Understanding LXC UID Mappings

xmready

New Member
Dec 15, 2021
Reading the Unprivileged LXC containers wiki page, it seems UID mappings are needed in the LXC config files to allow permissions for mount points. I thought that the >100000 range of host ids was already mapped to the CT starting with id 0 when you create a new unprivileged CT. Why does the documentation say I need to map all those IDs instead of just the one I need to have permission if they are already mapped?
Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the remaining 64530 ids starting at ct uid 1006 onto host uid 101006, so 1006..65535 (ct) → 101006..165535 (host)
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530
I want to understand why we can't just use these lines
Code:
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
 
The default "lxc.idmap = u 0 100000 65536" would map the complete range 0 to 65535 to 100000 to 165535. But that would also mean 1005 would be mapped to 101005, which you don't want.
So you need to tell it to map 0 to 1004 to 100000 to 101004, map 1005 to 1005 and then map 1006 to 65535 to 101006 to 165535. That's what's done in the wiki.
 
Thank you
 
Hi, I am trying to setup id mapping in an unprivileged lxc, but I have trouble doing so.

I want to map group 44 in the CT to 44 in the host and 106 in the CT to 104 in the host. I have used the following:

Code:
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 61
lxc.idmap: g 106 104 1
lxc.idmap: g 107 100107 65429

and then also added the group to /etc/subgid:

Code:
root:100000:65536
root:106:1
root:44:1

But the container won't start with this error:

Code:
lxc-start: 106: ../src/lxc/conf.c: lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [106-107) -> [104-105) not allowed": newgidmap 83393 0 100000 44 44 44 1 45 100045 61 106 104 1 107 100107 65429
lxc-start: 106: ../src/lxc/start.c: lxc_spawn: 1788 Failed to set up id mapping.
lxc-start: 106: ../src/lxc/start.c: __lxc_start: 2107 Failed to spawn container "106"
lxc-start: 106: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start

Can you explain what's wrong?
 
lxc-start: 106: ../src/lxc/conf.c: lxc_map_ids: 3701 newgidmap failed to write mapping "newgidmap: gid range [106-107) -> [104-105) not allowed": newgidmap 83393 0 100000 44 44 44 1 45 100045 61 106 104 1 107 100107 65429
Try 104 instead of 106 in /etc/subgid maybe?
Code:
root:100000:65536
root:104:1
root:44:1
 
Seems to work, thanks!

So in there, I should add the host ids I map to, not the container ones?
 
Hello everyone!
First, sorry for my poor English :(

Second, my configuration is working for my tasks, but I think it's strange.

Code:
# at host (proxmox)
# NOTE user with id 5123:5123 - doesn't exist

# make directory
mkdir /data/vg_media/video
chown 5123:5123 /data/vg_media/video
chmod 0775 /data/vg_media/video

# mount directory to CT with id 123
pct set 123 -mp0 /data/vg_media/video,mp=/data

# Add to /etc/subuid and /etc/subgid
root:5123:1

# Add to /etc/pve/nodes/pve/lxc/123.conf
lxc.idmap: u 0 100000 5000
lxc.idmap: u 5000 5123 1
lxc.idmap: u 5001 105001 60535
lxc.idmap: g 0 100000 5000
lxc.idmap: g 5000 5123 1
lxc.idmap: g 5001 105001 60535

Now, "root in CT" has full access to the directory /data (in CT) and /data/vg_media/video (on host). It can create subdirectories and give access to them to any user in the CT. But no users with id=5123 (on host) and 5000 (in CT) exist.
Question: is it normal?!
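An added example, not code from this thread, the Proxmox wiki or LXC, that models what the posts above discuss: it resolves container ids through a set of lxc.idmap ranges, checks the host side of every range against /etc/subuid-style entries the way newuidmap/newgidmap do before refusing a map, and reports container ids that no range covers. The sample configs are copied from the posts in this thread; the function names and the parsing helpers are my own.

```python
"""Added example (not from the thread or from LXC/Proxmox): resolve lxc.idmap
ranges, check their host side against /etc/subuid-style entries, and find
container ids left unmapped. Sample inputs are constructed from this thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class IdRange:
    kind: str        # "u" (uid) or "g" (gid)
    ct_start: int    # first id inside the container
    host_start: int  # first id on the host
    count: int       # number of consecutive ids

def parse_idmap(text: str) -> List[IdRange]:
    """Accept both 'lxc.idmap = u ...' (LXC) and 'lxc.idmap: u ...' (Proxmox) forms."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("lxc.idmap"):
            kind, ct, host, count = line[len("lxc.idmap"):].lstrip(" =:").split()
            ranges.append(IdRange(kind, int(ct), int(host), int(count)))
    return ranges

def resolve(ranges: List[IdRange], kind: str, ct_id: int) -> Optional[int]:
    """Container id -> host id; None means unmapped (shown as the overflow id 65534)."""
    for r in ranges:
        if r.kind == kind and r.ct_start <= ct_id < r.ct_start + r.count:
            return r.host_start + (ct_id - r.ct_start)
    return None

def parse_subid(text: str) -> List[Tuple[str, int, int]]:
    """Parse 'user:start:count' lines as in /etc/subuid and /etc/subgid."""
    rows = [l.strip().split(":") for l in text.splitlines() if l.strip() and not l.startswith("#")]
    return [(u, int(s), int(c)) for u, s, c in rows]

def host_range_allowed(entries, user: str, lo: int, hi: int) -> bool:
    """True if host ids lo..hi-1 are delegated to `user`, possibly across adjacent entries."""
    pos = lo
    while pos < hi:
        ends = [s + c for u, s, c in entries if u == user and s <= pos < s + c]
        if not ends:
            return False
        pos = max(ends)
    return True

def refused_ranges(ranges, entries, kind: str, user: str = "root") -> List[IdRange]:
    """Ranges newuidmap/newgidmap would reject: the HOST side of every range
    (not the container side) must appear in /etc/subuid or /etc/subgid."""
    return [r for r in ranges if r.kind == kind
            and not host_range_allowed(entries, user, r.host_start, r.host_start + r.count)]

def refusal_message(r: IdRange) -> str:
    """Wording newuidmap/newgidmap use for a rejected range (as seen in the thread)."""
    return (f"{'uid' if r.kind == 'u' else 'gid'} range [{r.ct_start}-{r.ct_start + r.count})"
            f" -> [{r.host_start}-{r.host_start + r.count}) not allowed")

def unmapped_ct_ids(ranges, kind: str, total: int = 65536) -> List[Tuple[int, int]]:
    """Gaps (first, last) in container ids 0..total-1 that no range covers."""
    gaps, pos = [], 0
    for r in sorted((r for r in ranges if r.kind == kind), key=lambda r: r.ct_start):
        if r.ct_start > pos:
            gaps.append((pos, r.ct_start - 1))
        pos = max(pos, r.ct_start + r.count)
    return gaps + ([(pos, total - 1)] if pos < total else [])

# Constructed sample inputs, copied from the configs posted in this thread.
WIKI_MAP = """
lxc.idmap = u 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = u 1006 101006 64530
"""
GROUP_MAP = """
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 61
lxc.idmap: g 106 104 1
lxc.idmap: g 107 100107 65429
"""
SUBGID_WRONG = "root:100000:65536\nroot:106:1\nroot:44:1\n"  # 106 is the container-side gid
SUBGID_FIXED = "root:100000:65536\nroot:104:1\nroot:44:1\n"  # 104 is the host-side gid

if __name__ == "__main__":
    wiki = parse_idmap(WIKI_MAP)
    print("ct uid 1004/1005/1006 ->", [resolve(wiki, "u", i) for i in (1004, 1005, 1006)])
    print("unmapped container uids:", unmapped_ct_ids(wiki, "u"))
    groups = parse_idmap(GROUP_MAP)
    for r in refused_ranges(groups, parse_subid(SUBGID_WRONG), "g"):
        print("newgidmap:", refusal_message(r))
    print("refused after fix:", refused_ranges(groups, parse_subid(SUBGID_FIXED), "g"))
```

Running it shows why the wiki splits the map into three ranges (container uid 1005 lands on host 1005 while 1004 and 1006 land on 101004 and 101006, with no container id left unmapped) and why the /etc/subgid line has to carry the host-side gid 104 rather than the container-side 106: the subordinate id files delegate host ids, so each range's host side is what gets checked. The same resolver applied to the last post's map gives container uid 5000 for host uid 5123, so the directory owned by 5123 on the host belongs to an id that is mapped into the container; the container's root keeps its capabilities over files whose owner is mapped into its user namespace, which is why it can write there even though no account with either id exists.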
 
