Unable to create unprivileged container with one uid/gid passed from host


Kees van Vloten

Dec 5, 2021, 3:21:41 PM
to lxc-...@lists.linuxcontainers.org
Hi Everybody,


I am trying to create an unprivileged container as root (and running it
from the root account) that has one uid/gid (990/986) passed into the
container. The plan is to mount a directory later, so files get the
right uid/gid on the host filesystem.

config:

lxc.start.auto=1
lxc.net.0.type=veth
lxc.net.0.link=br0
lxc.net.0.flags=up
lxc.group=samba_containers
lxc.start.order=3
lxc.start.delay=5
#lxc.mount.entry=/srv/mail srv/mail none rbind,rslave,rw,create=dir 0 0
lxc.uts.name=strauss
lxc.net.0.ipv4.address=192.168.10.5/24
lxc.net.0.ipv4.gateway=192.168.10.2
lxc.include=/etc/lxc/default.conf
lxc.include=/usr/share/lxc/config/debian.common.conf
lxc.include=/usr/share/lxc/config/debian.userns.conf
lxc.idmap=u 0 558752 990
lxc.idmap=g 0 558752 986
lxc.apparmor.profile = unconfined
# lxc.mount.auto = proc:mixed sys:ro cgroup:mixed
lxc.mount.auto = proc:rw sys:mixed cgroup:mixed
lxc.idmap=u 990 990 1
lxc.idmap=g 986 986 1
lxc.idmap=u 991 559743 64544
lxc.idmap=g 987 559739 64548

/etc/subuid:

root:558752:65536
vmail:990:1

/etc/subgid:

root:558752:65536
vmail:986:1

Create command (run as root):

lxc-create --name strauss --config /tmp/ansible.o7ss6y2w --template download \
  --logpriority INFO --bdev dir --dir /srv/container_lxc/strauss/rootfs \
  -- -d debian -r bullseye -a amd64 --keyserver hkp://keyserver.ubuntu.com

Error:

lxc 20211205200858.238 ERROR    conf - ../lxc/conf.c:lxc_map_ids:2865 - newuidmap failed to write mapping "newuidmap: uid range [990-991) -> [990-991) not allowed": newuidmap 314304 0 558752 990 990 990 1 991 559743 64544 65535 0 1
Failed to write id mapping for child process
lxc 20211205200858.238 ERROR    utils - ../lxc/utils.c:lxc_setgroups:1417 - Operation not permitted - Failed to setgroups()
lxc 20211205200858.238 ERROR    utils - ../lxc/utils.c:lxc_switch_uid_gid:1395 - Invalid argument - Failed to switch to gid 0
lxc-create: strauss: lxccontainer.c: create_run_template: 1616 Failed to create container from template
lxc-create: strauss: tools/lxc_create.c: main: 319 Failed to create container strauss

The host and the container are Debian Bullseye, which has lxc 4.0.6 and
lxcfs 4.0.7.

What did I miss in the configuration?

- Kees




Kees van Vloten

Dec 7, 2021, 10:24:44 AM
to lxc-...@lists.linuxcontainers.org
Hi Everybody,


A short update: I found the issue. As with most errors, this is a user error :-)

The subids in /etc/subuid and /etc/subgid were not all assigned to root.

- Kees
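The check newuidmap/newgidmap performed here (every host-side range in lxc.idmap must lie inside a range that /etc/subuid or /etc/subgid grants to the invoking user) can be reproduced offline. The script below is an added example, not part of the thread or of LXC; it models only the subuid/subgid range rule, using the config and subid files from the first post as constructed input, and shows that the 990/986 ranges are the ones root was not allowed to map.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the lxc.idmap lines from the config in the thread.
IDMAP_CONFIG = """\
lxc.idmap=u 0 558752 990
lxc.idmap=g 0 558752 986
lxc.idmap=u 990 990 1
lxc.idmap=g 986 986 1
lxc.idmap=u 991 559743 64544
lxc.idmap=g 987 559739 64548
"""

# Constructed: /etc/subuid and /etc/subgid as posted (990/986 granted to vmail, not root).
SUBUID_BROKEN = "root:558752:65536\nvmail:990:1\n"
SUBGID_BROKEN = "root:558752:65536\nvmail:986:1\n"


def parse_idmap(config: str) -> Dict[str, List[Tuple[int, int, int]]]:
    """Return {'u': [(ns_start, host_start, count), ...], 'g': [...]} from lxc.idmap lines."""
    maps: Dict[str, List[Tuple[int, int, int]]] = {"u": [], "g": []}
    for line in config.splitlines():
        m = re.match(r"\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            kind, ns, host, count = m.groups()
            maps[kind].append((int(ns), int(host), int(count)))
    return maps


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges granted to `user` in subuid/subgid format."""
    ranges = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def unauthorized(idmap, allowed) -> List[Tuple[int, int]]:
    """Host ranges in idmap not fully inside a range the user owns (what newuidmap rejects)."""
    bad = []
    for _ns, host, count in idmap:
        if not any(s <= host and host + count <= s + c for s, c in allowed):
            bad.append((host, host + count))  # half-open, like newuidmap's "[990-991)"
    return bad


def check(config: str, subuid: str, subgid: str, user: str = "root") -> Dict[str, list]:
    """Map each id type to the host ranges that `user` may not map; empty lists mean OK."""
    maps = parse_idmap(config)
    return {"u": unauthorized(maps["u"], parse_subid(subuid, user)),
            "g": unauthorized(maps["g"], parse_subid(subgid, user))}
```

Running `check(IDMAP_CONFIG, SUBUID_BROKEN, SUBGID_BROKEN)` reports `(990, 991)` and `(986, 987)` as unauthorized, matching the error in the log; adding `root:990:1` and `root:986:1` to the respective files makes both lists empty.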