to modify /etc/pve/lxc/CT_ID.conf file for each new LXC container.

But… if i use the "new" LXC template solution (it's not very well documented for LXC, but it's quite similar to KVM Templates and Clones − https://pve.proxmox.com/pve-docs/pve-admin-guide.html#qm_copy_and_clone) :

1. Create a new LXC container and update configuration to fit my needs (lxc.idmap, start at boot,…).
2. Turn this LXC container to a template (right click -> "Convert to template"). You can't revert this action !
3. Create a new LXC container by cloning the template (link or full).
4. The new LXC container will inherit LXC configuration from the template (lxc.idmap, nesting,…) !
5. The cloning wizard is minimalist, i need to manually edit MAC address, CPU, RAM,… if i need something different from the template.

And voila !
Ok, it's not perfect. An "Advanced" box in the wizard to directly update CPU, RAM,… would be very welcome

Need deeper tests but it looks promising.

 

[JaySee]

At least for the MAC address, it seems you can simply remove the one specified in the template and a new one will be generated when you clone it. So the line reads something like this:

net0: name=eth0,bridge=vmbr1,ip=dhcp,type=veth

 

[vtex]

I suppose you can also modify the default id ranges in FreeIPA to be less than 65536.

Something to think about when installing FreeIPA server for the first time. After the fact, it is a PITA.