Re: [lxc-users] uid range not allowed
Sorry for the duplicate - I had earlier posted to the list from the wrong email identity and presumed it would be rejected as coming from a non-subscriber, but it looks like it has just been waved through now.

The immediate problem was solved - I needed to add an additional "chris:1000:1" to /etc/sub{u,g}id

chris

On 23/07/16 17:08, Chris Willing wrote:
> I'm following the guide to run X apps in a container at:
> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>
> As a starting point, I have a normal unprivileged container running perfectly. However when I change the id_map configuration to look like:
>
> lxc.id_map = u 0 10 1000
> lxc.id_map = g 0 10 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
>
> the container fails to start, claiming:
>
> chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> ...
> ...
>
> Sure enough, if I comment out the lines:
>
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
>
> the container runs again - but it's that particular mapping that is needed in this case.
>
> I set up a log file to priority DEBUG but no extra clues there - it just says the same thing.
>
> I'm using:
> lxc-2.0.1
> cgmanager-0.39
> with container config file attached.
>
> Can anyone shed light on this problem please?
>
> chris

___
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users
[lxc-users] uid range not allowed
I'm following the guide to run X apps in a container at:
https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/

As a starting point, I have a normal unprivileged container running perfectly. However when I change the id_map configuration to look like:

lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535

the container fails to start, claiming:

chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
...
...

Sure enough, if I comment out the lines:

lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1

the container runs again - but it's that particular mapping that is needed in this case.

I set up a log file to priority DEBUG but no extra clues there - it just says the same thing.

I'm using:
lxc-2.0.1
cgmanager-0.39
with container config file attached.

Can anyone shed light on this problem please?
chris

# Template used to create this container: /usr/share/lxc/templates/lxc-spbuilder-1402
# Parameters passed to the template: -a x86_64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = lxcbr0
lxc.network.name = eth0
lxc.network.hwaddr = 00:16:3e:d9:8e:4a
lxc.rootfs = /home/chris/.local/share/lxc/x11-test-x86_64/rootfs
lxc.rootfs.backend = dir
lxc.utsname = x11-test-x86_64

lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file
#lxc.hook.pre-start = /home/chris/.local/share/lxc/precise-gui/setup-pulse.sh

lxc.mount.entry = /scratch/PKG/SBo/slackbuilds mnt/slackbuilds none bind,ro,create=dir 0 0
#lxc.mount.entry = /var/cache/spbuilder var/cache/spbuilder none bind,create=dir 0 0

lxc.mount.auto = proc:mixed sys:ro cgroup
lxc.tty = 4
lxc.pts = 1024
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm

# we don't trust even the root user in the container, better safe than sorry.
# comment out only if you know what you're doing.
lxc.cap.drop = sys_module mknod mac_override mac_admin sys_time setfcap setpcap
# you can try also this alternative to the line above, whatever suits you better.
#lxc.cap.drop=sys_admin

#lxc.id_map = u 0 10 65536
#lxc.id_map = g 0 10 65536
lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
#lxc.id_map = u 1000 1000 1
#lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
Re: [lxc-users] uid range not allowed
Quoting Christoph Willing (chris.will...@iinet.net.au):
> On 23/07/16 18:16, Andreas Vögele wrote:
> >Christoph Willing writes:
> >
> >>I'm following the guide to run X apps in a container at:
> >> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
> >>
> >>As a starting point, I have a normal unprivileged container running
> >>perfectly. However when I change the id_map configuration to look
> >>like:
> >>lxc.id_map = u 0 10 1000
> >>lxc.id_map = g 0 10 1000
> >>lxc.id_map = u 1000 1000 1
> >>lxc.id_map = g 1000 1000 1
> >>lxc.id_map = u 1001 101001 64535
> >>lxc.id_map = g 1001 101001 64535
> >>
> >>the container fails to start, claiming:
> >>
> >>chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> >>newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> >>lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> >>[...]
> >>Can anyone shed light on this problem please?
> >
> >You've got to add the id to /etc/subuid and /etc/subgid. Example:
> >
> >chris:1000:1
> >chris:10:65536
>
> Thanks Andreas,
>
> I had the second line but not the first. The container starts
> without error now.
>
> chris

Note that the 1000 throughout here should be replaced by your real uid and gid. If you just use '1000' but that's not your uid/gid, then you're letting your user own someone else's uid/gid. Which means any trojan that runs as you has more privilege than you thought.
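The check that newuidmap is applying in this thread, reconstructed as an added Python example (not code from LXC or shadow-utils, and not from anyone on the list): it parses lxc.id_map lines and /etc/sub{u,g}id entries, reports every mapping whose host-side range no entry covers, and separately flags a single-id mapping whose host id is not the caller's own, which is the risk raised in the reply above. The sample config, the user name "chris" and the 100000-based host ranges are constructed for the example; substitute whatever your own /etc/sub{u,g}id actually grants.

```python
"""Validate lxc.id_map lines against /etc/subuid and /etc/subgid the way
newuidmap/newgidmap do: every host-side range a mapping names must lie
entirely inside a range those files grant to the calling user.
Added example for this thread; not LXC or shadow-utils code. Sample values
are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str        # "u" (uid) or "g" (gid)
    ns_start: int    # first id as seen inside the container
    host_start: int  # first id it maps to on the host
    count: int       # number of ids in the range


def parse_id_maps(config_text):
    """Pull 'lxc.id_map = <u|g> <ns_start> <host_start> <count>' lines out of a config."""
    maps = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments, so '#lxc.id_map' lines are ignored
        if not line.startswith("lxc.id_map"):
            continue
        kind, ns_start, host_start, count = line.partition("=")[2].split()
        maps.append(IdMap(kind, int(ns_start), int(host_start), int(count)))
    return maps


def parse_subid(text, user):
    """Return the (start, count) ranges that /etc/subuid or /etc/subgid grants to `user`."""
    ranges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def check_id_maps(maps, subuid_ranges, subgid_ranges):
    """Report every mapping newuidmap/newgidmap would refuse, in their message style.

    A host range [lo, hi) is allowed only if one granted range [s, s+c) contains it
    entirely. The real tools stop at the first bad range; this collects them all.
    """
    errors = []
    for m in maps:
        granted = subuid_ranges if m.kind == "u" else subgid_ranges
        tool, idname = ("newuidmap", "uid") if m.kind == "u" else ("newgidmap", "gid")
        lo, hi = m.host_start, m.host_start + m.count
        if not any(s <= lo and hi <= s + c for s, c in granted):
            errors.append(f"{tool}: {idname} range [{m.ns_start}-{m.ns_start + m.count})"
                          f" -> [{lo}-{hi}) not allowed")
    return errors


def identity_map_warnings(maps, real_uid, real_gid):
    """Flag single-id maps that hand the container a host id other than the caller's own.

    'u 1000 1000 1' is right only if 1000 really is your uid; otherwise the container
    (and anything running as you) owns another account's files on the host.
    """
    warnings = []
    for m in maps:
        if m.count != 1:
            continue
        real, idname = (real_uid, "uid") if m.kind == "u" else (real_gid, "gid")
        if m.host_start != real:
            warnings.append(f"{m.kind} map grants host {idname} {m.host_start}, "
                            f"but the caller's real {idname} is {real}")
    return warnings


# Constructed sample input (not the thread's literal values): host ranges start at
# 100000 so that the single uid 1000 clearly falls outside the big range.
SAMPLE_CONFIG = """
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
SUBID_BEFORE = "chris:100000:65536\n"               # only the big range: start fails
SUBID_AFTER = "chris:1000:1\nchris:100000:65536\n"  # plus the single-id entry: start works

if __name__ == "__main__":
    maps = parse_id_maps(SAMPLE_CONFIG)
    for label, subid in (("before", SUBID_BEFORE), ("after", SUBID_AFTER)):
        granted = parse_subid(subid, "chris")
        errs = check_id_maps(maps, granted, granted)
        print(f"{label}: {errs or 'all mappings allowed'}")
    print(identity_map_warnings(maps, real_uid=1001, real_gid=1000))
```

Running it, the "before" pass reproduces the "uid range [1000-1001) -> [1000-1001) not allowed" message for the single-id mapping (and the matching gid one), and the "after" pass, with the chris:1000:1 line present, reports nothing. The same file contents fed to parse_subid for a different user name grant no ranges at all, which is why a root:1000:1 entry does nothing for an unprivileged container started by another user.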
Re: [lxc-users] uid range not allowed
On 23/07/16 18:38, rob e wrote:
> On 23/07/16 17:49, Christoph Willing wrote:
>> I'm following the guide to run X apps in a container at:
>> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>> As a starting point, I have a normal unprivileged container running perfectly. However when I change the id_map configuration to look like:
>>
>> lxc.id_map = u 0 10 1000
>> lxc.id_map = g 0 10 1000
>> lxc.id_map = u 1000 1000 1
>> lxc.id_map = g 1000 1000 1
>> lxc.id_map = u 1001 101001 64535
>> lxc.id_map = g 1001 101001 64535
>>
>> the container fails to start, claiming:
>>
>> chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
>> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
>> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
>> ...
>> ...
>>
>> Sure enough, if I comment out the lines:
>>
>> lxc.id_map = u 1000 1000 1
>> lxc.id_map = g 1000 1000 1
>>
>> the container runs again - but it's that particular mapping that is needed in this case.
>>
>> I set up a log file to priority DEBUG but no extra clues there - it just says the same thing.
>>
>> I'm using:
>> lxc-2.0.1
>> cgmanager-0.39
>> with container config file attached.
>>
>> Can anyone shed light on this problem please?
>>
>> chris
>
> umm .. I have exactly that setup (user and group id mapping) and it works for me. It's what I use for desktop integration.
>
> Did you change the /etc/sub* files as per the following ?
> https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

[snip]

Yes, from that site I already had
chris:10:65536

What was missing was a chris:1000:1 entry, so now I have:
chris:1000:1
chris:10:65536

which is allowing container startup without any error.

I see you have a root:1000:1 entry - that didn't work for me. I guess you're running yours as privileged containers?

chris

> And the /etc/sub* files (modified to protect the innocent ...)
>
> /etc/subuid
> :10:65536
> :165536:65536
> root:165536:65536
> :231072:65536
> root:1000:1
>
> /etc/subgid
> :10:65536
> :165536:65536
> root:165536:65536
> :231072:65536
> root:1000:1
Re: [lxc-users] uid range not allowed
On 23/07/16 18:16, Andreas Vögele wrote:
> Christoph Willing writes:
>
>> I'm following the guide to run X apps in a container at:
>> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>>
>> As a starting point, I have a normal unprivileged container running perfectly. However when I change the id_map configuration to look like:
>> lxc.id_map = u 0 10 1000
>> lxc.id_map = g 0 10 1000
>> lxc.id_map = u 1000 1000 1
>> lxc.id_map = g 1000 1000 1
>> lxc.id_map = u 1001 101001 64535
>> lxc.id_map = g 1001 101001 64535
>>
>> the container fails to start, claiming:
>>
>> chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
>> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
>> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
>> [...]
>> Can anyone shed light on this problem please?
>
> You've got to add the id to /etc/subuid and /etc/subgid. Example:
>
> chris:1000:1
> chris:10:65536

Thanks Andreas,

I had the second line but not the first. The container starts without error now.

chris
Re: [lxc-users] uid range not allowed
On 23/07/16 17:49, Christoph Willing wrote:
> I'm following the guide to run X apps in a container at:
> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>
> As a starting point, I have a normal unprivileged container running perfectly. However when I change the id_map configuration to look like:
>
> lxc.id_map = u 0 10 1000
> lxc.id_map = g 0 10 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
>
> the container fails to start, claiming:
>
> chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> ...
> ...
>
> Sure enough, if I comment out the lines:
>
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
>
> the container runs again - but it's that particular mapping that is needed in this case.
>
> I set up a log file to priority DEBUG but no extra clues there - it just says the same thing.
>
> I'm using:
> lxc-2.0.1
> cgmanager-0.39
> with container config file attached.
>
> Can anyone shed light on this problem please?
>
> chris

umm .. I have exactly that setup (user and group id mapping) and it works for me. It's what I use for desktop integration.

Did you change the /etc/sub* files as per the following ?
https://www.stgraber.org/2014/01/17/lxc-1-0-unprivileged-containers/

I promise it works here.
This is the config for one of my most used containers

# Template used to create this container: /usr/share/lxc/templates/lxc-download
# Parameters passed to the template: -d ubuntu -r xenial -a amd64
# For additional config options, please look at lxc.container.conf(5)

# Uncomment the following line to support nesting containers:
#lxc.include = /usr/share/lxc/config/nesting.conf
# (Be aware this has security implications)

# Distribution configuration
lxc.include = /usr/share/lxc/config/ubuntu.common.conf
lxc.include = /usr/share/lxc/config/ubuntu.userns.conf
lxc.arch = x86_64

# Container specific configuration
# --- Replaced ---#
#lxc.id_map = u 0 10 65536
#lxc.id_map = g 0 10 65536
# --- With ---#Permission denied -
lxc.id_map = u 0 10 1000
lxc.id_map = g 0 10 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
#
#
lxc.rootfs = /mnt/..//rootfs
lxc.rootfs.backend = dir
lxc.utsname = 

# Network configuration
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = xx:xx:xx:xx:xx:xx

# === My Additions == #
## Set resource limits
lxc.cgroup.cpuset.cpus = 1-3
lxc.cgroup.cpu.shares = 256
lxc.cgroup.memory.limit_in_bytes = 4G
lxc.cgroup.blkio.weight = 500

lxc.mount.entry = /dev/dri dev/dri none bind,optional,create=dir
lxc.mount.entry = /dev/snd dev/snd none bind,optional,create=dir
lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir
# lxc.mount.entry = /dev/video0 dev/video0 none bind,optional,create=file # NO CAMERA
lxc.mount.entry = /dev/fuse dev/fuse none bind,optional,create=file
#lxc.hook.pre-start = /mnt/.//setup-pulse.sh
lxc.hook.pre-start = /mnt/./lxc-devsetup
lxc.aa_profile = lxc-container-default-with-mounting

## lxc.cgroup.devices.allow = typeofdevice majornumber:minornumber rwm ... in this case /dev/sr0 (EXCLUDES /dev/sr1)
lxc.cgroup.devices.allow = b 11:0 rwm
## and add /dev/sr1
lxc.cgroup.devices.allow = b 11:1 rwm
# Fuse (user mounted filesystem facilitator), character device at 10:29 (use ls -la /dev/fuse)
lxc.cgroup.devices.allow = c 10:29 rwm
# End Change For Xenial == #

And the /etc/sub* files (modified to protect the innocent ...)

/etc/subuid
:10:65536
:165536:65536
root:165536:65536
:231072:65536
root:1000:1

/etc/subgid
:10:65536
:165536:65536
root:165536:65536
:231072:65536
root:1000:1
Re: [lxc-users] uid range not allowed
Christoph Willing writes:

> I'm following the guide to run X apps in a container at:
> https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
>
> As a starting point, I have a normal unprivileged container running
> perfectly. However when I change the id_map configuration to look
> like:
> lxc.id_map = u 0 10 1000
> lxc.id_map = g 0 10 1000
> lxc.id_map = u 1000 1000 1
> lxc.id_map = g 1000 1000 1
> lxc.id_map = u 1001 101001 64535
> lxc.id_map = g 1001 101001 64535
>
> the container fails to start, claiming:
>
> chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> [...]
> Can anyone shed light on this problem please?

You've got to add the id to /etc/subuid and /etc/subgid. Example:

chris:1000:1
chris:10:65536

Kind regards,
Andreas