LXC Unpriviledged container newuidmap not allowed

[Angelone]

Hi all,
I'm running an unpriviledged container that has two users defined: root (uid=0) and docker (uid=1000).
I need to share an NFS folder between the proxmox host and the guest container so I would like to map the proxmox user user2 with uid 1005 in the docker container user with uid 1000.

I've followed the suggestion in this Guide and this is my configuration:

/etc/pve/lxc/101.conf

...
lxc.idmap = u 1005 1000 1
lxc.idmap = g 1006 1000 1

/etc/subuid

root:100000:65536
user1:165536:65536
user2:1005:1

/etc/subgid

root:100000:65536
user1:165536:65536
user2:1006:1

user2 on the proxmox host has uid=1005 and gid=1006

When i try to start the container I got the following error:

lxc-start: 101: ../src/lxc/conf.c: lxc_map_ids: 3672 newuidmap failed to write mapping "newuidmap: uid range [1005-1006) -> [1000-1001) not allowed": newuidmap 3934449 1005 1000 1

Can anyone help me to solve this issue?
Many thanks

 

[fweber]

Hi,

/etc/pve/lxc/101.conf

...
lxc.idmap = u 1005 1000 1
lxc.idmap = g 1006 1000 1

I think the syntax is lxc.idmap = <u/g> <first uid in container> <first uid on host> <number of uids>. So if you want to map uid 1000 in the container to 1005 on the host, it should rather be lxc.idmap = u 1000 1005 1.
Note that you also need to provide a mapping for e.g. uid 0 in the container, and that /etc/subuid and /etc/subgid need to allow root (rather than user2) to impersonate uid 1005 and gid 1006, as the LXC process is started as root. See here and here for some more details.