Discussion: problems or only a warning (!?) with lxc-clone
Yonsy Solis
2015-05-07 14:46:00 UTC
Hi

I created a base container with the minimum needed to work: zsh,
oh-my-zsh, updated Ubuntu 14.04.2 packages, a user with admin/sudo
rights, goodbye to root ssh logins, ssh only by certificate, no ssh
passwords, cleaned apt archives, cleaned logs, etc. A little paranoid
about security.

For new containers I clone everything from this base container, and I
get this message:
===
host15 :: ~ » lxc-clone -s baseserver testserver
newgidmap: gid range [100000-100001) -> [200000-200001) not allowed
error mapping child
setgid: Invalid argument
Created container testserver as snapshot of base
===

With this warning, the container is cloned. I run this as user
lazarus
===
host15 :: ~ » cat /etc/subgid /etc/subuid
root:100000:65536
lazarus:100000:65536
root:100000:65536
lazarus:100000:65536
===

Is this warning normal, or is a possible error growing unnoticed?
Can somebody explain to me why this warning appears?


Yonsy Solis
Serge Hallyn
2015-05-07 19:36:49 UTC
Post by Yonsy Solis
Hi
I created a base container with the minimum needed to work: zsh,
oh-my-zsh, updated Ubuntu 14.04.2 packages, a user with admin/sudo
rights, goodbye to root ssh logins, ssh only by certificate, no ssh
passwords, cleaned apt archives, cleaned logs, etc. A little paranoid
about security.
For new containers I clone everything from this base container, and I get
===
host15 :: ~ » lxc-clone -s baseserver testserver
newgidmap: gid range [100000-100001) -> [200000-200001) not allowed
You're trying to map 200000 on the host to 100000 in the container,
but you're not allowed by /etc/subgid to use 200000 on the host.

I suspect you have something like

lxc.id_map = g 100000 200000 1

when you want maybe

lxc.id_map = g 0 100000 1

Guess it depends on exactly what you are trying to do - do you want
uid 0 in the container to be uid 100000 on the host?
Post by Yonsy Solis
error mapping child
setgid: Invalid argument
Created container testserver as snapshot of base
===
With this warning, the container is cloned. I run this as user
lazarus
===
host15 :: ~ » cat /etc/subgid /etc/subuid
root:100000:65536
lazarus:100000:65536
root:100000:65536
lazarus:100000:65536
===
Is this warning normal, or is a possible error growing unnoticed?
Can somebody explain to me why this warning appears?
Yonsy Solis
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
Yonsy Solis
2015-05-07 22:20:07 UTC
Post by Serge Hallyn
Post by Yonsy Solis
for new containers i clone all from this base container, and I get
===
host15 :: ~ » lxc-clone -s baseserver testserver
newgidmap: gid range [100000-100001) -> [200000-200001) not allowed
You're trying to map 200000 on the host to 100000 in the container,
but you're not allowed by /etc/subgid to use 200000 on the host.
I suspect you have something like
lxc.id_map = g 100000 200000 1
when you want maybe
lxc.id_map = g 0 100000 1
In $HOME/.config/lxc/default.conf (for unprivileged containers) I have
this:

====
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
====
Post by Serge Hallyn
Guess it depends on exactly what you are trying to do - do you want
uid 0 in the container to be uid 100000 on the host?
Yes, and it works, apparently. The warning (newgidmap .... not allowed)
appears related to groups.


Yonsy Solis
Serge Hallyn
2015-05-07 22:27:25 UTC
On Thu, May 7, 2015 at 2:36 PM, Serge Hallyn
Post by Serge Hallyn
Post by Yonsy Solis
for new containers i clone all from this base container, and I get
===
host15 :: ~ » lxc-clone -s baseserver testserver
newgidmap: gid range [100000-100001) -> [200000-200001) not allowed
You're trying to map 200000 on the host to 100000 in the container,
but you're not allowed by /etc/subgid to use 200000 on the host.
I suspect you have something like
lxc.id_map = g 100000 200000 1
when you want maybe
lxc.id_map = g 0 100000 1
In $HOME/.config/lxc/default.conf (for unprivileged containers) I
====
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
What is in ~/.local/share/lxc/baseserver/config?
====
Post by Serge Hallyn
Guess it depends on exactly what you are trying to do - do you want
uid 0 in the container to be uid 100000 on the host?
Yes, and it works, apparently. The warning (newgidmap .... not allowed)
appears related to groups.
Yonsy Solis
Yonsy Solis
2015-05-07 22:37:13 UTC
Post by Serge Hallyn
What is in ~/.local/share/lxc/baseserver/config?
====
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/yonsy/.local/share/lxc/baseserver/rootfs
lxc.utsname = baseserver

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:3b:32:28
====


Yonsy Solis
Serge Hallyn
2015-05-07 23:44:49 UTC
On Thu, May 7, 2015 at 5:27 PM, Serge Hallyn
Post by Serge Hallyn
What is in ~/.local/share/lxc/baseserver/config?
====
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.rootfs = /home/yonsy/.local/share/lxc/baseserver/rootfs
lxc.utsname = baseserver
# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:3b:32:28
Well that's just perplexing.

Can you

strace -f -oxxx lxc-clone -s baseserver x1

and attach xxx to the reply? Probably won't work but worth a
try.
Yonsy Solis
2015-05-08 15:10:05 UTC
Post by Serge Hallyn
Well that's just perplexing.
Can you
strace -f -oxxx lxc-clone -s baseserver x1
and attach xxx to the reply? Probably won't work but worth a
try.
====
node :: ~ » strace -f -oxxx lxc-clone -s baseserver x1
newuidmap: write to uid_map failed: Operation not permitted
error mapping child
setgid: Invalid argument
lxc_container: lxccontainer.c: do_create_container_dir: 778 Failed to
chown container dir
lxc_container: lxccontainer.c: lxcapi_clone: 2696 Error creating
container dir for /home/yonsy/.local/share/lxc/x1/config
clone failed
====

Yonsy Solis
Serge Hallyn
2015-05-08 15:32:14 UTC
On Thu, May 7, 2015 at 6:44 PM, Serge Hallyn
Post by Serge Hallyn
Well that's just perplexing.
Can you
strace -f -oxxx lxc-clone -s baseserver x1
and attach xxx to the reply? Probably won't work but worth a
try.
====
node :: ~ » strace -f -oxxx lxc-clone -s baseserver x1
newuidmap: write to uid_map failed: Operation not permitted
what does 'ls -l /usr/bin/newuidmap /usr/bin/newgidmap' show?
error mapping child
setgid: Invalid argument
lxc_container: lxccontainer.c: do_create_container_dir: 778 Failed
to chown container dir
lxc_container: lxccontainer.c: lxcapi_clone: 2696 Error creating
container dir for /home/yonsy/.local/share/lxc/x1/config
clone failed
====
Yonsy Solis
Yonsy Solis
2015-05-08 15:52:18 UTC
Post by Serge Hallyn
what does 'ls -l /usr/bin/newuidmap /usr/bin/newgidmap' show?
mode :: ~ » ls -l /usr/bin/newuidmap /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newuidmap


Yonsy Solis
Yonsy Solis
2015-05-10 18:04:39 UTC
On Fri, May 8, 2015 at 10:32 AM, Serge Hallyn
Post by Serge Hallyn
what does 'ls -l /usr/bin/newuidmap /usr/bin/newgidmap' show?
mode :: ~ » ls -l /usr/bin/newuidmap /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newuidmap
This problem needs more details from me.

1. I use btrfs for the filesystem. Every new container gets a subvolume
generated (and in /etc/fstab I have user_subvol_rm_allowed on my
filesystem to avoid problems when I remove the containers with
lxc-destroy).

2. The warning/error (!?) only happens when I do "lxc-clone -s base
clone" (snapshots) but not when I do "lxc-clone base clone" (normal
clones). In both cases the uid==100000 and gid==100000.

3. If, according to https://help.ubuntu.com/14.04/serverguide/lxc.html
in "User namespaces", I set:

sudo usermod -v 100000-200000 -w 100000-200000 lazarus

then I can clone snapshots without the warning/error message, with the
rootfs uid=100000 and gid=200000, but I can't remove (lxc-destroy) the
cloned containers now; I need to do a btrfs subvol delete to remove the
rootfs for these new cloned containers. In the previous settings I can
lxc-clone snapshots and lxc-destroy the containers without problems
(remember I have user_subvol_rm_allowed on my system). I need to edit my
/etc/subuid and /etc/subgid files to recover my previous state.

So, with these new conditions that I have, is this a "normal" warning or
is there an error in the process?


Yonsy Solis
Serge Hallyn
2015-05-12 01:45:29 UTC
Post by Yonsy Solis
On Fri, May 8, 2015 at 10:32 AM, Serge Hallyn
Post by Serge Hallyn
what does 'ls -l /usr/bin/newuidmap /usr/bin/newgidmap' show?
mode :: ~ » ls -l /usr/bin/newuidmap /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 33688 Feb 16 2014 /usr/bin/newuidmap
This problem needs more details from me.
1. I use btrfs for the filesystem. Every new container gets a
subvolume generated (and in /etc/fstab I have user_subvol_rm_allowed
on my filesystem to avoid problems when I remove the containers with
lxc-destroy).
2. The warning/error (!?) only happens when I do "lxc-clone -s base
clone" (snapshots) but not when I do "lxc-clone base clone" (normal
clones). In both cases the uid==100000 and gid==100000.
3. If, according to
https://help.ubuntu.com/14.04/serverguide/lxc.html in "User
sudo usermod -v 100000-200000 -w 100000-200000 lazarus
then I can clone snapshots without the warning/error message, with the
rootfs uid=100000 and gid=200000, but I can't remove (lxc-destroy)
What do you mean here by 'gid=200000'?

You said in an earlier email that your lxc.conf only has
0:100000:65536 for both uid and gid mappings. But your first
email's error msg clearly showed mapping gid 200000. If you
weren't doing that on purpose with another lxc.id_map entry,
then there is something wonky going on inside lxc itself.

(also it might be worth reproducing this on a non-btrfs filesystem
using 'lxc-clone -s' using overlayfs)
Post by Yonsy Solis
the cloned containers now; I need to do a btrfs subvol delete to
remove the rootfs for these new cloned containers. In the previous
settings I can lxc-clone snapshots and lxc-destroy the containers
without problems (remember I have user_subvol_rm_allowed on my
system). I need to edit my /etc/subuid and /etc/subgid files to recover
my previous state.
So, with these new conditions that I have, is this a "normal" warning
or is there an error in the process?
Yonsy Solis
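As an added example, not code from the thread or from LXC: a Python check that models the rule Serge describes in his first reply (the host side of each lxc.id_map entry must lie inside a range granted to the user in /etc/subuid or /etc/subgid), and that also shows why the usermod -v/-w step in point 3 makes the message disappear. The /etc/subgid content and the poster's two id_map lines are taken from the thread as constructed samples; the entry `g 100000 200000 1` is Serge's guess, not the poster's real config, and the single-range rule is a simplification of what newuidmap/newgidmap implement.

```python
import re

# Constructed sample: the /etc/subgid content shown earlier in this thread.
SUBGID_SAMPLE = "root:100000:65536\nlazarus:100000:65536\n"
# Constructed: the line 'usermod -w 100000-200000 lazarus' (point 3) adds;
# the range is inclusive, so count = 100001.
SUBGID_AFTER_USERMOD = SUBGID_SAMPLE + "lazarus:100000:100001\n"
# Constructed: the poster's real mappings plus the one Serge guessed at.
ID_MAP_SAMPLE = [
    "lxc.id_map = u 0 100000 65536",
    "lxc.id_map = g 0 100000 65536",
    "lxc.id_map = g 100000 200000 1",
]
ID_MAP_RE = re.compile(r"\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_subid(text, user):
    """Return the (start, count) ranges granted to `user` (subuid/subgid syntax)."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, start, count = line.split(":")
            if name == user:
                ranges.append((int(start), int(count)))
    return ranges

def parse_id_map(lines, kind):
    """Return (ns_start, host_start, count) for 'lxc.id_map = u|g ...' lines of one kind."""
    found = []
    for line in lines:
        m = ID_MAP_RE.match(line)
        if m and m.group(1) == kind:
            found.append(tuple(int(x) for x in m.group(2, 3, 4)))
    return found

def host_range_allowed(host_start, count, ranges):
    """Simplified newuidmap/newgidmap rule: the host-side interval must fit
    entirely inside one range granted in /etc/subuid or /etc/subgid."""
    return any(s <= host_start and host_start + count <= s + c for s, c in ranges)

def check_mappings(config_lines, subid_text, user, kind):
    """One verdict per id_map entry, phrased like the newgidmap message."""
    ranges = parse_subid(subid_text, user)
    report = []
    for ns_start, host_start, count in parse_id_map(config_lines, kind):
        verdict = "ok" if host_range_allowed(host_start, count, ranges) else "not allowed"
        report.append(f"{kind}id range [{ns_start}-{ns_start + count}) -> "
                      f"[{host_start}-{host_start + count}) {verdict}")
    return report
```

Running check_mappings with the original /etc/subgid reproduces the exact "gid range [100000-100001) -> [200000-200001) not allowed" text for the guessed entry, and with the widened file the same entry passes, which is the behaviour change point 3 reports.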