Hello all,
Yet another post about UID/GID mapping on unprivileged containers.
Context
Before referring me to wiki and forum, I am aware and have read these pages:
https://pve.proxmox.com/wiki/Unprivileged_LXC_containers
https://forum.proxmox.com/threads/lxc-uid-mapping-woes.99376/
https://forum.proxmox.com/threads/understanding-lxc-uid-mappings.101855/
https://forum.proxmox.com/threads/how-to-use-uids-gids-higher-than-65535-in-ct-lxc.66382/
I have a cluster with a bunch of unprivileged containers, and there is a need to allow UIDs/GIDs above 65535, so I tried to enable it on container number 173, but it won't start. The goal is not about mounting some directory, file system or device; I specifically need users and groups above 65535 to be recognized inside the container.
Troubleshooting Information
Proxmox VE version:
7.4-17
Container 173 config:
Code:
arch: amd64
cores: 64
features: fuse=1, nesting=1
hostname: [redacted]
memory: 131072
net0: name=eth0,bridge=vmbr1,firewall=1,hwaddr=[redacted],ip=dhcp,ip6=dhcp,type=veth
onboot: 1
ostype: ubuntu
rootfs: local-lvm:vm-173-disk-0,size=256G
swap: 16384
unprivileged: 1
lxc.cgroup.devices.allow: c 195:* rwm
lxc.cgroup.devices.allow: c 506:* rwm
lxc.cgroup.devices.allow: c 235:* rwm
lxc.mount.entry: /dev/nvidia0 dev/nvidia0 none bind,optional,create=file
lxc.mount.entry: /dev/nvidiactl dev/nvidiactl none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm dev/nvidia-uvm none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-modeset dev/nvidia-modeset none bind,optional,create=file
lxc.mount.entry: /dev/nvidia-uvm-tools dev/nvidia-uvm-tools none bind,optional,create=file
lxc.mount.entry: /dev/dri dev/dri none bind,optional,create=dir
lxc.idmap: u 0 100000 1000000
lxc.idmap: g 0 100000 1000000
Container 173 /etc/subuid and /etc/subgid:
Code:
# cat /etc/subuid
my_local_ct_username:100000:1000000
# cat /etc/subgid
my_local_ct_username:100000:1000000
Container 173 lxc-start error:
Code:
lxc_map_ids: 3701 newuidmap failed to write mapping "newuidmap: uid range [0-1000000) -> [100000-1100000) not allowed": newuidmap 584436 0 100000 1000000
lxc_spawn: 1788 Failed to set up id mapping.
__lxc_start: 2107 Failed to spawn container "173"
TASK ERROR: startup for container '173' failed
Assorted Questions
Q1: Do UID/GID mappings have to be unique to the cluster? (read: is my container somehow overlapping other containers' mappings and thus crashing)
Q2: Is there a limit to the range of values mapped? (I'm mapping a total of 1 million values but I assume it is a 32-bit value that allows up to ~4 billion values and equivalent range)
Q3: What is the default idmap if the .conf file does not explicitly set lxc.idmap for a given unprivileged container?
Q4: What does the line "newuidmap 584436 0 100000 1000000" from the lxc-start error mean? (as in, what does each value translate to?)
I am most assuredly doing something wrong; I'd appreciate input about the issue and also replies to the questions to improve my technical understanding.