user mapping into LXC or lxc.idmap

Forssux

Mar 27, 2022
Hi There,

For backup reasons I need to map 5 users and groups into a LXC running Syncthing.

I have a container where I map the following

lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 1003 1
lxc.idmap: g 1003 1003 1
lxc.idmap: u 1004 101004 64532
lxc.idmap: g 1004 101004 64532

This works and the container starts with the GUI.

However when I do the following in another container

lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 1003 1
lxc.idmap: g 1003 1003 1
lxc.idmap: u 1004 1004 1
lxc.idmap: g 1004 1004 1
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

It doesn't work; even lxc-start -F -n 118 won't start the container.
I have given 5 users the same uid in all containers... I'm lost as to why the upper one works but the lower one doesn't.
Does somebody have advice?

Regards Guy
 
Did you add 1004 and 1005 to the files /etc/subuid and /etc/subgid like you did for 1000-1003?
If that's not it, please share the error message(s) when the container does not start.
 
In pve /etc/subuid I have

Code:
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:1005:1
root:100000:65536
elizabeth:165536:65536
lieselotte:231072:65536
syncthing:296608:65536
The last 3 entries were automatically added


lxc-start: 118: ../src/lxc/conf.c: lxc_map_ids: 3672 newgidmap failed to write mapping "newgidmap: gid range [1004-1005) -> [1004-1005) not allowed": newgidmap 49758 0 100000 1000 1000 1000 1 1001 1001 1 1002 1002 1 1003 1003 1 1004 1004 1 1005 101005 64531
lxc-start: 118: ../src/lxc/start.c: lxc_spawn: 1791 Failed to set up id mapping.
lxc-start: 118: ../src/lxc/start.c: __lxc_start: 2074 Failed to spawn container "118"
lxc-start: 118: ../src/lxc/tools/lxc_start.c: main: 306 The container failed to start
lxc-start: 118: ../src/lxc/tools/lxc_start.c: main: 311 Additional information can be obtained by setting the --logfile and --logpriority o
 
OK thanks, in /etc/subgid I had forgotten the 1004, so that was the reason.

Why is pve automatically adding usernames to /etc/subuid?
 
Bash:
# Add to /etc/pve/lxc/<container_id>.conf:
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 0
lxc.idmap: g 1001 101001 0
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 101002 0
lxc.idmap: g 1002 101002 0
lxc.idmap: u 1002 1002 1
lxc.idmap: g 1002 1002 1
lxc.idmap: u 1003 101003 0
lxc.idmap: g 1003 101003 0
lxc.idmap: u 1003 1003 1
lxc.idmap: g 1003 1003 1
lxc.idmap: u 1004 101004 0
lxc.idmap: g 1004 101004 0
lxc.idmap: u 1004 1004 1
lxc.idmap: g 1004 1004 1
lxc.idmap: u 1005 101005 0
lxc.idmap: g 1005 101005 0
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

# Add to /etc/subuid:
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:1005:1

# Add to /etc/subgid:
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:1005:1

This will work if you want to map UID in CT 1000>1000 UID on Host
1001>1001
1002>1002
1003>1003
1004>1004
1005>1005
 
Why is pve automatically adding usernames to /etc/subuid?

I wondered about this too.

My /etc/subuid and /etc/subgid:
root:1000:3
root:100000:65536
user1:165536:65536
user2:231072:65536
user3:296608:65536

user1, user2 and user3 are the 3 users I mapped with root:1000:3
I did not add the last 3 lines for these users ending in :65536 myself.

Apparently these 3 last lines were automatically added by creating user1, user2 and user3 on the host (useradd).
Subordinate UIDs and GIDs are assigned to new accounts in such a manner that they form a contiguous range.
This seems default behavior.
 
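Added example, not part of the thread and not Proxmox or LXC code: an offline pre-flight check that compares a container's lxc.idmap lines with the ranges delegated to root in /etc/subuid and /etc/subgid, so a missing entry such as the forgotten 1004 in /etc/subgid shows up before lxc-start fails. The function names, the shortened config and the subuid/subgid contents are constructed for illustration, and the range check is a simplified model of what newuidmap/newgidmap enforce.

```python
# Constructed sample data: a shortened idmap config and subordinate ID files.
CONF = """\
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1004 1004 1
lxc.idmap: g 1004 1004 1
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530
"""
SUBUID = "root:1004:1\nroot:1005:1\nroot:100000:65536\n"
SUBGID = "root:1005:1\nroot:100000:65536\n"  # root:1004:1 is missing here

def parse_idmap(conf_text):
    """Yield (kind, container_id, host_id, count) for each lxc.idmap line."""
    for line in conf_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "lxc.idmap":
            kind, ct, host, count = value.split()
            yield kind, int(ct), int(host), int(count)

def parse_subid(text, owner="root"):
    """Return the (start, count) ranges delegated to owner."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows
            if len(r) == 3 and r[0] == owner]

def is_delegated(ranges, start, count):
    """True if host IDs [start, start+count) are covered by the ranges."""
    end = start + count
    while start < end:
        ends = [s + c for s, c in ranges if s <= start < s + c]
        if not ends:
            return False      # first uncovered host ID
        start = max(ends)     # adjacent entries may chain
    return True

def undelegated(conf_text, subuid_text, subgid_text, owner="root"):
    """List idmap entries whose host range the owner is not allowed to map."""
    allowed = {"u": parse_subid(subuid_text, owner),
               "g": parse_subid(subgid_text, owner)}
    return [m for m in parse_idmap(conf_text)
            if not is_delegated(allowed[m[0]], m[2], m[3])]

if __name__ == "__main__":
    for kind, ct, host, count in undelegated(CONF, SUBUID, SUBGID):
        print(f"{kind}: host range [{host}-{host + count}) not delegated to root")
```

On a real host, read the three texts from /etc/pve/lxc/<container_id>.conf, /etc/subuid and /etc/subgid instead of the constants.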