idmap of roots

earthian

Hello,

I can't find anywhere how to idmap root in the host with root in a container. I do not have other users at the moment. Root's uid and gid are 0, and all examples expect some number, which makes it confusing.

Can somebody help?

Regards

Here is what I have:

/etc/pve/lxc/101.conf:
Code:
arch: amd64
cores: 1
hostname: ssl
memory: 256
mp0: /mnt/certs,mp=/mnt/certs
nameserver: 1.1.1.1
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.0.254,hwaddr=...
onboot: 1
ostype: debian
rootfs: node2-hdd-data-pool:vm-101-disk-0,size=2G
swap: 64
unprivileged: 1
lxc.idmap: u 0 100000 0
lxc.idmap: g 0 100000 0
lxc.idmap: u 0 0 1
lxc.idmap: g 0 0 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536

Code:
==> /etc/subgid <==
root:100000:65536

Code:
==> /etc/subuid <==
root:100000:65536


Here is the error I am getting:

Code:
lxc_map_ids: 2816 newuidmap failed to write mapping "newuidmap: uid range [0-0) -> [100000-100000) not allowed": newuidmap 5546 0 100000 0 0 0 1 0 100000 65536
lxc_spawn: 1683 Failed to set up id mapping.
__lxc_start: 1950 Failed to spawn container "101"
startup for container '101' failed
 
hi,

how to idmap root in the host with root in a container
why do you want this? this makes it completely unnecessary to have id mapping, because if you map root to root then you might as well just use a privileged container?
 
It is for generation and sharing of SSL certificates (keys need to be 600 permission and root in CT as well as 600 and root in another container, host, server where the storage is used).

Doing it with a user would require a lot of work, with many containers and servers to change. Maybe that container could be privileged then, but then how do you convert a container to privileged? I have now:

Code:
command: ls -la /

total 84
drwxr-xr-x  22 100000 100000  4096 2021-03-01 13:04 .
drwxr-xr-x  22 100000 100000  4096 2021-03-01 13:04 ..
drwxr-xr-x   2 100000 100000  4096 2020-11-05 14:51 bin
drwxr-xr-x   2 100000 100000  4096 2019-05-13 boot
drwxr-xr-x   6 root   root     480 2021-03-01 13:04 dev
drwxr-xr-x  74 100000 100000  4096 2021-03-01 13:04 etc
drwxr-xr-x   2 100000 100000  4096 2019-05-13 home
drwxr-xr-x  11 100000 100000  4096 2020-06-25 lib
drwxr-xr-x   2 100000 100000  4096 2020-11-05 14:48 lib64
drwx------   2 root   root   16384 2020-11-03 15:26 lost+found
drwxr-xr-x   2 100000 100000  4096 2019-07-08 media
drwxr-xr-x   3 100000 100000  4096 2020-11-05 14:56 mnt
drwxr-xr-x   2 100000 100000  4096 2019-07-08 opt
dr-xr-xr-x 619 root   root       0 2021-03-01 13:04 proc
drwx------   7 100000 100000  4096 2020-11-05 14:57 root
drwxr-xr-x   8 root   root     280 2021-03-01 13:05 run
drwxr-xr-x   2 100000 100000  4096 2020-11-05 14:51 sbin
drwxr-xr-x   2 100000 100000  4096 2019-07-08 srv
dr-xr-xr-x  13 root   root       0 2021-03-01 13:04 sys
drwxrwxrwt   2 root   root    4096 2021-03-01 13:04 tmp
drwxr-xr-x  11 100000 100000  4096 2020-11-05 14:49 usr
drwxr-xr-x  11 100000 100000  4096 2019-07-08 var
 
how do you convert a container to privileged then?

1. stop the CT: pct stop CTID
2. edit the configuration file, remove the lines
Code:
lxc.idmap: u 0 100000 0
lxc.idmap: g 0 100000 0
lxc.idmap: u 0 0 1
lxc.idmap: g 0 0 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
(do not touch unprivileged option and do not manually change the value!)

3. check if the container starts normally, if yes then shutdown again to make a backup
4. make a backup of the container (you can do in the GUI)
5. restore backup, while restoring uncheck the 'unprivileged' box

this should restore the container as privileged
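
Added example (not part of the original thread and not Proxmox code): a small checker that parses the `lxc.idmap` lines from the 101.conf posted above and reports the two defects visible in it, an empty range (the `[0-0)` in the newuidmap error) and container ID 0 being mapped twice. The function names are hypothetical and the sample text is constructed from the posted config.

```python
import re
from itertools import combinations

# Constructed sample: the lxc.idmap lines from the 101.conf posted in this thread.
SAMPLE_CONF = """\
unprivileged: 1
lxc.idmap: u 0 100000 0
lxc.idmap: g 0 100000 0
lxc.idmap: u 0 0 1
lxc.idmap: g 0 0 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
"""

# Format: lxc.idmap: <u|g> <first container ID> <first host ID> <count>
IDMAP_RE = re.compile(r"^lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_idmap(conf_text):
    """Return {'u': [...], 'g': [...]} of (container_start, host_start, count)."""
    maps = {"u": [], "g": []}
    for line in conf_text.splitlines():
        m = IDMAP_RE.match(line.strip())
        if m:
            maps[m.group(1)].append(tuple(int(x) for x in m.group(2, 3, 4)))
    return maps


def overlaps(a_start, a_count, b_start, b_count):
    """True if half-open ranges [a, a+count) and [b, b+count) intersect."""
    return a_start < b_start + b_count and b_start < a_start + a_count


def check_idmap(conf_text):
    """List problems that make an ID map unusable: empty or overlapping ranges."""
    problems = []
    for kind, entries in parse_idmap(conf_text).items():
        for ct, host, count in entries:
            if count == 0:
                problems.append(f"{kind} {ct} {host} {count}: empty range (count is 0)")
        live = [e for e in entries if e[2] > 0]
        # Ranges on different lines may not overlap on either side of the map.
        for a, b in combinations(live, 2):
            if overlaps(a[0], a[2], b[0], b[2]):
                problems.append(f"{kind}: container IDs of {a} and {b} overlap")
            if overlaps(a[1], a[2], b[1], b[2]):
                problems.append(f"{kind}: host IDs of {a} and {b} overlap")
    return problems


if __name__ == "__main__":
    print("\n".join(check_idmap(SAMPLE_CONF)))
```

The checker only covers range shape; whether the host-side IDs are delegated in /etc/subuid and /etc/subgid is a separate check it does not perform.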
 