Mapping single uid/gid to unprivileged LXC container

johnha
Jan 1, 2018
I'm loath to post this asking for help because there are already several threads about uid/gid mapping for an unprivileged LXC container (believe me, I've read and re-read them all!), and there's even @DougD's python script to automate the process... so I feel really dumb... but I've been trying for months and I can't seem to figure out the mapping for my use case with just a single user (root):

Host: root
Debian 10 CT: root

This doesn't work, but it's as close as I've gotten:
Code:
# /etc/pve/lxc/100.conf
lxc.idmap = u 0 100000 1
lxc.idmap = g 0 100000 1
lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1

# /etc/subuid
root:100000:65536
root:0:1

# /etc/subgid
root:100000:65536
root:0:1

If anyone could put me out of my misery I would appreciate it. Thank you so much in advance :)
 
# /etc/pve/lxc/100.conf
lxc.idmap = u 0 100000 1
lxc.idmap = g 0 100000 1
lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1
That tells Proxmox to map:
UID/GID 0 on host to 100000 on guest
UID/GID 0 on host to 0 on guest

You can't remap the same user twice.
Also there are 65565 UIDs and you don't tell Proxmox what to do with the other 65564 UIDs/GIDs.

You should try something like:
lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1
lxc.idmap = u 1 100001 65565
lxc.idmap = g 1 100001 65565

So that mappings look like:
UID/GID 0 on host to 0 on guest
UID/GID 1-65565 on host to 100001-165565 on guest

And mapping root users isn't good for security. It would be better to map an unprivileged user on the guest to an unprivileged user on the host.
 
Thank you very much - I gave it a shot but when trying to start the container, I get:

Code:
lxc_map_ids: 2878 newuidmap failed to write mapping "newuidmap: uid range [1-65566) -> [100001-165566) not allowed": newuidmap 20329 0 0 1 1 100001 65565
lxc_spawn: 1726 Failed to set up id mapping.
__lxc_start: 1999 Failed to spawn container "100"
startup for container '100' failed
 
Try it with
Code:
lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1
lxc.idmap = u 1 100001 65564
lxc.idmap = g 1 100001 65564

By the way, if you map root to root it's the same as how privileged LXCs handle rights. So if you have chosen unprivileged LXCs because of better security, mapping root isn't a good idea.
If you don't care about security you can just use privileged LXCs and don't need to do any remapping at all.
 

Very good point about the reason for unprivileged container use... Thank you. Perhaps I should just give ownership of my mounted disk to user 100000 and call it a day. (At this point, this is just a theoretical exercise to help me better understand mappings. and perhaps some future readers)

(By the way, I did originally try with 65564 and it gave me the same error.)
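The error quoted above ("uid range [1-65566) -> [100001-165566) not allowed") is newuidmap refusing a host range that runs past the allocation in /etc/subuid: root:100000:65536 ends at 165536, so a range that starts at 100001 can be at most 65535 long. The script below is an added example written for this thread (it is not part of the thread, Proxmox or LXC); it parses lxc.idmap lines (container id first, host id second, then the count), emulates the two checks newuidmap/newgidmap apply (no container id mapped twice, every host range inside a sub-id allocation for the user), counts how many container ids are left unmapped, and builds the mapping that shares one account with the host. The sample files and configs are the ones posted in the thread, embedded here as constructed input; the helper names are the example's own.

```python
"""Validate lxc.idmap entries the way newuidmap/newgidmap will, using the
configs posted in this thread as constructed sample input (example code, not
part of Proxmox or LXC)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (uid) or "g" (gid)
    ct_start: int    # first id inside the container
    host_start: int  # host id that ct_start maps to
    count: int       # length of the range


def parse_idmap(text):
    """Parse 'lxc.idmap = u 0 100000 1' lines; other config lines are ignored."""
    maps = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("lxc.idmap"):
            kind, ct, host, count = line.split("=", 1)[1].split()
            maps.append(IdMap(kind, int(ct), int(host), int(count)))
    return maps


def parse_subid(text, user):
    """Return the (start, count) allocations for `user` from a subuid/subgid file."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, start, count = line.split(":")
            if name == user:
                out.append((int(start), int(count)))
    return out


def check_idmap(maps, subuid_text, subgid_text, user="root"):
    """Return a list of problems; an empty list means the mapping will be accepted.

    Two rules are emulated: a container id may be mapped only once per kind,
    and every host range must fit entirely inside one allocation that
    /etc/subuid (or /etc/subgid) grants to `user` (the user that starts the
    container, root for Proxmox).
    """
    problems = []
    allowed = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    for kind in ("u", "g"):
        seen = []
        for m in (x for x in maps if x.kind == kind):
            ct_end, host_end = m.ct_start + m.count, m.host_start + m.count
            if any(m.ct_start < e and s < ct_end for s, e in seen):
                problems.append(f"{kind}: container ids [{m.ct_start}-{ct_end}) mapped more than once")
            seen.append((m.ct_start, ct_end))
            if not any(s <= m.host_start and host_end <= s + n for s, n in allowed[kind]):
                problems.append(f"{kind}: host range [{m.host_start}-{host_end}) not allowed by sub{kind}id")
    return problems


def unmapped_ids(maps, kind, total=65536):
    """Count container ids in 0..total-1 with no host id (they appear as nobody/nogroup)."""
    covered = set()
    for m in maps:
        if m.kind == kind:
            covered.update(range(m.ct_start, min(m.ct_start + m.count, total)))
    return total - len(covered)


def passthrough_idmap(keep, base=100000, total=65536):
    """Map container ids 0..total-1 onto base.., except the ids in `keep`, which
    are mapped 1:1 onto the same host id (each of those also needs a
    'root:<id>:1' line in /etc/subuid and /etc/subgid)."""
    lines = []
    for kind in ("u", "g"):
        cur = 0
        for i in sorted(keep):
            if i > cur:
                lines.append(f"lxc.idmap = {kind} {cur} {base + cur} {i - cur}")
            lines.append(f"lxc.idmap = {kind} {i} {i} 1")
            cur = i + 1
        if cur < total:
            lines.append(f"lxc.idmap = {kind} {cur} {base + cur} {total - cur}")
    return "\n".join(lines)


# Constructed sample input: the files and configs as posted in the thread.
SUBUID = "root:100000:65536\nroot:0:1\n"
SUBGID = SUBUID
CONFIG_ORIGINAL = """lxc.idmap = u 0 100000 1
lxc.idmap = g 0 100000 1
lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1"""
CONFIG_65565 = """lxc.idmap = u 0 0 1
lxc.idmap = g 0 0 1
lxc.idmap = u 1 100001 65565
lxc.idmap = g 1 100001 65565"""
CONFIG_ROOT = passthrough_idmap({0})      # 0 -> 0, 1..65535 -> 100001..165535
CONFIG_USER = passthrough_idmap({1000})   # only uid/gid 1000 is shared with the host

if __name__ == "__main__":
    for name, cfg in [("original", CONFIG_ORIGINAL), ("65565", CONFIG_65565),
                      ("root", CONFIG_ROOT), ("user", CONFIG_USER)]:
        maps = parse_idmap(cfg)
        print(name, check_idmap(maps, SUBUID, SUBGID) or "ok", "unmapped:", unmapped_ids(maps, "u"))
    # CONFIG_USER is only accepted once root:1000:1 is added to both files
    print("user+subid", check_idmap(parse_idmap(CONFIG_USER),
                                    SUBUID + "root:1000:1\n", SUBGID + "root:1000:1\n") or "ok")
```

Run against the posted files, the original config is rejected because container id 0 is mapped twice, the 65565 and 65564 variants are rejected because the host range overruns 165536, and the 65535 variant passes with every container id mapped. The `{1000}` mapping is the unprivileged-user alternative suggested earlier in the thread: it is rejected until `root:1000:1` is added to /etc/subuid and /etc/subgid, which is the step that is easy to forget when copying a mapping from another thread.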
 