Discussion:
uid range not allowed
Christoph Willing
2016-07-23 07:49:07 UTC
I'm following the guide to run X apps in a container at:
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

***@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is
needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it just
says the same thing.

I'm using:
lxc-2.0.1
cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris
Andreas Vögele
2016-07-23 08:16:37 UTC
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
[...]
Can anyone shed light on this problem please?
You've got to add the id to /etc/subuid and /etc/subgid. Example:

chris:1000:1
chris:100000:65536

Kind regards,
Andreas
Christoph Willing
2016-07-23 10:03:22 UTC
Post by Andreas Vögele
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
[...]
Can anyone shed light on this problem please?
chris:1000:1
chris:100000:65536
Thanks Andreas,

I had the second line but not the first. The container starts without
error now.

chris
Serge E. Hallyn
2016-07-23 13:44:41 UTC
Post by Christoph Willing
Post by Andreas Vögele
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
[...]
Can anyone shed light on this problem please?
chris:1000:1
chris:100000:65536
Thanks Andreas,
I had the second line but not the first. The container starts
without error now.
chris
Note that the 1000 throughout here should be replaced by your real
uid and gid. If you just use '1000' but that's not your uid/gid,
then you're letting your user own someone else's uid/gid, which means
any trojan that runs as you has more privilege than you thought.
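The two points in this thread (every `lxc.id_map` host range must be backed by an entry in /etc/subuid or /etc/subgid for the user, and a 1:1 mapping should only ever be your own id) can be checked before you run `lxc-start`. The script below is an added example, not code from the thread or from the LXC project: `check_idmap` parses a container config and the two sub-id files and reports each mapping as OK, MISSING (newuidmap/newgidmap would refuse it) or FOREIGN-IDENTITY (host id equals container id but is not the invoking user's id, which is the exposure Serge describes). The user name `chris`, the ids, the file contents and the `demo` helper are constructed for the example; the script also accepts the newer `lxc.idmap` key name, which is an assumption about configs newer than lxc 2.0.

```shell
#!/bin/sh
# Added example (not from the thread or from LXC): check lxc.id_map ranges
# against /etc/subuid and /etc/subgid before starting the container.
# Sample config, user name and sub-id contents below are constructed.

# check_idmap USER UID GID CONFIG SUBUID_FILE SUBGID_FILE
# Prints one line per id_map entry; returns 0 only if every entry is OK.
check_idmap() {
    ci_user=$1 ci_uid=$2 ci_gid=$3 ci_conf=$4 ci_subuid=$5 ci_subgid=$6
    awk -v user="$ci_user" -v myuid="$ci_uid" -v mygid="$ci_gid" \
        -v subuid="$ci_subuid" -v subgid="$ci_subgid" '
    # load "name:start:count" lines for this user, keyed by "u" or "g"
    function load(file, kind,   line, f, n) {
        while ((getline line < file) > 0) {
            n = split(line, f, ":")
            if (n == 3 && f[1] == user) {
                nr[kind]++
                lo[kind, nr[kind]] = f[2] + 0
                hi[kind, nr[kind]] = f[2] + f[3]   # exclusive upper bound
            }
        }
        close(file)
    }
    # is [start, start+count) inside one of the allowed ranges?
    function covered(kind, start, count,   i) {
        for (i = 1; i <= nr[kind]; i++)
            if (start >= lo[kind, i] && start + count <= hi[kind, i])
                return 1
        return 0
    }
    BEGIN { load(subuid, "u"); load(subgid, "g"); bad = 0 }
    ($1 == "lxc.id_map" || $1 == "lxc.idmap") && $2 == "=" {
        k = $3; cont = $4 + 0; host = $5 + 0; count = $6 + 0
        myid = (k == "u") ? myuid + 0 : mygid + 0
        if (!covered(k, host, count)) {
            # this is exactly the newuidmap "range not allowed" failure
            printf "MISSING  %s [%d-%d) -> [%d-%d): add \"%s:%d:%d\" to /etc/sub%sid\n",
                   k, cont, cont + count, host, host + count, user, host, count, k
            bad = 1
        } else if (cont == host && host != myid) {
            # allowed by the sub-id file, but it hands the container another
            # account on the host: a compromised container process owns its files
            printf "FOREIGN-IDENTITY %s %d is mapped 1:1 but the invoking user is %d\n",
                   k, host, myid
            bad = 1
        } else {
            printf "OK       %s %d..%d -> %d..%d\n",
                   k, cont, cont + count - 1, host, host + count - 1
        }
    }
    END { exit bad }
    ' "$ci_conf"
}

# Constructed demo: the mapping from the thread, before and after the fix.
demo() {
    d=$(mktemp -d)
    cat > "$d/config" <<'EOF'
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
EOF
    printf 'chris:100000:65536\n' > "$d/sub.before"
    printf 'chris:1000:1\nchris:100000:65536\n' > "$d/sub.after"
    echo "== /etc/sub{u,g}id without chris:1000:1 =="
    check_idmap chris 1000 1000 "$d/config" "$d/sub.before" "$d/sub.before" \
        || echo "-> lxc-start would fail: newuidmap refuses the 1000 mapping"
    echo "== with chris:1000:1 added =="
    check_idmap chris 1000 1000 "$d/config" "$d/sub.after" "$d/sub.after" \
        && echo "-> every range is allowed"
    echo "== same files, but the invoking user is uid/gid 1001 =="
    check_idmap chris 1001 1001 "$d/config" "$d/sub.after" "$d/sub.after" \
        || echo "-> the 1:1 mapping of 1000 is someone else's identity"
    rm -rf "$d"
}
demo
```

Run it against a real container with `check_idmap "$USER" "$(id -u)" "$(id -g)" ~/.local/share/lxc/NAME/config /etc/subuid /etc/subgid`; the MISSING line prints the exact sub-id entry root needs to add, and FOREIGN-IDENTITY is the case to fix in the config rather than in /etc/subuid.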
rob e
2016-07-23 08:38:30 UTC
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
the container runs again - but it's that particular mapping that is
needed in this case.
I set up a log file to priority DEBUG but no extra clues there - it
just says the same thing.
lxc-2.0.1
cgmanager-0.39
with container config file attached.
Can anyone shed light on this problem please?
chris
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
umm .. I have exactly that setup (user and group id mapping) and it
works for me. It's what I use for desktop integration. Did you change
the /etc/sub* files as per the following ?
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

I promise it works here. This is the config for one of my most used
containers

# Template used to create this container:
/usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r xenial -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
# ------- Replaced -------#
#lxc.id_map = u 0 100000 65536
#lxc.id_map = g 0 100000 65536
# ------- With -------#Permission denied -
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
# --------------------#

lxc.rootfs = /mnt/....../<container-name>/rootfs
lxc.rootfs.backend = dir
lxc.utsname = <container-name>

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx

# =========================== My Additions ========================== #
## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500

lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
# lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file # NO CAMERA
lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file

#lxc.hook.pre-start = /mnt/...../<container-name>/setup-pulse.sh
lxc.hook.pre-start = /mnt/.....<container-name>/lxc-devsetup

lxc.aa_profile = lxc-container-default-with-mounting
## lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm ... in this case /dev/sr0 (EXCLUDES /dev/sr1)
lxc.cgroup.devices.allow = b 11:0 rwm
## and add /dev/sr1
lxc.cgroup.devices.allow = b 11:1 rwm
# Fuse (user mounted filesystem facilitator), character device at 10:29 (use ls -la /dev/fuse)
lxc.cgroup.devices.allow = c 10:29 rwm
# ==================== End Change For Xenial ====================== #


And the /etc/sub* files (modified to protect the innocent ...)
/etc/subuid

<me>:100000:65536
<lxd>:165536:65536
root:165536:65536
<someone>:231072:65536
root:1000:1

/etc/subgid

<me>:100000:65536
<lxd>:165536:65536
root:165536:65536
<someone>:231072:65536
root:1000:1
Christoph Willing
2016-07-23 10:03:31 UTC
Post by rob e
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
the container runs again - but it's that particular mapping that is
needed in this case.
I set up a log file to priority DEBUG but no extra clues there - it
just says the same thing.
lxc-2.0.1
cgmanager-0.39
with container config file attached.
Can anyone shed light on this problem please?
chris
umm .. I have exactly that setup (user and group id mapping) and it
works for me. It's what I use for desktop integration. Did you change
the /etc/sub* files as per the following ?
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/
[snip]

Yes, from that site I already had chris:100000:65536

What was missing was a chris:1000:1 entry, so now I have:
chris:1000:1
chris:100000:65536

which is allowing container startup without any error.

I see you have a root:1000:1 entry - that didn't work for me. I guess
you're running yours as privileged containers?

chris
Post by rob e
And the /etc/sub* files (modified to protect the innocent ...)
/etc/subuid
<me>:100000:65536
<lxd>:165536:65536
root:165536:65536
<someone>:231072:65536
root:1000:1
/etc/subgid
<me>:100000:65536
<lxd>:165536:65536
root:165536:65536
<someone>:231072:65536
root:1000:1
Chris Willing
2016-07-23 07:08:53 UTC
I'm following the guide to run X apps in a container at:
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

***@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is
needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it just
says the same thing.

I'm using:
lxc-2.0.1
cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris
Christoph Willing
2016-07-28 11:17:18 UTC
Sorry for the duplicate - I had earlier posted to the list from the
wrong email identity and presumed it would be rejected as coming from a
non-subscriber but looks like it has just been waved through now.

The immediate problem was solved - I needed to add an additional
"chris:1000:1" to /etc/sub{u,g}id

chris
Post by Christoph Willing
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
As a starting point, I have a normal unprivileged container running
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
the container runs again - but it's that particular mapping that is
needed in this case.
I set up a log file to priority DEBUG but no extra clues there - it just
says the same thing.
lxc-2.0.1
cgmanager-0.39
with container config file attached.
Can anyone shed light on this problem please?
chris