Problems getting idmap working

Ian Petts
May 21, 2019
I've been tearing my hair out for days trying to get ID mapping working and would really appreciate some help.

I'm running PVE v6.2-12. I have an NFS share on my NAS that I can access and write to just fine from the PVE host. The user and group IDs needed for this share are 1026:100.

Inside the container, my user ID and group are both 1000, so I want to map UID 1000 in the container to 1026 on the host and GID 1000 in the container to GID 100 on the host.

I must have tried 100 different variations on the below, but I just can't seem to get it to work.

The container config is:
arch: amd64
cores: 1
hostname: ufct01
memory: 512
mp0: /mnt/pve/media,mp=/var/media
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.1.1,hwaddr=xx:xx:xx:xx:xx:xx,ip=192.168.1.50/24,ip6=dhcp,type=veth
onboot: 0
ostype: ubuntu
protection: 1
rootfs: local-lvm:vm-100-disk-0,size=32G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 1026
lxc.idmap: g 0 100000 100
lxc.idmap: u 1000 1026 1
lxc.idmap: g 1000 100 1
lxc.idmap: u 1027 101027 64509
lxc.idmap: g 101 100101 65435


The subuid file is:
root:100000:65536
root:1026:1


The subgid file is:
root:100000:65536
root:100:1


When I attempt to start the container with lxc-start -n 100 -F -l DEBUG -o /tmp/lxc-100.log, I get the following errors:

root@pve:~# grep ERR /tmp/lxc-100.log
lxc-start 100 20200930092717.827 ERROR conf - conf.c:lxc_map_ids:2816 - newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 16980 0 100000 1026 1000 1026 1 1027 101027 64509
lxc-start 100 20200930092717.827 ERROR start - start.c:lxc_spawn:1683 - Failed to set up id mapping.
lxc-start 100 20200930092717.828 ERROR start - start.c:__lxc_start:1950 - Failed to spawn container "100"
lxc-start 100 20200930092719.504 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start 100 20200930092719.504 ERROR lxc_start - tools/lxc_start.c:main:314 - Additional information can be obtained by setting the --logfile and --logpriority options


Trying variations on this config I have from time to time been able to get the container to boot, but as yet I have been unable to write to the NFS share from inside the container.

What am I doing wrong?
 
That's funny, I followed the official instructions from Proxmox support (here) and have exactly the same problem!
You must also have a Synology NAS and be trying to connect via NFS.
Sorry I can't be any more help; I will post if I get it resolved.
 
lxc.idmap: u 0 100000 1026
lxc.idmap: u 1000 1026 1
lxc.idmap: u 1027 101027 64509
It looks to me that you are trying to map user 1000 to 1026, but you start with mapping 0-1025 to 100000-101025; that has an illegal overlap.
Maybe try this for the user mapping:
lxc.idmap: u 0 100000 1000
lxc.idmap: u 1000 1026 1
lxc.idmap: u 1001 101001 64535
And do something similar for the group mapping:
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 100 1
lxc.idmap: g 1001 101001 64535
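Since the answer above comes down to an overlapping range, here is an added example (my own code, not from this thread or from Proxmox) that parses lxc.idmap lines together with a subuid/subgid file and reports overlapping container or host ranges, as well as host ranges root has not been granted. The constructed sample inputs are the first post's user mapping, the suggested fix, and the subuid file from the first post.

```python
# Added example (not from the thread): parse "lxc.idmap: u|g <container_id> <host_id> <count>"
# lines and report the overlaps that make the kernel reject the uid_map/gid_map write
# (the "Invalid argument" in the log), plus host ranges not granted in /etc/subuid or /etc/subgid.
def parse_idmaps(text):
    """Return [(kind, container_start, host_start, count), ...]; non-idmap lines are ignored."""
    maps = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("lxc.idmap:"):
            continue
        f = line.split(":", 1)[1].split()
        if len(f) != 4 or f[0] not in ("u", "g"):
            raise ValueError("malformed idmap line: " + line)
        maps.append((f[0], int(f[1]), int(f[2]), int(f[3])))
    return maps

def parse_subids(text, user="root"):
    """Return [(start, count), ...] granted to `user` from 'user:start:count' lines."""
    out = []
    for line in text.splitlines():
        if line.strip():
            u, start, count = line.strip().split(":")
            if u == user:
                out.append((int(start), int(count)))
    return out

def _overlap(a_start, a_count, b_start, b_count):
    return a_start < b_start + b_count and b_start < a_start + a_count

def find_problems(maps, subuid, subgid):
    """List of problem strings; an empty list means the map is consistent and permitted."""
    problems = []
    for kind, allowed in (("u", subuid), ("g", subgid)):
        entries = [m for m in maps if m[0] == kind]
        for i, (_, c1, h1, n1) in enumerate(entries):
            for _, c2, h2, n2 in entries[i + 1:]:
                if _overlap(c1, n1, c2, n2):   # same container id mapped twice -> EINVAL
                    problems.append(f"{kind}: container ids {c1}+{n1} overlap {c2}+{n2}")
                if _overlap(h1, n1, h2, n2):   # same host id mapped twice -> EINVAL
                    problems.append(f"{kind}: host ids {h1}+{n1} overlap {h2}+{n2}")
        for _, _, h, n in entries:             # newuidmap/newgidmap refuse ungranted host ids
            if not any(s <= h and h + n <= s + c for s, c in allowed):
                problems.append(f"{kind}: host range {h}-{h + n - 1} not granted in sub{kind}id")
    return problems

# Constructed sample: the user mapping from the first post versus the suggested fix.
ORIGINAL = "lxc.idmap: u 0 100000 1026\nlxc.idmap: u 1000 1026 1\nlxc.idmap: u 1027 101027 64509\n"
FIXED = "lxc.idmap: u 0 100000 1000\nlxc.idmap: u 1000 1026 1\nlxc.idmap: u 1001 101001 64535\n"
SUBUID = "root:100000:65536\nroot:1026:1\n"
```

Running `find_problems(parse_idmaps(ORIGINAL), parse_subids(SUBUID), [])` flags the container-side overlap between `0+1026` and `1000+1`, while the fixed mapping returns no problems.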
 
Thanks for the response. I was trying to map root 0:0 (Debian 11 container) to 1026:100 (NAS).

I am guessing root 0:0 cannot be mapped?

Used this UID/GID tool but it doesn't support 0:0 for good reason I guess.

lxc.idmap: u 0 100000 1026
lxc.idmap: g 0 100000 100
lxc.idmap: u 1026 1026 1
lxc.idmap: g 100 100 1
lxc.idmap: u 1027 101027 64509
lxc.idmap: g 101 100101 65435


For other newbs trying this: you can supposedly use LDAP (NAS server/container client), but getting them to sync is another project in itself. PVE works fine with LDAP.

So for now I used the workaround and created the same account on the container:

groupadd -g 100 yournewgroupname
useradd -m -d /home/yournewuser -u 1026 -g 100 yournewuser

For anyone looking to bind mount from containers to the host and on to a Synology NAS, this is what worked for me:

https://forum.proxmox.com/threads/bind-mounting-read-only-in-lxc-container.117205/#post-507181
 
I guess that would be:
lxc.idmap: u 0 1026 1
lxc.idmap: u 1 100001 65535
lxc.idmap: g 0 100 1
lxc.idmap: g 1 100001 65535
I could get it to work, but no write permissions even with the same GIDs/UIDs over NFS with an unprivileged container.
Thanks again for your help.