[SOLVED] How to use UIDs/GIDs higher than 65535 in CT (LXC)

tuxillo

Renowned Member
Mar 2, 2010
57
6
73
Hi all,

I have an application that requires to use uid/gids starting from 70000 (http://vmm.localdomain.org/) but that seems to be not possible if you use unprivileged CTs.
Is there any way of doing this?

Thanks,
Antonio Huete
 
Yeah, I did and either I'm doing something wrong or it doesn't work because the CT then crashes on startup. I can provide an example if needed.
 
oguz, see below:

Code:
# cat /etc/pve/lxc/103.conf
arch: amd64
cores: 2
hostname: mail1.localhost
idmap: g 1005 1005 1
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=22:91:92:32:7C:41,ip=dhcp,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-103-disk-0,size=50G
swap: 2048
unprivileged: 0
lxc.idmap = u 65537 165537 34000
lxc.idmap = g 65537 165537 34000

# cat /etc/subuid
root:100000:80000

# cat /etc/subgid
root:100000:80000

The execution:

Code:
# lxc-start -n 103 -F -l DEBUG -o /tmp/lxc-103.log
lxc-start: 103: conf.c: run_buffer: 352 Script exited with status 2
lxc-start: 103: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start for container "103"
lxc-start: 103: start.c: __lxc_start: 2032 Failed to initialize container "103"
Segmentation fault

The debug log:

Code:
lxc-start 103 20200302161906.832 INFO     confile - confile.c:set_config_idmaps:2003 - Read uid map: type u nsid 65537 hostid 165537 range 34000
lxc-start 103 20200302161906.832 INFO     confile - confile.c:set_config_idmaps:2003 - Read uid map: type g nsid 65537 hostid 165537 range 34000
lxc-start 103 20200302161906.833 INFO     lsm - lsm/lsm.c:lsm_init:50 - LSM security driver AppArmor
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "reject_force_umount  # comment this to allow umount -f;  not recommended"
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for reject_force_umount action 0(kill)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for reject_force_umount action 0(kill)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for reject_force_umount action 0(kill)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:do_resolve_add_rule:535 - Set seccomp rule to reject force umounts
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for reject_force_umount action 0(kill)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "[all]"
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "kexec_load errno 1"
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for kexec_load action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for kexec_load action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for kexec_load action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for kexec_load action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "open_by_handle_at errno 1"
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for open_by_handle_at action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for open_by_handle_at action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for open_by_handle_at action 327681(errno)
lxc-start 103 20200302161906.833 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for open_by_handle_at action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "init_module errno 1"
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for init_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for init_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for init_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for init_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "finit_module errno 1"
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for finit_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for finit_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for finit_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for finit_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "delete_module errno 1"
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for delete_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for delete_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for delete_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for delete_module action 327681(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:789 - Processing "keyctl errno 38"
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:975 - Added native rule for arch 0 for keyctl action 327718(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:984 - Added compat rule for arch 1073741827 for keyctl action 327718(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:994 - Added compat rule for arch 1073741886 for keyctl action 327718(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:1004 - Added native rule for arch -1073741762 for keyctl action 327718(errno)
lxc-start 103 20200302161906.834 INFO     seccomp - seccomp.c:parse_config_v2:1008 - Merging compat seccomp contexts into main context
lxc-start 103 20200302161906.834 INFO     conf - conf.c:run_script_argv:372 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "103", config section "lxc"
lxc-start 103 20200302161907.650 DEBUG    conf - conf.c:run_buffer:340 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 103 lxc pre-start produced output: vm 103 - unable to parse value of 'idmap' - unknown setting 'idmap'

lxc-start 103 20200302161907.679 DEBUG    conf - conf.c:run_buffer:340 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 103 lxc pre-start produced output: unable to detect OS distribution

lxc-start 103 20200302161907.691 ERROR    conf - conf.c:run_buffer:352 - Script exited with status 2
lxc-start 103 20200302161907.691 ERROR    start - start.c:lxc_init:897 - Failed to run lxc.hook.pre-start for container "103"
lxc-start 103 20200302161907.691 ERROR    start - start.c:__lxc_start:2032 - Failed to initialize container "103"
 
I've removed the following line from 103.conf

Code:
idmap: g 1005 1005 1

Now in the log file I just get the start failure and not the idmap thing. Also dmesg:

Code:
[370691.726072] lxc-start[3021]: segfault at 50 ip 00007f66035aef8b sp 00007ffea8e81520 error 4 in liblxc.so.1.6.0[7f6603555000+8a000]
[370691.726078] Code: 9b c0 ff ff 4d 85 ff 0f 85 82 02 00 00 66 90 48 8b 73 50 48 8b bb f8 00 00 00 e8 80 78 fa ff 4c 8b 74 24 10 48 89 de 4c 89 f7 <41> ff 56 50 4c 89 f7 48 89 de 41 ff 56 58 48 8b 83 f8 00 00 00 8b
[371008.605984] lxc-start[10813]: segfault at 50 ip 00007f72da6cef8b sp 00007ffc5b4ebca0 error 4 in liblxc.so.1.6.0[7f72da675000+8a000]
[371008.605990] Code: 9b c0 ff ff 4d 85 ff 0f 85 82 02 00 00 66 90 48 8b 73 50 48 8b bb f8 00 00 00 e8 80 78 fa ff 4c 8b 74 24 10 48 89 de 4c 89 f7 <41> ff 56 50 4c 89 f7 48 89 de 41 ff 56 58 48 8b 83 f8 00 00 00 8b
 
A bit more info (not sure how useful it will be):

Code:
(gdb) r -n 103 -F -l DEBUG -o /tmp/lxc-103.log
Starting program: /usr/bin/lxc-start -n 103 -F -l DEBUG -o /tmp/lxc-103.log
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[Detaching after fork from child process 63188]
[Detaching after fork from child process 63190]
lxc-start: 103: conf.c: run_buffer: 352 Script exited with status 2
lxc-start: 103: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start for container "103"
lxc-start: 103: start.c: __lxc_start: 2032 Failed to initialize container "103"

Program received signal SIGSEGV, Segmentation fault.
0x00007ff1dbe16f8b in lxc_fini () from /lib/x86_64-linux-gnu/liblxc.so.1
(gdb) bt
#0  0x00007ff1dbe16f8b in lxc_fini () from /lib/x86_64-linux-gnu/liblxc.so.1
#1  0x00007ff1dbe17ac8 in __lxc_start () from /lib/x86_64-linux-gnu/liblxc.so.1
#2  0x00007ff1dbe19007 in lxc_start () from /lib/x86_64-linux-gnu/liblxc.so.1
#3  0x00007ff1dbe0042f in ?? () from /lib/x86_64-linux-gnu/liblxc.so.1
#4  0x00007ff1dbe00c21 in ?? () from /lib/x86_64-linux-gnu/liblxc.so.1
#5  0x00005569c34044ec in main ()


Not sure where /lib/x86_64-linux-gnu/liblxc.so.1 comes from since dpkg -S says can't find it. I don't know how to get it with debugging symbols.

Let me know if you need more info.
 
i see unprivileged: 0 in your container config.

so this container is privileged.

however it should be unprivileged.

unfortunately you cannot simply edit the file to change this.

make a backup of your container. while restoring it make sure the unprivileged box is checked, so that it restores unprivileged.

hope this helps
 
It was set to unprivileged: 0 because I've been playing around with it. Anyways, I have created a new CT with the following configuration:

Code:
arch: amd64
cores: 1
hostname: test01
memory: 512
net0: name=eth0,bridge=vmbr0,firewall=1,hwaddr=5E:AB:8F:91:FC:02,ip=dhcp,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-104-disk-0,size=8G
swap: 512
unprivileged: 1

Then I've added:

Code:
lxc.idmap: u 65537 165537 34000
lxc.idmap: g 65537 165537 34000

Same result, it crashes the same way on startup.
 
Hi again,

Having upgraded to pve 6.2, the configuration specified in previous posts fails with a different message but at least does not crash as it did before, there must have been some fix for that I guess.

After some investigation and trying to understand better how the mapping works, I did this:

/etc/pve/lxc/103.conf:

"Starting from the uid 0 (in the container), map to the uids 100000-171000 (in the host). Starting from the gid 0 (in the container), map to the gids 100000-171000 (in the host)."

Code:
lxc.idmap: u 0 100000 71000
lxc.idmap: g 0 100000 71000



/etc/subuid:

"Allow UIDs from 100000 to 180000 in the host"

Code:
root:100000:80000

/etc/subgid:

"Allow GIDs from 100000 to 180000 in the host"

Code:
root:100000:80000

If any of the quoted interpretations of the id mapping above is incorrect, please let me know.

i can now create users UIDs/GIDs in the specified range and use them. Note that before when doing the su - , I got a "invalid argument" error.

Code:
root@debian:~# id testuser
uid=70000(testuser) gid=70000(testuser) groups=70000(testuser)
root@debian:~# su - testuser
$ id
uid=70000(testuser) gid=70000(testuser) groups=70000(testuser)
 
Should I send a change to the wiki to clarify the case where you want to go beyond 65536 UIDs/GIDs?
 
not sure if this is a common use-case. why do you need to many uids mapped? if it's a reasonable solution to a common issue, then by all means we can add it to the wiki
 
yes it seems like an edge case, so it's probably not needed in the wiki.

anyone searching for it will find this thread now though, that's probably enough for a case like this :)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!