map uid from debian to LXC

xokia

Apr 8, 2023
I have a drive that I mount in proxmox
/etc/fstab
/dev/disk/by-partuuid/blah-blah /mnt/pool0 ext4 defaults 0 2

Then I also create a mount point in LXC
mp0: /mnt/pool0,mp=pool0

I have a uid that's different under Debian vs the LXC.
Let's say I have a user joe with uid=1000 gid=1000 under Debian.

joe under LXC has uid=998 and gid=998.

How do I map the Debian UID and GID to the LXC?
I tried to follow the wiki
https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

I came up with
/etc/pve/lxc/100.conf
lxc.idmap = u 1000 998 1
lxc.idmap = g 1000 998 1


/etc/subuid
root:1000:1

then /etc/subgid:
root:1000:1

What did I do wrong here?
 
You need to map all 65536 users and groups, not just the one you want to change. Try something like:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 998 1
lxc.idmap: u 1001 101001 64535
And similar for g. Please double check that I'm not off by one.
 
root@HOME-SERVER:~# lxc-start -F -n 100
lxc-start: 100: ../src/lxc/conf.c: lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [998-999) not allowed": newuidmap 30717 0 100000 1000 1000 998 1 1001 101001 64535
lxc-start: 100: ../src/lxc/start.c: lxc_spawn: 1788 Failed to set up id mapping.
lxc-start: 100: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "100"
lxc-start: 100: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 100: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options


Maybe I messed up here: it is 999, not 998, so this is what I ended up with:
lxc.idmap= u 0 100000 999
lxc.idmap= u 999 1000 1
lxc.idmap= u 1000 101000 64536
lxc.idmap= g 0 100000 999
lxc.idmap= g 999 1000 1
lxc.idmap= g 1000 101000 64536

1000 is the Debian uid and 999 is the equivalent LXC uid.
Do I have the mapping backwards? It is not clear to me if it should be
lxc.idmap= u 999 1000 1
or
lxc.idmap= u 1000 999 1
 
Try
root:998:1
root:100000:65536
for /etc/subuid and /etc/subgid.
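
Added example (not from the thread, LXC or Proxmox): a small Python model of the two checks the replies above describe, namely that the map covers container ids 0-65535 contiguously and that every host range is delegated to root in /etc/subuid. It reads each line as `lxc.idmap: u <container start> <host start> <count>`, the order the newuidmap error in the log prints; the function names are hypothetical and the `SUBUID_*` contents are constructed samples.

```python
# Added example: models the checks discussed here; not LXC, shadow-utils or Proxmox code.
def parse_idmap(conf, kind):
    """(container_start, host_start, count) for each 'lxc.idmap: <kind> ...' line."""
    maps = []
    for line in conf.splitlines():
        key, _, val = line.partition(":")
        f = val.split()
        if key.strip() == "lxc.idmap" and len(f) == 4 and f[0] == kind:
            maps.append((int(f[1]), int(f[2]), int(f[3])))
    return sorted(maps)

def parse_subid(text, owner="root"):
    """(start, count) ranges delegated to owner in /etc/subuid or /etc/subgid."""
    rows = [l.split(":") for l in text.splitlines()]
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == owner]

def host_allowed(start, count, ranges):
    """True if host ids [start, start+count) lie inside the delegated ranges."""
    end = start + count
    while start < end:
        nxt = max((s + c for s, c in ranges if s <= start < s + c), default=None)
        if nxt is None:
            return False
        start = nxt
    return True

def check(conf, subid, kind="u", size=65536):
    """Return a list of problems; an empty list means the map is consistent."""
    ranges, problems, expected = parse_subid(subid), [], 0
    for cstart, hstart, count in parse_idmap(conf, kind):
        if cstart != expected:
            problems.append(f"container ids not contiguous at {cstart} (expected {expected})")
        expected = cstart + count
        if not host_allowed(hstart, count, ranges):
            problems.append(f"{kind}id range [{cstart}-{cstart + count}) -> "
                            f"[{hstart}-{hstart + count}) not allowed")
    if expected != size:
        problems.append(f"map ends at container id {expected}, expected {size}")
    return problems

# Mapping taken from the newuidmap error in the thread.
CONF = "lxc.idmap: u 0 100000 1000\nlxc.idmap: u 1000 998 1\nlxc.idmap: u 1001 101001 64535\n"
# Constructed host /etc/subuid contents (assumed): before and after the suggested change.
SUBUID_BEFORE = "root:100000:65536\nroot:1000:1\n"
SUBUID_AFTER = "root:998:1\nroot:100000:65536\n"

if __name__ == "__main__":
    print(check(CONF, SUBUID_BEFORE))
    print(check(CONF, SUBUID_AFTER))
```

Every id listed in the host's /etc/subuid for root can be mapped into a container, so keeping those entries to the single ids actually needed limits which host-owned files a container can reach.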
 
Tried that; I have the same issue. If I use = instead of :, like the wiki shows, the LXC starts, but it then automagically changes the = to : in the 100.conf file, and on the next boot the LXC fails to start.

lxc.idmap= u 0 100000 999
lxc.idmap= u 999 1000 1
lxc.idmap= u 1000 101000 64536
lxc.idmap= g 0 100000 999
lxc.idmap= g 999 1000 1
lxc.idmap= g 1000 101000 64536

to

lxc.idmap: u 0 100000 999
lxc.idmap: u 999 1000 1
lxc.idmap: u 1000 101000 64536
lxc.idmap: g 0 100000 999
lxc.idmap: g 999 1000 1
lxc.idmap: g 1000 101000 64536
 
The correct syntax is with :. For example, this is what I use to map video group to video group, which happen to have the same numeric GID:
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 65490
Now you are using different numbers than mapping 1000 to 998. Why? Did you adjust /etc/subuid and /etc/subgid also?
Please share the actual error messages to pin point the cause of the problems.
 
I figured what you posted was correct although the wiki has = instead of :

I tried to mention it's uid 999 in the prior post; uid 998 was a typo, sorry about that.

I am trying to map the debian plex uid to the lxc uid.
Currently under debian the owner of some files appears as systemd-timesync instead of plex. Under LXC the owner of some files appears correctly as plex


Debian UIDs
[screenshot: debian_uid - Copy.JPG]

LXC UIDs
[screenshot: lxc_uid - Copy.JPG]

Here is what I have in the lxc/100.conf
Code:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 999 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 999 1
lxc.idmap: g 1001 101001 64535
arch: amd64
cores: 8
features: nesting=1
hostname: Plex-Server
memory: 4096
mp0: /mnt/pool0,mp=pool0
mp1: /mnt/pool1,mp=pool1
mp2: /mnt/pool2,mp=pool2
mp3: /mnt/pool3,mp=pool3
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.3.1,hwaddr=62:DB:EA:C3:D0:8E,ip=192.168.3.13/24,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-100-disk-0,size=32G
searchdomain: 192.168.3.1
swap: 512
lxc.cgroup2.devices.allow: c 226:0 rwm
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.cgroup2.devices.allow: c 29:0 rwm
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/fb0 dev/fb0 none bind,optional,create=file

I run the following
lxc-start -F -n 100

[screenshot: fail1.JPG]

I can not log into the shell to run systemctl status systemd-sysusers.service
 
Use pct enter 100 on the Proxmox host to enter the container as root. I haven't taken the time to look into your new issue in detail.
Here is what I ended up doing; it seemed easier.

I went into
/etc/passwd -> changed the uid:group in LXC to match debian uid:group
/etc/group -> changed the group # in LXC to match debian group #

within the LXC
chown -R plex.plex '/pool3/plex_files/'
chown -R plex.plex '/pool1/plex_files/'
chown -R plex.plex '/pool2/plex_files/'

Now if I access from Debian or the LXC, the file ownership shows up the same.

Thank you for your help; you are one of the members that seems to try to help folks a lot. Appreciate that!
 
I have a similar problem and cannot figure out what I'm doing wrong.

My PVE and LXC each have a user share:share with 1005:1005 as uid/gid

To my LXC's config I added:
Code:
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

And upon rebooting my LXC I get following errors:
Code:
lxc-start: 101: ../src/lxc/conf.c: lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [1005-1006) -> [1005-1006) not allowed": newuidmap 3554 0 100000 1005 1005 1005 1 1006 101006 64530
lxc-start: 101: ../src/lxc/start.c: lxc_spawn: 1788 Failed to set up id mapping.
lxc-start: 101: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "101"
lxc-start: 101: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 101: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority options


Here is my LXC's config:
Code:
arch: amd64
cmode: shell
cores: 2
features: nesting=1
hostname: smb-share
memory: 512
mp0: /tank/movies,mp=/mnt/movies
mp1: /tank/downloads,mp=/mnt/downloads
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.178.1,hwaddr=16:9B:B7:A7:77:9E,ip=192.168.178.61/24,ip6=dhcp,type=veth
onboot: 1
ostype: debian
rootfs: local-lvm:vm-101-disk-0,size=8G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

Inside the LXC I added
Code:
root:1005:1
to both /etc/subuid and /etc/subgid

On PVE I also changed permissions for the folder that is to be shared to:
Code:
drwxrwxr-x 8 share share 8 Jun 20 20:16 movies

Please help.