[SOLVED] lxc increase uid range in unprivileged container

jochen.korge

Hi, I'm currently struggling to get a domain-joined Samba fileserver up and running with lxc.

The issue seems to be the ID mapping. The container won't recognize IDs above 65534 (while the Samba mapping is set to 1M-2M).

/etc/pve/lxc/102.conf
Code:
arch: amd64
cores: 8
features: nesting=1
hostname: sambatest
memory: 8096
mp0: /datapool/testpool1,mp=/srv/,acl=1,backup=1,mountoptions=nodev;noexec;nosuid,replicate=0
net0: name=eth0,bridge=vmbr10,firewall=1,...
ostype: debian
rootfs: production_vms:subvol-102-disk-0,size=8G
swap: 8096
unprivileged: 1
lxc.idmap: u 0 100000 100000 #100k
lxc.idmap: g 0 100000 100000
lxc.idmap: u 1000000 1000000 1000000 #1m
lxc.idmap: g 1000000 1000000 1000000
so I do expect that Container-IDs
0<=x<=100k get mapped on 100k+x
1m<=y<=2m get mapped on y (Host and Container are Domain-Joined, so I should use the same IDs)

/etc/subuid and subgid on PVE Host
Code:
root:100000:2000000
otheruser1:165536:65536
otheruser2:231072:65536
otheruser3:296608:65536
Tests with otherusers in the 2m+ range weren't successful either.

Starting the container in debug mode outputs:
Code:
lxc-start 102 20230117132017.935 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2267 - Read uid map: type u nsid 0 hostid 100000 range 100000
lxc-start 102 20230117132017.935 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2267 - Read uid map: type g nsid 0 hostid 100000 range 100000
lxc-start 102 20230117132017.935 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2267 - Read uid map: type u nsid 1000000 hostid 1000000 range 1000000
lxc-start 102 20230117132017.935 INFO     confile - ../src/lxc/confile.c:set_config_idmaps:2267 - Read uid map: type g nsid 1000000 hostid 1000000 range 1000000

In container:
Bash:
root@sambatest:~# chown 10000 /srv/test
root@sambatest:~# ls -l /srv/test 
-rw-r--r-- 1 10000 root 0 Jan 16 13:44 /srv/test
root@sambatest:~# chown 100000 /srv/test
chown: changing ownership of '/srv/test': Invalid argument
root@sambatest:~# ls -l /srv/test 
-rw-r--r-- 1 10000 root 0 Jan 16 13:44 /srv/test
root@sambatest:~#

What am I missing?
 
Hi,
> so I do expect that Container-IDs
> 0<=x<=100k get mapped on 100k+x
> 1m<=y<=2m get mapped on y (Host and Container are Domain-Joined, so I should use the same IDs)
I think this is not quite right; the range seems to be exclusive (so it should rather be 0<=x<100k and 1m<=y<2m). According to man lxc.container.conf, lxc.idmap: u 0 100000 100000 says that 100000 container uids starting at 0 should be mapped to host uids starting at 100000. Hence the last container uid to be mapped is 99999, not 100000. This would also explain the "Invalid argument" error you're seeing. chown 99999 should work. Does this help?
 
Oh, now I feel pretty stupid!
IDs from 0-99.999 and IDs from 1.000.000-1.999.999 are acceptable, IDs from 100.000-999.999 are prohibited.
So it worked for quite some time but I didn't test via cifs but chown...
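
The half-open range behaviour worked out in this thread, as an added example that is not part of any post: a Python check that parses the lxc.idmap lines, maps a container ID to its host ID (or reports it unmapped), and confirms the host ranges are delegated in /etc/subuid. The function names are hypothetical, and the sample config and subuid lines are copied from the thread and embedded as constructed input.

```python
import re

# Constructed sample: the lxc.idmap lines from the container config in this thread.
CONF = """\
lxc.idmap: u 0 100000 100000 #100k
lxc.idmap: g 0 100000 100000
lxc.idmap: u 1000000 1000000 1000000 #1m
lxc.idmap: g 1000000 1000000 1000000
"""
# Constructed sample: root's entry from the host's /etc/subuid in this thread.
SUBUID = "root:100000:2000000\n"

IDMAP_RE = re.compile(r"lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)$")

def parse_idmap(conf, kind):
    """Return (nsid, hostid, count) tuples for kind 'u' or 'g'."""
    maps = []
    for raw in conf.splitlines():
        m = IDMAP_RE.match(raw.split("#", 1)[0].strip())
        if m and m.group(1) == kind:
            maps.append(tuple(int(x) for x in m.groups()[1:]))
    return maps

def to_host(cid, maps):
    """Map a container ID to its host ID, or None if it is unmapped."""
    for nsid, hostid, count in maps:
        if nsid <= cid < nsid + count:  # half-open: nsid + count is NOT mapped
            return hostid + (cid - nsid)
    return None

def undelegated(maps, subid_text, user):
    """Host ranges [start, end) used by maps but not granted to user."""
    allowed = []
    for entry in subid_text.split():
        name, start, count = entry.split(":")
        if name == user:
            allowed.append((int(start), int(start) + int(count)))
    return [(h, h + c) for _, h, c in maps
            if not any(lo <= h and h + c <= hi for lo, hi in allowed)]

if __name__ == "__main__":
    uid_maps = parse_idmap(CONF, "u")
    for cid in (10000, 99999, 100000, 999999, 1000000, 1999999, 2000000):
        host = to_host(cid, uid_maps)
        print(cid, "->", host if host is not None else "unmapped (chown: Invalid argument)")
    print("ranges missing from /etc/subuid:", undelegated(uid_maps, SUBUID, "root"))
```
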
 
