Trying to map gid in unprivileged container

[psyko_chewbacca]

I am trying to map the GID of render group from host into lxc container.

I have a really weird error message:

lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [108-109) -> [104-105) not allowed": newgidmap 2700 0 100000 108 108 104 1 109 100109 65427

Here's my config:

## Plex LXC
#  ### https%3A//tteck.github.io/Proxmox/
#  <a href='https%3A//ko-fi.com/D1D7EP4GF'><img src='https%3A//img.shields.io/badge/%E2%98%95-Buy me a coffee-red' /></a>
arch: amd64
cores: 2
features: nesting=1
hostname: plex
memory: 4096
<bunch of biding mounts>
net0: name=eth0,bridge=vmbr0,gw=192.168.0.3,hwaddr=8E:83:32:CD:5D:6F,ip=192.168.0.242/23,type=veth
net1: name=intra0,bridge=vmbr2,hwaddr=AA:28:A1:35:75:4A,ip=192.168.10.242/28,type=veth
onboot: 0
ostype: ubuntu
rootfs: local-lvm:vm-201-disk-0,size=8G
startup: order=2,up=60
swap: 512
tags: proxmox-helper-scripts
unprivileged: 1
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/fb0 dev/fb0 none bind,optional,create=file
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 108
lxc.idmap: g 108 104 1
lxc.idmap: g 109 100109 65427

/etc/subuid

root:100000:65536
root:44:1
root:108:1

/etc/subgid

root:100000:65536
root:104:1  # render group map
root:44:1   # video group map

pveversion:

pve-manager/8.0.4/d258a813cfa6b390 (running kernel: 6.2.16-10-pve)

What I fail to understand is why the error message on container launch states I'm trying to map a range of 2 GIDs.
Also, I don't quite understand why it is failing.

 

[leesteken]

lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [108-109) -> [104-105) not allowed": newgidmap 2700 0 100000 108 108 104 1 109 100109 65427

The message is that gid mapping of 108 (to 104) is not allowed (for root).

Here's my config:

## Plex LXC
#  ### https%3A//tteck.github.io/Proxmox/
#  <a href='https%3A//ko-fi.com/D1D7EP4GF'><img src='https%3A//img.shields.io/badge/%E2%98%95-Buy me a coffee-red' /></a>
arch: amd64
cores: 2
features: nesting=1
hostname: plex
memory: 4096
<bunch of biding mounts>
net0: name=eth0,bridge=vmbr0,gw=192.168.0.3,hwaddr=8E:83:32:CD:5D:6F,ip=192.168.0.242/23,type=veth
net1: name=intra0,bridge=vmbr2,hwaddr=AA:28:A1:35:75:4A,ip=192.168.10.242/28,type=veth
onboot: 0
ostype: ubuntu
rootfs: local-lvm:vm-201-disk-0,size=8G
startup: order=2,up=60
swap: 512
tags: proxmox-helper-scripts
unprivileged: 1
lxc.cgroup2.devices.allow: c 226:128 rwm
lxc.mount.entry: /dev/fb0 dev/fb0 none bind,optional,create=file
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry: /dev/dri/renderD128 dev/dri/renderD128 none bind,optional,create=file
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 108
lxc.idmap: g 108 104 1
lxc.idmap: g 109 100109 65427

/etc/subuid

root:100000:65536
root:44:1
root:108:1

You don't need root:108:1 or root:44:1 in /etc/subuid because you are not doing any special uid mapping (unless you have other containers with uid mappings).

/etc/subgid

root:100000:65536
root:104:1  # render group map
root:44:1   # video group map

root:108:1 is not in /etc/subgid, which is why it is not allowed for root. Maybe you wrote 104 instead of 108 by accident? You also don't gid mapping 44, so it does not need to be in there (unless you have more containers with gid mappings).

 

[psyko_chewbacca]

Thanks @leesteken , this is informative. I must say I was desperate when I added the entries to /etc/subuid...

I tried to simplify my group mapping just to see if it would work. I'm trying to map group 108 to LXC group 108 and it's not working.

I have /etc/subgid set to

root:100000:65536
root:108:1  # render group map

I made sure to reboot after modifying the file.
In /etc/subgid, should I add GID of host I wish to map or the value inside the container? It feels like it should be the GID on the host.



Then, have the following lines in my lxc conf file

lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 108
lxc.idmap: g 108 108 1
lxc.idmap: g 109 100109 65426

Here's the result when I try to start the CT

lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [108-109) -> [108-109) not allowed": newgidmap 5110 0 100000 108 108 108 1 109 100109 65426
lxc_spawn: 1788 Failed to set up id mapping.
__lxc_start: 2107 Failed to spawn container "205"
TASK ERROR: startup for container '205' failed

I did another test but with GID 104 instead of 108.

So in /etc/subgid

root:100000:65536
root:104:1  # render group map

In CT's conf file

lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 104
lxc.idmap: g 104 104 1
lxc.idmap: g 105 100105 65430

And to my surprise, it worked. Container started. So I'm kinda puzzled here. Why would GID 108 not map? GID 108 exist on both host and in container.


As a reminder, I want to map GID 108 on host to 104 inside unprivileged container.

Thanks

 

[leesteken]

In CT's conf file

lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 104
lxc.idmap: g 104 104 1
lxc.idmap: g 105 100105 65430

And to my surprise, it worked. Container started. So I'm kinda puzzled here. Why would GID 108 not map? GID 108 exist on both host and in container.

As a reminder, I want to map GID 108 on host to 104 inside unprivileged container.

I would expect that changing lxc.idmap: g 104 104 1 to lxc.idmap: g 104 108 1 would do that. But you might need to add root:108:1 to /etc/subgid.