Using large range of UIDs/GIDs above 65535 in unprivileged LXC (crashing)

EZSPECIAL

New Member
Jun 25, 2024
Hello all,
Yet another post about UID/GID mapping on unprivileged containers.

Context
Before referring me to wiki and forum, I am aware and have read these pages:
https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

https://forum.proxmox.com/threads/lxc-uid-mapping-woes.99376/
https://forum.proxmox.com/threads/understanding-lxc-uid-mappings.101855/
https://forum.proxmox.com/threads/how-to-use-uids-gids-higher-than-65535-in-ct-lxc.66382/

I have a cluster with a bunch of unprivileged containers, and there is a need to allow UIDs/GIDs above 65535, so I tried to enable it with container number 173, but it won't start. The goal is not about mounting some directory, file system or device; I specifically need that users and groups above 65535 can be recognized inside the container.

Troubleshooting Information
Proxmox VE version:
7.4-17

Container 173 config:
Code:
arch: amd64
cores: 64
features: fuse=1, nesting=1
hostname: [redacted]
memory: 131072
net0: name=eth0,bridge=vmbr1,firewall=1,hwaddr=[redacted],ip=dhcp,ip6=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-173-disk-0,size=256G
swap: 16384
unprivileged: 1
lxc.cgroup.devices.allow: c 195:* rwm
lxc.cgroup.devices.allow: c 506:* rwm
lxc.cgroup.devices.allow: c 235:* rwm
lxc.mount.entry: /dev/nvidia0 dev/nvidia0 none bind,optional,create=file
lxc.mount.entry: /dev/nvidiactl dev/nvidiactl none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm dev/nvidia-uvm none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-modeset dev/nvidia-modeset none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm-tools dev/nvidia-uvm-tools none bind,optional,create=file
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.idmap: u 0 100000 1000000
lxc.idmap: g 0 100000 1000000

Container 173 /etc/subuid and /etc/subgid:
Code:
# cat /etc/subuid
my_local_ct_username:100000:1000000
# cat /etc/subgid
my_local_ct_username:100000:1000000

Container 173 lxc-start error:
Code:
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [0-1000000) -> [100000-1100000) not allowed": newuidmap 584436 0 100000 1000000
lxc_spawn: 1788 Failed to set up id mapping.
__lxc_start: 2107 Failed to spawn container "173"
TASK ERROR: startup for container '173' failed

Assorted Questions
Q1: Do UID/GID mappings have to be unique to the cluster? (read: is my container somehow overlapping other containers' mappings and thus crashing)

Q2: Is there a limit to the range of values mapped? (I'm mapping a total of 1 million values but I assume it is a 32-bit value that allows up to ~4 billion values and equivalent range)

Q3: What is the default idmap if the .conf file does not explicitly set lxc.idmap for a given unprivileged container?

Q4: What does the line "newuidmap 584436 0 100000 1000000" from the lxc-start error mean? (as in, what does each value translate to?)

I am most assuredly doing something wrong; I would appreciate input about the issue and also replies to the questions to improve my technical understanding.
 
Recent Proxmox versions have the option to do passthrough of dev-nodes with containers (Resources, Add, Device Passthrough) in the web GUI, which is much easier to use. I hope someone else will answer your questions in detail.
 
You should look at two man pages: "man subuid" and "man subgid".

Those files define the maximum range of UIDs/GIDs for particular users. On my PVE server, root is allowed 65536 UIDs and GIDs.

ETA: Whether having a million actual user IDs will be a problem is a whole other question. If they need to have entries in /etc/passwd it surely will be!
 
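The error in the original post and the /etc/subuid check the reply above points at can be reproduced offline. The following added Python script is not Proxmox or LXC code and is not from anyone in this thread: it parses subuid/subgid entries for the user that runs lxc-start (root on a PVE host, whose default entry per the linked wiki is root:100000:65536) and applies the rule newuidmap(1)/newgidmap(1) enforce, namely that the host-side range requested by lxc.idmap must be fully covered by that user's entries (contiguous entries are chained, as the shadow implementation does). It also decodes the argv newuidmap was called with in the error line, which is pid followed by container-id/host-id/count triples, and rejects ranges that run past the 32-bit id space. The file contents, idmap line and command line below are constructed sample inputs.

```python
#!/usr/bin/env python3
"""Pre-flight check of an unprivileged LXC idmap against /etc/subuid or /etc/subgid.

newuidmap(1)/newgidmap(1) only write a mapping whose host-side (lower) range is
covered by entries granted to the *calling* user in /etc/subuid or /etc/subgid;
on a Proxmox VE host lxc-start runs as root, so the root: entries decide.
Added example for the thread above, not Proxmox or LXC code; all inputs are constructed.
"""
from dataclasses import dataclass

MAX_ID = 0xFFFFFFFF  # ids are 32-bit; 4294967295 ((uid_t)-1) is the invalid id


@dataclass(frozen=True)
class IdRange:
    start: int  # first host id
    count: int  # number of ids

    @property
    def end(self) -> int:  # exclusive
        return self.start + self.count


def parse_subid(text: str, user: str) -> list[IdRange]:
    """Parse subuid/subgid text (name:start:count per line, '#' comments) and
    return the ranges granted to `user`, merged where entries overlap or touch
    (shadow's newuidmap chains contiguous entries when verifying a request)."""
    ranges = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append(IdRange(int(start), int(count)))
    merged: list[IdRange] = []
    for r in sorted(ranges, key=lambda r: r.start):
        if merged and r.start <= merged[-1].end:
            last = merged.pop()
            merged.append(IdRange(last.start, max(last.end, r.end) - last.start))
        else:
            merged.append(r)
    return merged


def parse_idmap(line: str) -> tuple[str, int, int, int]:
    """'lxc.idmap: u 0 100000 1000000' -> ('u', 0, 100000, 1000000)."""
    kind, ct_start, host_start, count = line.split(":", 1)[1].split()
    return kind, int(ct_start), int(host_start), int(count)


def check_idmap(idmap_line: str, subid_text: str, user: str = "root") -> tuple[bool, str]:
    """Return (allowed, message); the message mirrors newuidmap's error wording."""
    kind, ct_start, host_start, count = parse_idmap(idmap_line)
    ct_end, host_end = ct_start + count, host_start + count
    if count <= 0 or ct_end > MAX_ID or host_end > MAX_ID:
        return False, f"{kind}id range of {count} ids at {host_start} exceeds 32-bit id space"
    granted = parse_subid(subid_text, user)
    ok = any(r.start <= host_start and host_end <= r.end for r in granted)
    verdict = "allowed" if ok else "not allowed"
    return ok, f"{kind}id range [{ct_start}-{ct_end}) -> [{host_start}-{host_end}) {verdict}"


def decode_newuidmap_args(cmdline: str) -> tuple[int, list[tuple[int, int, int]]]:
    """Decode the argv newuidmap/newgidmap is invoked with:
    newuidmap <pid> <ct_id> <host_id> <count> [<ct_id> <host_id> <count> ...]"""
    argv = cmdline.split()
    pid = int(argv[1])
    nums = [int(x) for x in argv[2:]]
    if not nums or len(nums) % 3:
        raise ValueError("mappings come in (container id, host id, count) triples")
    triples = [(nums[i], nums[i + 1], nums[i + 2]) for i in range(0, len(nums), 3)]
    return pid, triples


# Constructed sample inputs: the default PVE root entry and the idmap from the post.
PVE_DEFAULT_SUBUID = "root:100000:65536\n"
OP_IDMAP = "lxc.idmap: u 0 100000 1000000"

if __name__ == "__main__":
    print(check_idmap(OP_IDMAP, PVE_DEFAULT_SUBUID)[1])
    print(check_idmap(OP_IDMAP, "root:100000:1000000\n")[1])
    print(decode_newuidmap_args("newuidmap 584436 0 100000 1000000"))
```

Run against the default root entry, the posted mapping yields the same "not allowed" verdict as the lxc-start log; widening the root entry to root:100000:1000000 (or adding a contiguous root:165536:934464 entry) makes the same mapping pass. A subuid entry for some other user name does not help, because newuidmap checks the entries of the user that runs it. The script reads the file contents from a string, so point it at the host's /etc/subuid and /etc/subgid before editing the container config.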
