uid/gid allocation for nested LXD in unprivileged container

Oct 3, 2019
Hi everyone,

I am trying to configure GitLab runners with custom LXD executors inside Proxmox's LXC container.
Basically, I want to be able to spin up LXC containers inside Proxmox's unprivileged LXC container.

I did the following:
1. Created unprivileged Ubuntu 22.04 LXC container with keyctl, nesting and FUSE enabled;
2. Updated all the packages and installed snapd;
3. Added lxc.mount.entry to container's config (to be able to install snaps).
Here's what the container's config looks like:
Code:
arch: amd64
cores: 1
features: fuse=1,keyctl=1,nesting=1
hostname: ubuntu22unpriv
memory: 1024
net0: name=eno1,bridge=vmbr1,gw=10.0.5.1,hwaddr=32:20:26:14:ED:5A,ip=10.0.5.115/24,type=veth
ostype: ubuntu
rootfs: local-zfs:subvol-115-disk-0,size=20G
swap: 512
unprivileged: 1
lxc.mount.entry: /dev/fuse dev/fuse none bind,create=file,optional
4. Installed snap version of LXD

After the above, if I try to start a new container, I get uid/gid allocation error:
Code:
root@ubuntu22unpriv:~# /snap/bin/lxc launch ubuntu:22.04
Creating the instance
Error: Failed instance creation: Failed creating instance record: Failed initialising instance: Invalid config: LXD doesn't have a uid/gid allocation. In this mode, only privileged containers are supported

On the host with Proxmox, I have the following in /etc/sub{u,g}id:
Code:
root:20001:199
root:100000:65536
user1:165536:65536
user2:231072:65536
user3:296608:65536
user4:362144:65536
I am not sure exactly why there are 2 lines with root (I did some experiments with it before), but I tried to keep only `root:100000:65536` and it didn't change anything.

I believe the error I am getting is related to the mappings inside the LXC container (ubuntu22unpriv). I tried to change mappings there, but if I understood correctly, snapd doesn't care about /etc/sub{u,g}id mappings.

I am not sure if I am digging in the right direction, so I would appreciate any help.
Could there be something on the Proxmox side that I forgot about?

Thanks a lot for any help! :)
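An added example, not part of the original post: a subordinate ID range can only be handed to a nested container if those IDs are themselves mapped in the current user namespace, so this sketch clips `/etc/subuid`-style ranges against a `/proc/self/uid_map`-style table. The function names are hypothetical, and the container-side `uid_map` and subuid lines are constructed assumptions (the post shows only the host's file).

```python
"""Which subordinate ID ranges actually exist inside a user namespace?"""

def parse_subid(text, user):
    """Return [(start, count)] for `user` from /etc/subuid-style text."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def parse_id_map(text):
    """Return [(inside_start, outside_start, count)] from uid_map text."""
    return [tuple(int(f) for f in line.split())
            for line in text.splitlines() if line.strip()]

def usable(sub_ranges, id_map):
    """Clip each subordinate range to the IDs mapped in this namespace."""
    out = []
    for start, count in sub_ranges:
        for inside, _outside, length in id_map:
            lo = max(start, inside)
            hi = min(start + count, inside + length)
            if lo < hi:
                out.append((lo, hi - lo))
    return out

def report(subid_text, map_text, user="root"):
    """Return (usable ranges, total usable IDs) for `user`."""
    ranges = usable(parse_subid(subid_text, user), parse_id_map(map_text))
    return ranges, sum(count for _, count in ranges)

# Host /etc/subuid as quoted in the post (first three lines).
HOST_SUBUID = "root:20001:199\nroot:100000:65536\nuser1:165536:65536\n"
# Initial (host) namespace: identity map over the full 32-bit range.
HOST_UID_MAP = "0 0 4294967295\n"
# Constructed assumption: the unprivileged container maps 0..65535 to 100000+.
CONTAINER_UID_MAP = "         0     100000      65536\n"
# Constructed assumption: a subuid line inside the container.
CONTAINER_SUBUID = "root:100000:65536\n"

if __name__ == "__main__":
    print("host:     ", report(HOST_SUBUID, HOST_UID_MAP))
    print("container:", report(CONTAINER_SUBUID, CONTAINER_UID_MAP))
```

To run it against a live system, pass the contents of `/etc/subuid` and `/proc/self/uid_map` read inside the container to `report()`; the same functions work for `/etc/subgid` and `gid_map`.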
 