permissions in /home messed after adding some idmap

[vnvu]

Hello,

I'd like to setup unprivileged containers with glusterfs mount in it. The idea is to have 1 ansible controller in each datacenter, so, in case we lost a datacenter connectivity, we still be able to run playbooks from the other datacenter.

So, my lxc.idmap does the job for the bind mount (glusterfs on the host shared to the container with mp0 setting).

But my problem is when the mapping is set, all users homedirs in the containers are set to nobody (65534). That's problematic because we connect to that container using SSH keys.

Here is my /etc/pve/lxc/101.conf :

mp0: /net/glusterfs/192.168.170.5+192.168.160.5:ansible/ansible,mp=/mnt/ansible/ansible
# the UIDs range I need on the glusterfs mount:
lxc.idmap = u 0 100000 1000
# the GID of ansible group on the mount:
lxc.idmap = g 0 100000 200
# map 10 UIDs:
lxc.idmap = u 1000 1000 10
# map 1 GID:
lxc.idmap = g 200 200 1
# the rest:
lxc.idmap = u 1010 101009 64526
lxc.idmap = g 201 100200 65335

and /etc/subuid :

root:100000:65536
foo:165536:65536
bar:231072:65536
baz:296608:65536
prometheus:362144:65536
root:500:1
root:1000:10

How can I fix permissions inside /home/ of my container?

 

[oguz]

hi,

are you still having the problem?

what about your /etc/subgid ? you didn't post that

 

[vnvu]

hi,

are you still having the problem?

what about your /etc/subgid ? you didn't post that

Hello, I didn't paste /etc/subgid because I don't think it's relevant in my case.
But, finally, it may be because I plan to have users groups. If user bob has UID 1010, we will create him according group with GID 1010 and set that group as his primary group.

To answer your last question, I managed to get it working by doing

chown -R /path/to/lxc/container/storage/home/that_user

for every user.

Before that, I didn't realize that UID+100000 was applying at container creation inside container's /home/ path, when the container is created with unprivileged setting.

The documentation at https://pve.proxmox.com/wiki/Unprivileged_LXC_containers says lxc.idmap = u 0 100000 1005 but I noticed that with pct config it is like other settings lxc.idmap: u 0 100000 10005

However, I have no idea how to pass that setting at container creation time, and especially using the API with Ansible's proxmox module.

So, currently, my plan is to create the container with unprivileged setting but without UID/GID mappings, and set them later directly inside the /etc/pve/lxc/xxx.conf file, and others files (/etc/subgid, /etc/subgid) too.

Then, later, doing the chown -R /path/to/lxc/container/subvol-xxx-disk-0/home/foo/ before starting the container.

All that steps make my ansible playbooks a bit more complex than earlier with privileged containers. Since that, we are also considering kvm instead. But we need to be more skilled with cloudinit thingies.

As a record, my needs is :

• general goal: ansible controllers and playbooks always available. Because in case of disaster, we would need to rebuild services
• so, I tried to duplicate my lxc container running ansible, but nowadays it is recommended to use unprivileged containers
• so, with unprivileged containers, I need to set UID/GID mapping with exceptions for our team users because we want that match on the glusterfs share

After all that, I'm not sure anymore all that was worth a try. Since, if I'm right the benefit of unprivileged is to map to unprivileged users on the host. In my case, I set exceptions, so using directly privileged looks like the same. Maybe it is still better with unprivileged, at least for root user that would not be UID 0 on the host...