Re: [lxc-users] uid range not allowed

Sat, 23 Jul 2016 03:05:03 -0700 

On 23/07/16 18:38, rob e wrote:



On 23/07/16 17:49, Christoph Willing wrote:

I'm following the guide to run X apps in a container at:
      https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running
perfectly. However when I change the id_map configuration to look like:
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is
needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it
just says the same thing.

I'm using:
    lxc-2.0.1
    cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?

chris




_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

umm .. I have exactly that setup (user and group id mapping) and it
works for me. It's what I use for desktop integration. Did you change
the /etc/sub* files  as per the following ?
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/


[snip]

Yes, from that site I already had chris:100000:65536

What was missing was a chris:1000:1 entry, so now I have:
    chris:1000:1
    chris:100000:65536

which is allowing container startup without any error.


I see you have a root:1000:1 entry - that didn't work for me. I guess 
you're running yours as privileged containers?


chris



And the /etc/sub* files (modified to protect the innocent ...)
/etc/subuid

    <me>:100000:65536
    <lxd>:165536:65536
    root:165536:65536
    <someone>:231072:65536
    root:1000:1

/etc/subgid

    <me>:100000:65536
    <lxd>:165536:65536
    root:165536:65536
    <someone>:231072:65536
    root:1000:1




_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users





















					Reply via email to