
I cannot get my head around the userns-idmap mapping ie with sub{uid,gid} mapping stuff.

Here's what I have:

# lxc launch images:ubuntu/22.04 c1
# lxc config device add c1 home disk source=/home/user3/ path=/home/user3
# lxc config device add c1 shared disk source=/mnt/shared path=/mnt/shared

Then I added a user and group to the container:

# lxc exec c1 bash
# groupadd -g 1003 user3
# groupadd -g 1004 shared
# useradd -u 1003 -g 1003 -G shared user3
  • The user user3 has the uid 1003 on the host and belongs to the group shared (as well as its own)
  • The group shared has the gid of 1004

Here's my sub{uid,gid}:

sudo tee /etc/sub{uid,gid} <<EOF
root:1000:65536
user0:100000:65536
user1:100001:65536
user2:100002:65536
user3:100003:65536
EOF

sudo tee -a /etc/subgid <<EOF
shared:100004:1
EOF

I want to map user3's uid 1003 and gid 1003 into the container. I also want to map shared which is 1004 on the host into the container.

  1. Is my /etc/sub{uid,gid} correct?
  2. What do I need for the raw.idmap command?
  3. I want to make a c2 container which has home directories for user0-3 mapped through.

I tried:

# printf 'both 1003 1003\ngid 1004 1\n' | lxc config set c1 raw.lxc -

to begin with, but was getting the error:

ERROR conf - ../src/lxc/conf.c:lxc_map_ids:3672 - newuidmap failed to write mapping "newuidmap: uid range [1001-1002) -> [100003-100004) not allowed": newuidmap 22185 0 1000 1001 1001 10000

ERROR start - ../src/lxc/start.c:lxc_spawn:1791 - Failed to set up id mapping.

2 Answers


So I found the solution to this.

I needed:

$ cat /etc/subuid
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:100000:65536
lxd:100000:65536
$ cat /etc/subgid
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:100000:65536
lxd:100000:65536

The reason it had to be root was because LXD launches LXC containers as the host's root user. The containers themselves are still unprivileged (in that root inside the container isn't root on the host).

Further it was needed to also add an entry to /etc/lxc/default.conf of:

lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 0
lxc.idmap = g 1001 101001 0
lxc.idmap = u 1001 1001 1
lxc.idmap = g 1001 1001 1
lxc.idmap = u 1002 101002 0
lxc.idmap = g 1002 101002 0
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1002 1002 1
lxc.idmap = u 1003 101003 0
lxc.idmap = g 1003 101003 0
lxc.idmap = u 1003 1003 1
lxc.idmap = g 1003 1003 1
lxc.idmap = u 1004 101004 64532
lxc.idmap = g 1004 1004 1
lxc.idmap = g 1005 101005 64532

For generating this I found proxmox-lxc-idmapper which helped me generate the correct lxc.idmap.

Note, though, that the tool is not without bugs, so you should check the output carefully to make sure it's actually what you want.

  • Amazing, this script helped me so much, I think I now even understand what I did wrong all this time.
    – K_Rol
    Commented Nov 30, 2023 at 5:55

Your subuid definitions are overlapping, which is not allowed.

user0:100000:65536

This means user0 gets 100000 to 165535. This also means that the next user has to start at 165536.

user1:165536:65536

The next gets

user2:231072:65536

and so on.

  • What would the raw.idmap look like then for passing in user2 (in your example) and the shared group?
    – dogman
    Commented Aug 1, 2022 at 7:23
  • Sorry, I'm not familiar with shared subuids and I don't know what you mean by raw.idmap.
    Commented Aug 1, 2022 at 7:35
  • It's a part of custom-idmaps. Basically trying to do "Add a shared host directory to an LXC/LXD container (read-write mode)".
    – dogman
    Commented Aug 1, 2022 at 8:29
  • "Your subuid definitions are overlapping, which is not allowed." citation needed? This claim is thrown around a lot but I'm not sure where the supposed restriction comes from. The uid_map and gid_map associated with an individual process are certainly not allowed to overlap as documented in user_namespaces(7), but this is separate to which users are allowed to use a subuid/gid range. subuid(5)/subgid(5) don't mention overlapping IDs
    – sqweek
    Commented Jul 26, 2023 at 6:21
  • "not allowed" might have been a bit harsh. Better would be "should not overlap, as it leads to shared UIDs on the filesystem, which leads to security issues as users are able to read/write files of other users, which is exactly what the subuid/guid system is supposed to prevent."
    Commented Jul 26, 2023 at 6:29
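An added example, not code from either answer or from proxmox-lxc-idmapper: a small Python script that builds lxc.idmap lines in the layout the first answer used (container ids shifted into the host's 100000 range, except for host ids passed through as themselves) and that checks a sub{uid,gid} file for the overlapping ranges the second answer describes. The function names and the base/size defaults are my assumptions; it writes no files and only prints what it would generate.

```python
"""Generate LXC idmap lines for pass-through host ids and check sub{uid,gid} overlap."""
from typing import Iterable, List, Tuple

Entry = Tuple[str, int, int]  # (owner, first_id, count)

def idmap_lines(kind: str, passthrough: Iterable[int],
                base: int = 100000, size: int = 65536) -> List[str]:
    """Map container ids 0..size-1 onto host base..base+size-1, except that each id
    in passthrough maps to the identical host id (the first answer's layout). kind is
    'u' or 'g'. The last segment length is computed so the map stays inside the range."""
    lines: List[str] = []
    start = 0
    for cid in sorted(set(passthrough)):
        if not 0 <= cid < size:
            raise ValueError(f"id {cid} outside container range 0..{size - 1}")
        if cid > start:  # shifted block preceding the pass-through id
            lines.append(f"lxc.idmap = {kind} {start} {base + start} {cid - start}")
        lines.append(f"lxc.idmap = {kind} {cid} {cid} 1")  # identity mapping
        start = cid + 1
    if start < size:  # trailing shifted block, ends exactly at base + size - 1
        lines.append(f"lxc.idmap = {kind} {start} {base + start} {size - start}")
    return lines

def parse_subid(text: str) -> List[Entry]:
    """Parse /etc/subuid or /etc/subgid lines of the form owner:first:count."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        owner, first, count = line.split(":")
        entries.append((owner, int(first), int(count)))
    return entries

def find_overlaps(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (owner_a, owner_b) pairs of different owners whose ranges share an id."""
    hits = []
    for i, (a, a0, an) in enumerate(entries):
        for b, b0, bn in entries[i + 1:]:
            if a != b and a0 < b0 + bn and b0 < a0 + an:
                hits.append((a, b))
    return hits

if __name__ == "__main__":
    # Constructed input: the overlapping /etc/subuid ranges from the question.
    SUBUID = "root:1000:65536\nuser0:100000:65536\nuser1:100001:65536\n"
    print(find_overlaps(parse_subid(SUBUID)))
    print("\n".join(idmap_lines("u", [1000, 1001, 1002, 1003])))
```

The generated tail for a gid map that passes 1000 to 1004 through is 64531 entries long, which is what keeps the last host gid at 165535, the top of a root:100000:65536 subgid range.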
