Unprivileged LXC local directory bind mount points

Jero

Member
May 20, 2016
Hi Guys,

I am trying to convert my Samba LXC to an unprivileged one.
Let's assume for the sake of simplicity I have one directory to map: Downloads
host:
Code:
root@pve:~# ls -ln /wdpool/NAS/
drwxrwx--- 8 0 1002         11 Jun 20 10:35 Downloads

I only use the gid in my Samba config, so I don't care about the uid. The users that want access to Downloads are members of gid 1002.

So I need the real gid 1002 in my unprivileged container. I tried to map the gid according to this doc like this (ignoring the user uid mapping):
lxc.conf:
Code:
unprivileged: 1
mp0: /wdpool/NAS/Downloads,mp=/mnt/NAS/Downloads

lxc.id_map = g 0 100000 1002
lxc.id_map = g 1002 1002 1
lxc.id_map = g 1003 101003 64530
Code:
root@pve:~# cat /etc/subgid
root:1002:1

But the container won't start.

Is something like this possible? Can someone guide me in the right direction?
 
Now I got it. I needed to add the line "lxc.id_map = u 0 100000 65536" to my lxc.conf.
Now I have this in the container:
Code:
root@sambaserver:/mnt/NAS# ls -l
total 10
drwxrwx--- 8 nobody 1002 11 Jun 20 08:35 Downloads

edit:
Great, now I want a second gid in the unprivileged LXC (1012). The config by my own logic:

Code:
mp0: /wdpool/NAS/Downloads,mp=/mnt/NAS/Downloads
mp1: /bds/NAS/Dump,mp=/mnt/NAS/Dump

#uid mapping
lxc.id_map = u 0 100000 65536

#gid 0 in host = 100000 in lxc, count +1002
lxc.id_map = g 0 100000 1002
# 1002 maps to 1002
lxc.id_map = g 1002 1002 1
#1003 + 8 = 1011 host / 101011 lxc
lxc.id_map = g 1003 101003 8
# 1012 maps to 1012
lxc.id_map = g 1012 1012 1
# map rest of gid
lxc.id_map = g 1013 101013 64522

LXC won't start :(
 
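An added example, not part of the thread and not Proxmox or LXC code: a small Python checker that applies to lxc.id_map lines the same rules newuidmap/newgidmap and the kernel apply when the container starts (host ranges delegated in /etc/subuid and /etc/subgid, no overlapping ranges, kernel extent limit), and additionally warns about ids left unmapped inside the container and about 1:1 mappings. The mapping and /etc/subgid embedded below are the ones posted above; the /etc/subuid line is an assumption, since the thread never shows that file.

```python
"""Check lxc.id_map lines against /etc/subuid and /etc/subgid before starting.

Added example for this thread (not Proxmox or LXC code). Errors are what makes
newuidmap/newgidmap or the kernel reject the map: host ranges not delegated to
the owner, overlapping ranges, more extents than the kernel allows (5 before
Linux 4.15, 340 afterwards). Warnings are accepted by the kernel but matter:
unmapped ids show files as nobody/nogroup, 1:1 mappings hand out a host id.
"""
import re
from typing import NamedTuple

ID_MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


class Extent(NamedTuple):
    kind: str        # 'u' or 'g'
    ns_start: int    # first id as seen inside the container
    ns_end: int
    host_start: int  # host id that ns_start is translated to
    host_end: int


def parse_id_maps(conf_text):
    """Collect lxc.id_map lines; everything else in the config is ignored."""
    extents = []
    for m in filter(None, map(ID_MAP_RE.match, conf_text.splitlines())):
        kind, ns, host, count = m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))
        extents.append(Extent(kind, ns, ns + count - 1, host, host + count - 1))
    return extents


def parse_sub_ids(sub_text, owner):
    """Sorted host ranges delegated to `owner` (subuid/subgid: name:start:count)."""
    ranges = []
    for line in sub_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, start, count = line.split(":")
            if name == owner:
                ranges.append((int(start), int(start) + int(count) - 1))
    return sorted(ranges)


def _delegated(start, end, ranges):
    """True if start..end is covered by the sorted, possibly adjacent, ranges."""
    cursor = start
    for lo, hi in ranges:
        if lo <= cursor <= hi:
            cursor = hi + 1
            if cursor > end:
                return True
    return False


def _overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_id_maps(conf_text, subuid_text, subgid_text, owner="root",
                  ns_size=65536, max_extents=5):
    """Return (errors, warnings); any error means lxc-start will fail."""
    extents = parse_id_maps(conf_text)
    sub = {"u": parse_sub_ids(subuid_text, owner), "g": parse_sub_ids(subgid_text, owner)}
    errors, warnings = [], []
    for kind, label in (("u", "uid"), ("g", "gid")):
        exts = sorted((e for e in extents if e.kind == kind), key=lambda e: e.ns_start)
        if not exts:
            errors.append(f"no {label} mapping: the user namespace cannot be set up")
            continue
        if len(exts) > max_extents:
            errors.append(f"{len(exts)} {label} extents, kernel limit is {max_extents}")
        for i, a in enumerate(exts):
            for b in exts[i + 1:]:
                if _overlap((a.ns_start, a.ns_end), (b.ns_start, b.ns_end)) or \
                        _overlap((a.host_start, a.host_end), (b.host_start, b.host_end)):
                    errors.append(f"{label} extents overlap: {a} / {b}")
            if not _delegated(a.host_start, a.host_end, sub[kind]):
                errors.append(f"host {label}s {a.host_start}-{a.host_end} are not "
                              f"delegated to {owner} in /etc/sub{label}")
            if a.ns_start == a.host_start:
                warnings.append(f"{label}s {a.ns_start}-{a.ns_end} are mapped 1:1: "
                                f"container processes get the host's real {label}")
        cursor = 0  # gaps are legal, but files with those ids show as nobody
        for e in exts:
            if e.ns_start > cursor:
                warnings.append(f"container {label}s {cursor}-{e.ns_start - 1} are unmapped")
            cursor = max(cursor, e.ns_end + 1)
        if cursor < ns_size:
            warnings.append(f"container {label}s {cursor}-{ns_size - 1} are unmapped")
    return errors, warnings


# The second mapping and the subgid posted in the thread. /etc/subuid is not
# shown there, so THREAD_SUBUID is a constructed assumption (default root range).
THREAD_CONF = """lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 1002
lxc.id_map = g 1002 1002 1
lxc.id_map = g 1003 101003 8
lxc.id_map = g 1012 1012 1
lxc.id_map = g 1013 101013 64522
"""
THREAD_SUBUID = "root:100000:65536\n"
THREAD_SUBGID = "root:1002:1\nroot:1012:1\nroot:33:1\nroot:100000:65536\n"

if __name__ == "__main__":
    errs, warns = check_id_maps(THREAD_CONF, THREAD_SUBUID, THREAD_SUBGID)
    print("\n".join([f"ERROR: {e}" for e in errs] + [f"WARN:  {w}" for w in warns]))
```

On the first attempt (three g lines, no u line, subgid delegating only 1002) the checker reports the missing uid mapping and the host gid ranges that /etc/subgid does not delegate to root, which is what adding the u line and the root:100000:65536 entry fixed. On the second mapping it finds no error, consistent with the reply that the id_maps look fine, and flags three things: container gid 1011 is unmapped (8 gids starting at 1003 end at 1010, not 1011), gid 65535 is unmapped, and gids 1002 and 1012 are 1:1 passthroughs. That last point is the security caveat of this whole approach: container gid 1002 is literally host gid 1002, so any process inside the container running with that group has group access to every host file group-owned by 1002, not only the bind-mounted directory.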
It might be much easier to make a backup, destroy the container and restore it from the backup as unprivileged container.
 
Sorry, I seem to have missed half of your post. I got the part that you have a privileged container running samba, that you want to convert to an unprivileged container running samba.
The id_maps look fine. lxc probably tells you why it won't start. Could you need another entry in /etc/subgid?
 
No problem :)

My subgid:
Code:
root@pve:~# cat /etc/subgid
root:1002:1
root:1012:1
root:33:1
root:100000:65536
systemd-timesync:100000:65536
systemd-network:165536:65536
systemd-resolve:231072:65536
systemd-bus-proxy:296608:65536
statd:362144:65536
sshd:427680:65536
messagebus:493216:65536
postfix:558752:65536
ais:624288:65536
nagios:689824:65536
test:755360:65536

lxc@118.service - LXC Container: 118
Loaded: loaded (/lib/systemd/system/lxc@.service; disabled; vendor preset: enabled)
Drop-In: /usr/lib/systemd/system/lxc@.service.d
└─pve-reboot.conf
Active: failed (Result: exit-code) since Thu 2017-08-31 15:17:50 CEST; 8s ago
Docs: man:lxc-start
man:lxc
Process: 16354 ExecStopPost=/usr/share/lxc/lxc-pve-reboot-trigger 118 (code=exited, status=0/SUCCESS)
Process: 7398 ExecStart=/usr/bin/lxc-start -n 118 (code=exited, status=1/FAILURE)
Main PID: 15779 (code=exited, status=1/FAILURE)

Aug 31 15:17:43 pve systemd[1]: Starting LXC Container: 118...
Aug 31 15:17:50 pve lxc-start[7398]: lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
Aug 31 15:17:50 pve lxc-start[7398]: lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
Aug 31 15:17:50 pve lxc-start[7398]: lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority op
Aug 31 15:17:50 pve systemd[1]: lxc@118.service: Control process exited, code=exited status=1
Aug 31 15:17:50 pve systemd[1]: Failed to start LXC Container: 118.
Aug 31 15:17:50 pve systemd[1]: lxc@118.service: Unit entered failed state.
Aug 31 15:17:50 pve systemd[1]: lxc@118.service: Failed with result 'exit-code'.

Aug 31 15:19:24 pve pct[9012]: <root@pam> starting task UPID:pve:00002335:0113CEA8:59A80CDC:vzstart:118:root@pam:
Aug 31 15:19:24 pve systemd[1]: Starting LXC Container: 118...
-- Subject: Unit lxc@118.service has begun start-up
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit lxc@118.service has begun starting up.
Aug 31 15:19:25 pve kernel: IPv6: ADDRCONF(NETDEV_UP): veth118i0: link is not ready
Aug 31 15:19:25 pve systemd-udevd[9032]: Could not generate persistent MAC address for vethX0K7DC: No such file or directory
Aug 31 15:19:25 pve kernel: vmbr0v52: port 10(veth118i0) entered blocking state
Aug 31 15:19:25 pve kernel: vmbr0v52: port 10(veth118i0) entered disabled state
Aug 31 15:19:25 pve kernel: device veth118i0 entered promiscuous mode
Aug 31 15:19:25 pve kernel: vmbr0v52: port 10(veth118i0) entered disabled state
Aug 31 15:19:25 pve kernel: device veth118i0 left promiscuous mode
Aug 31 15:19:25 pve kernel: vmbr0v52: port 10(veth118i0) entered disabled state
Aug 31 15:19:32 pve lxc-start[9015]: lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
Aug 31 15:19:32 pve lxc-start[9015]: lxc-start: tools/lxc_start.c: main: 368 To get more details, run the container in foreground mode.
Aug 31 15:19:32 pve lxc-start[9015]: lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority op
Aug 31 15:19:32 pve systemd[1]: lxc@118.service: Control process exited, code=exited status=1
Aug 31 15:19:32 pve systemd[1]: Failed to start LXC Container: 118.
-- Subject: Unit lxc@118.service has failed
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- Unit lxc@118.service has failed.
--
-- The result is failed.
Aug 31 15:19:32 pve systemd[1]: lxc@118.service: Unit entered failed state.
Aug 31 15:19:32 pve systemd[1]: lxc@118.service: Failed with result 'exit-code'.
Aug 31 15:19:32 pve pct[9013]: command 'systemctl start lxc@118' failed: exit code 1
Aug 31 15:19:32 pve pct[9012]: <root@pam> end task UPID:pve:00002335:0113CEA8:59A80CDC:vzstart:118:root@pam: command 'systemctl start lxc@118' failed: exit code

lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-1" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-1: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-2" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-2: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-3" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-3: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-4" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-4: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-5" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-5: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-6" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-6: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-7" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-7: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-8" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-8: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-9" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-9: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-10" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-10: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-11" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-11: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-12" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-12: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-13" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-13: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-14" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-14: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-15" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-15: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-16" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-16: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-17" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-17: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-18" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-18: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-19" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-19: No such file or directory
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118-20" already existed.
lxc-start: cgroups/cgfsng.c: cgfsng_create: 1403 No such file or directory - Failed to create /sys/fs/cgroup/systemd//lxc/118-20: No such file or directory
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: cgfsns_chown: 1559 Error requesting cgroup chown in new namespace
lxc-start: start.c: __lxc_start: 1381 Failed to spawn container "118".
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/systemd//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/cpu//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/blkio//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/pids//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/devices//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/cpuset//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/hugetlb//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/memory//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/freezer//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/perf_event//lxc/118-21
newgidmap: write to gid_map failed: Invalid argument
lxc-start: conf.c: userns_exec_1: 4727 Error setting up child mappings
lxc-start: cgroups/cgfsng.c: recursive_destroy: 1290 Error destroying /sys/fs/cgroup/net_cls//lxc/118-21
lxc-start: tools/lxc_start.c: main: 366 The container failed to start.
lxc-start: tools/lxc_start.c: main: 370 Additional information can be obtained by setting the --logfile and --logpriority options.
 
lxc-start: cgroups/cgfsng.c: create_path_for_hierarchy: 1339 Path "/sys/fs/cgroup/systemd//lxc/118" already existed.
newgidmap: write to gid_map failed: Invalid argument
lxc-start: cgroups/cgfsng.c: cgfsns_chown: 1559 Error requesting cgroup chown in new namespace
Those may be the important lines. The cgroup already exists. Is the container still running? Your gid_map is not correct. The error regarding cgroup chown may be related to the first one. Did you make the container unprivileged just by adding unprivileged: 1 to the lxc.conf? Because that's not the way to do it.
The best course of action may be to get your container back into a working, privileged state, without bind mounts, as it was before you set out on this journey. Then convert it to unprivileged via backup/restore and then go about adding bind mounts.
This should hopefully get rid of any artifacts of improper conversion.
There are some posts on the forum to get Samba inside LXC and many more in the rest of the web. As this post on reddit suggests, using ACLs may be an easier solution to your problem.
 

This current container is a clean unprivileged one created from the Debian 9 template! The original privileged Samba server is still running.
 
