[lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??
Yasoda Padala
2018-08-17 04:04:57 UTC
Hi All,
I have created a non-root user on my Ubuntu (16.04) machine who creates
unprivileged LXC containers.
My user's uid/gid on the host is 1000,
and below are the entries in the /etc/subuid & /etc/subgid files

/etc/subuid:
lxcuser:100000:65536

/etc/subgid:
lxcuser:100000:65536

My requirement is that for each LXC unprivileged container, I should be able to
pick a UID/GID range.
For instance, I have created two LXC containers, cont1 and cont2.
In cont1's config, I have added the below id mappings:
lxc.id_map = u 0 100000 10
lxc.id_map = g 0 100000 10

and in cont2's config file, I have added the below id mappings:
lxc.id_map = u 0 100020 10
lxc.id_map = g 0 100020 10

cont1 starts successfully, but cont2 gives the below error while starting
the container:

lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 -
Permission denied - Failed to get real path for
"/home/oxpd/.local/share/lxc/uidranges/rootfs".

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:setup_rootfs:1220 - Failed to mount rootfs
"/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn

lxc-start 20180817035100.984 ERROR lxc_start -
start.c:do_start:811 - Failed to setup container "uidranges".

lxc-start 20180817035100.984 ERROR lxc_sync -
sync.c:__sync_wait:57 - An error occurred in another process (expected
sequence number 3)

lxc-start 20180817035100.985 ERROR lxc_start -
start.c:__lxc_start:1358 - Failed to spawn container "uidranges".

lxc-start 20180817035106.524 ERROR lxc_start_ui -
tools/lxc_start.c:main:366 - The container failed to start.

lxc-start 20180817035106.525 ERROR lxc_start_ui -
tools/lxc_start.c:main:368 - To get more details, run the container in
foreground mode.

lxc-start 20180817035106.525 ERROR lxc_start_ui -
tools/lxc_start.c:main:370 - Additional information can be obtained by
setting the --logfile and --logpriority options.



My understanding is that lxcuser, who has been assigned the id range
100000-165536, can assign distinct subuid/gid ranges to each container
spawned by lxcuser.

Is my understanding correct? I am not finding any reference documents for
custom user mappings for LXC unprivileged containers.

Any help on this is highly appreciated.
Thanks & Regards,

Yasoda
Yasoda Padala
2018-08-20 07:13:31 UTC
Hi All,
Can someone please help me with the above query?

Thanks & Regards,
Yasoda
Xavier Gendre
2018-08-20 07:24:31 UTC
Hi Yasoda,

Only 10 ids is a bit short for a container. You should increase this
number to cover at least the system ids 0-999. Depending on the
distribution you run in your containers, you can be sharper and only
involve the needed ids, but they all have to be covered.

Xavier
_______________________________________________
lxc-users mailing list
http://lists.linuxcontainers.org/listinfo/lxc-users
Yasoda Padala
2018-08-21 10:07:49 UTC
Hi Xavier,
Thank you for your response.
I even tried with a bigger range, but still no luck.

In the 1st container (cont1) config:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000

and in the 2nd container (cont2) config:
lxc.id_map = u 0 101500 1000
lxc.id_map = g 0 101500 1000

I get the same error:

lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 -
Permission denied - Failed to get real path for
"/home/oxpd/.local/share/lxc/uidranges/rootfs".

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:setup_rootfs:1220 - Failed to mount rootfs
"/home/oxpd/.local/share/lxc/uidranges/rootfs" onto
"/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'

lxc-start 20180817035100.984 ERROR lxc_conf -
conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn

lxc-start 20180817035100.984 ERROR lxc_start -
start.c:do_start:811 - Failed to setup container "uidranges".

lxc-start 20180817035100.984 ERROR lxc_sync -
sync.c:__sync_wait:57 - An error occurred in another process (expected
sequence number 3)

lxc-start 20180817035100.985 ERROR lxc_start -
start.c:__lxc_start:1358 - Failed to spawn container "uidranges".

lxc-start 20180817035106.524 ERROR lxc_start_ui -
tools/lxc_start.c:main:366 - The container failed to start.

lxc-start 20180817035106.525 ERROR lxc_start_ui -
tools/lxc_start.c:main:368 - To get more details, run the container in
foreground mode.

lxc-start 20180817035106.525 ERROR lxc_start_ui -
tools/lxc_start.c:main:370 - Additional information can be obtained by
setting the --logfile and --logpriority options.

If I try something like the below:
in the 1st container (cont1) config,
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000

and in the 2nd container (cont2) config:
lxc.id_map = u 0 100000 2000
lxc.id_map = g 0 100000 2000

it works, but on the host both containers created by my lxcuser have the
same user id, which is 100000. Hence, it is not possible to identify each
container uniquely on the host machine.

My query is: is there any way a non-root user can create various
containers such that each container has a unique user id on the host machine?

Thanks for your help,
Yasoda

Dirk Geschke
2018-08-21 11:39:08 UTC
Hi Yasoda,
Post by Yasoda Padala
get the same error
lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 -
Permission denied - Failed to get real path for
"/home/oxpd/.local/share/lxc/uidranges/rootfs".
Can you check the directory permissions for

/home/oxpd/.local/share/lxc/uidranges

I think, they should own the LXC-root but the group should
be yours and mode 770, the group must have full access.
Otherwise the unprivileged user can't access his own
container configuration.

Best regards

Dirk
--
+----------------------------------------------------------------------+
| Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
| Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
| ***@geschke-online.de / ***@lug-erding.de / ***@lug-erding.de |
+----------------------------------------------------------------------+
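Dirk's permission check and Yasoda's original question about giving each container its own range can both be scripted. The following shell script is an added example, not code from this thread or from the LXC project. It builds a sample subuid file and container configs in a temporary directory (constructed values laid out like the ones quoted above), then checks that each container's `lxc.id_map` range lies inside the user's subuid allocation, that no two containers map container root onto overlapping host uids, that the container directory is readable, writable and searchable by the user running the script (a simpler stand-in for Dirk's group/mode 770 advice), and that the rootfs is owned by the mapped root uid with every file owner inside the mapping (Xavier's point that all ids in use must be covered). The helper names (`idmap_range`, `subid_alloc`, `in_allocation`, `ranges_overlap`, `rootfs_ids_covered`, `check_container`, `check_distinct`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the lxc-users thread or the LXC project).
# Sample subuid file and configs are constructed here in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBUID="$WORK/subuid"
printf 'lxcuser:100000:65536\n' > "$SUBUID"
printf 'lxc.id_map = u 0 100000 1000\nlxc.id_map = g 0 100000 1000\n' > "$WORK/cont1.conf"
printf 'lxc.id_map = u 0 101500 1000\nlxc.id_map = g 0 101500 1000\n' > "$WORK/cont2.conf"
printf 'lxc.id_map = u 0 100000 2000\nlxc.id_map = g 0 100000 2000\n' > "$WORK/cont3.conf"  # shares ids with cont1
printf 'lxc.id_map = u 0 165000 1000\n' > "$WORK/cont4.conf"  # runs past lxcuser's allocation
# A config and rootfs owned by whoever runs this script, so the filesystem checks can pass.
ME=$(id -u)
printf 'tester:%s:1000\n' "$ME" >> "$SUBUID"
printf 'lxc.id_map = u 0 %s 1000\n' "$ME" > "$WORK/self.conf"
mkdir -p "$WORK/self/rootfs/etc" && : > "$WORK/self/rootfs/etc/passwd"

file_uid() { stat -c %u "$1" 2>/dev/null || stat -f %u "$1"; }  # GNU stat, then BSD stat

# Print "start count" of the mapping of type u|g whose container-side id is 0.
# Assumes the spaced "key = value" form from the thread; accepts lxc.id_map and lxc.idmap.
idmap_range() {  # $1=config $2=u|g
    awk -v t="$2" '$1 ~ /^lxc\.id_?map$/ && $3 == t && $4 == 0 { print $5, $6; exit }' "$1"
}

# Print "start count" allocated to a user in a subuid/subgid-style file.
subid_alloc() {  # $1=file $2=user
    awk -F: -v u="$2" '$1 == u { print $2, $3; exit }' "$1"
}

# 0 if [start, start+count) lies inside the user's allocation.
in_allocation() {  # $1=file $2=user $3=start $4=count
    set -- "$1" "$2" "$3" "$4" $(subid_alloc "$1" "$2")
    [ -n "$5" ] || return 1
    [ "$3" -ge "$5" ] && [ $(( $3 + $4 )) -le $(( $5 + $6 )) ]
}

# 0 if two host ranges share at least one id.
ranges_overlap() {  # $1=start1 $2=count1 $3=start2 $4=count2
    [ "$1" -lt $(( $3 + $4 )) ] && [ "$3" -lt $(( $1 + $2 )) ]
}

# 0 if every file under the rootfs is owned by a uid inside [start, start+count);
# a file owned outside the mapping shows up as "nobody" inside the container.
rootfs_ids_covered() {  # $1=rootfs $2=start $3=count
    find "$1" | while IFS= read -r f; do file_uid "$f"; done |
        awk -v s="$2" -v n="$3" '$1 < s || $1 >= s + n { bad = 1 } END { exit bad }'
}

# 0 if the config's uid mapping is inside the user's allocation and, when a container
# directory is given, the current user can traverse and write it, its rootfs is owned
# by the host uid that container root maps to, and all rootfs owners are inside the mapping.
check_container() {  # $1=subuid file $2=user $3=config $4=container dir (optional)
    set -- "$1" "$2" "$3" "$4" $(idmap_range "$3" u)
    [ -n "$5" ] || { echo "$3: no uid mapping for container id 0"; return 1; }
    in_allocation "$1" "$2" "$5" "$6" ||
        { echo "$3: host uids $5..$(( $5 + $6 - 1 )) exceed $2's subuid allocation"; return 1; }
    [ -n "$4" ] || return 0
    [ -r "$4" ] && [ -w "$4" ] && [ -x "$4" ] ||
        { echo "$4: not readable/writable/searchable by uid $(id -u)"; return 1; }
    [ "$(file_uid "$4/rootfs")" = "$5" ] ||
        { echo "$4/rootfs: owner $(file_uid "$4/rootfs") is not the mapped root uid $5"; return 1; }
    rootfs_ids_covered "$4/rootfs" "$5" "$6" ||
        { echo "$4/rootfs: contains files owned outside the mapping"; return 1; }
}

# 0 if no two configs share host uids, so each container is distinguishable on the host.
check_distinct() {  # config files...
    for a in "$@"; do
        after_a=0
        for b in "$@"; do
            if [ "$b" = "$a" ]; then after_a=1; continue; fi
            [ "$after_a" -eq 1 ] || continue   # each unordered pair once
            if ranges_overlap $(idmap_range "$a" u) $(idmap_range "$b" u); then
                echo "$a and $b map container root onto overlapping host uids"; return 1
            fi
        done
    done
    return 0
}

# Stand-alone demo over the constructed files.
for c in cont1 cont2 cont3 cont4; do
    check_container "$SUBUID" lxcuser "$WORK/$c.conf" && echo "$c: mapping inside allocation"
done
check_distinct "$WORK/cont1.conf" "$WORK/cont2.conf" && echo "cont1/cont2: distinct host uids"
check_distinct "$WORK/cont1.conf" "$WORK/cont3.conf"
check_container "$SUBUID" tester "$WORK/self.conf" "$WORK/self" && echo "self: directory and rootfs ok"
```

On a real host the checks would be run as the unprivileged user against the real files, for instance `check_container /etc/subuid lxcuser ~/.local/share/lxc/cont1/config ~/.local/share/lxc/cont1`, which reports the same "not accessible" condition that surfaced in the thread as `Permission denied - Failed to get real path`. The accessibility test is deliberately done from the user's point of view rather than by inspecting mode bits, so it also catches a parent directory the user cannot traverse.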
Xavier Gendre
2018-08-21 12:48:00 UTC
Hi,
Post by Dirk Geschke
can you check the directory permissions for
/home/oxpd/.local/share/lxc/uidranges
As Dirk said, your problem could be related to permissions of the rootfs
itself and not to subordinate ids.
Post by Dirk Geschke
in 1st container (cont1) config,
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
&
lxc.id_map = u 0 101500 1000
lxc.id_map = g 0 101500 1000
get the same error
On my side, these configurations work fine together, and the two
containers (created by a non-root user with template "download" and
distribution debian stretch amd64 for my tests) start without trouble.
The rootfs of the containers c1 and c2 belongs to subuid 100000 and
101500, respectively, just as you want.

Xavier
Yasoda Padala
2018-08-22 10:15:29 UTC
Thank you, Dirk, for your response.
It was a permission issue; as you suggested, I corrected the permissions to
give the unprivileged user full access to the container's rootfs, and it
started working.

Thanks again,
Yasoda
