[SOLVED] LXC ID Mapping issue

Sidiox

Jan 5, 2018
First off let me say I'm quite new to Proxmox and LXC, so my apologies if I've made particularly noobish mistakes.

I've been trying to set up an LXC container with a folder from the host mounted. In order to do this I needed some LXC ID mapping so I'd get the proper permissions inside of the folder.
I followed https://pve.proxmox.com/wiki/Unprivileged_LXC_containers#Using_local_directory_bind_mount_points as well as several other posts over the internet.
No matter how I did the mapping I kept getting "invalid idmapping" when doing lxc-start.

Now, I decided to check /var/lib/lxc/110/config and noticed two things.
My changes to the /etc/pve/lxc/#.conf file only got propagated to the /var/lib/lxc/#/config if I started the container through the webgui. This might be by design, I don't know.

But more notably, the conflict seemed to stem from the already present lxc.idmap in the /var/lib/lxc config file. Now, from what I understand Proxmox maps by default to the 100000 range, which is what those lines did.
However, since my mapping was different and conflicted with the ones already present, the container failed to launch.

Once I commented out the conflicting lines in the /var/lib/lxc config file the container launched. (I still don't have my ID mapping working how I want it, but that is an ACL issue that I haven't resolved yet)
However, the commented out lines keep resetting themselves, so I reckon this is not the proper solution.

I've googled a bit but found no one with a similar issue, so maybe this is a bug that was recently introduced? Or maybe I'm just doing something wrong.

The exact error:
Code:
lxc-start: 110: conf.c: lxc_map_ids: 2736 newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 13964 0 100000 65536 0 100000 1000 1000 1004 1 1001 101001 63535
lxc-start: 110: start.c: lxc_spawn: 1276 Failed to set up id mapping.

The /var/lib config (with the commented out conflicting lines)
Code:
lxc.arch = amd64
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.monitor.unshare = 1
#lxc.idmap = u 0 100000 65536
#lxc.idmap = g 0 100000 65536
lxc.tty.max = 2
lxc.environment = TERM=linux
lxc.uts.name = emby
lxc.cgroup.memory.limit_in_bytes = 2147483648
lxc.cgroup.memory.memsw.limit_in_bytes = 2684354560
lxc.cgroup.cpu.shares = 1024
lxc.rootfs.path = /var/lib/lxc/110/rootfs
lxc.net.0.type = veth
lxc.net.0.veth.pair = veth110i0
lxc.net.0.hwaddr = EA:2B:CC:7D:A1:AB
lxc.net.0.name = eth0
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1004 1
lxc.id_map = g 1000 1004 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
lxc.cgroup.cpuset.cpus = 0,2-3

And for completeness' sake, my pveversion -v output
Code:
proxmox-ve: 5.1-38 (running kernel: 4.13.13-5-pve)
pve-manager: 5.1-43 (running version: 5.1-43/bdb08029)
pve-kernel-4.13.13-4-pve: 4.13.13-35
pve-kernel-4.13.13-2-pve: 4.13.13-33
pve-kernel-4.13.13-5-pve: 4.13.13-38
pve-kernel-4.13.13-3-pve: 4.13.13-34
libpve-http-server-perl: 2.0-8
lvm2: 2.02.168-pve6
corosync: 2.4.2-pve3
libqb0: 1.0.1-1
pve-cluster: 5.0-19
qemu-server: 5.0-20
pve-firmware: 2.0-3
libpve-common-perl: 5.0-25
libpve-guest-common-perl: 2.0-14
libpve-access-control: 5.0-7
libpve-storage-perl: 5.0-17
pve-libspice-server1: 0.12.8-3
vncterm: 1.5-3
pve-docs: 5.1-16
pve-qemu-kvm: 2.9.1-6
pve-container: 2.0-18
pve-firewall: 3.0-5
pve-ha-manager: 2.0-4
ksm-control-daemon: 1.2-2
glusterfs-client: 3.8.8-1
lxc-pve: 2.1.1-2
lxcfs: 2.0.8-1
criu: 2.11.1-1~bpo90
novnc-pve: 0.6-4
smartmontools: 6.5+svn4324-1
zfsutils-linux: 0.7.4-pve2~bpo9
 
> My changes to the /etc/pve/lxc/#.conf file only got propagated to the /var/lib/lxc/#/config if I started the container through the webgui. This might be by design, I don't know.
PVE assumes that /var/lib/lxc/$vmid is left untouched. Starting/restarting via the API/CLI/GUI will rewrite the config. You can, however, write (most) lxc config keys into /etc/pve/lxc/*.conf, including `lxc.idmap` lines.
 
> PVE assumes that /var/lib/lxc/$vmid is left untouched. Starting/restarting via the API/CLI/GUI will rewrite the config. You can, however, write (most) lxc config keys into /etc/pve/lxc/*.conf, including `lxc.idmap` lines.
That makes sense yes. However, then I am stuck with those conflicting Proxmox lxc.idmap lines that conflict with my own lxc.id_map lines in the /etc/pve config file. Is there any difference between using lxc.idmap and lxc.id_map?
 
Okay, I've found the solution I think.

The key problem lies in the fact that lxc.idmap and lxc.id_map are not the same.
When specifying lxc.id_map in the /etc/pve config file, the lxc.idmap stays present in the /var/lib config file, with merely the lxc.id_map lines appended.
Both syntaxes work, but conflict.
The solution simply is to use lxc.idmap in the /etc/pve config file as well. This makes it so that the Proxmox default lines in the /var/lib/lxc config file get removed and only the intended lines remain. Quite a silly bug I'd say.
 
lxc renamed `id_map` to `idmap`; the former is supported by lxc for backward compatibility. PVE should translate id_map to idmap, but it may get confused in some situations, apparently.
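
Added example, not part of the thread and not Proxmox or LXC code: a small Python check that treats `lxc.idmap` and `lxc.id_map` as the same key and reports overlapping ranges, the condition under which the uid_map write in the error above is rejected with "Invalid argument". The two sample configs are constructed from the lines posted in the thread; the function names are illustrative.

```python
import re
from itertools import combinations

# Both spellings set the same LXC key ('id_map' is the legacy name).
# '=' is used in /var/lib/lxc/<id>/config, ':' in /etc/pve/lxc/<id>.conf.
IDMAP_RE = re.compile(r"^\s*lxc\.id_?map\s*[=:]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmaps(config_text):
    """Return (kind, container_start, host_start, count, lineno) per active line."""
    entries = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = IDMAP_RE.match(line)  # lines commented out with '#' do not match
        if m:
            kind, c, h, n = m.group(1), *map(int, m.group(2, 3, 4))
            entries.append((kind, c, h, n, lineno))
    return entries

def _overlap(start_a, len_a, start_b, len_b):
    return start_a < start_b + len_b and start_b < start_a + len_a

def find_conflicts(config_text):
    """Same-kind mapping pairs whose container-side or host-side ranges overlap."""
    conflicts = []
    for a, b in combinations(parse_idmaps(config_text), 2):
        if a[0] != b[0]:
            continue  # uid and gid maps are independent
        sides = []
        if _overlap(a[1], a[3], b[1], b[3]):
            sides.append("container")
        if _overlap(a[2], a[3], b[2], b[3]):
            sides.append("host")
        if sides:
            conflicts.append((a[0], a[4], b[4], tuple(sides)))
    return conflicts

# Constructed sample: the custom mapping from the thread, one entry per u/g pair.
CUSTOM = [(0, 100000, 1000), (1000, 1004, 1), (1001, 101001, 64535)]

def render(key):
    return "".join(f"{key} = {k} {c} {h} {n}\n" for c, h, n in CUSTOM for k in "ug")

# Default PVE lines left in place plus legacy-spelled custom lines (the failing case).
MIXED = "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n" + render("lxc.id_map")
# Custom lines spelled lxc.idmap, default lines no longer active (the working case).
FIXED = "#lxc.idmap = u 0 100000 65536\n#lxc.idmap = g 0 100000 65536\n" + render("lxc.idmap")

if __name__ == "__main__":
    for kind, first, second, sides in find_conflicts(MIXED):
        print(f"{kind}: line {first} overlaps line {second} on {', '.join(sides)} side")
    print("conflicts after fix:", find_conflicts(FIXED))
```

Running it against a copy of `/var/lib/lxc/<id>/config` before `lxc-start` shows which pair of lines triggers the failure.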
 
