Changing user mapping

I have changed my user on my host system.
This made it get a new group (1002 instead of 1000).

Now I wanted to remap my incus container to use the new gid, but I get an error.

```
lxc mastodon 20240525102501.964 ERROR    conf - ../src/lxc/conf.c:lxc_map_ids:3704 - newgidmap failed to write mapping "newgidmap: gid range [1000-1001) -> [1002-1003) not allowed": newgidmap 51240 0 165536 1000 1000 1002 1 1001 166537 9999000
lxc mastodon 20240525102501.964 ERROR    start - ../src/lxc/start.c:lxc_spawn:1788 - Failed to set up id mapping.
lxc mastodon 20240525102501.964 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:878 - Received container state "ABORTING" instead of "RUNNING"
lxc mastodon 20240525102501.964 ERROR    start - ../src/lxc/start.c:__lxc_start:2107 - Failed to spawn container "mastodon"
lxc mastodon 20240525102501.964 WARN     start - ../src/lxc/start.c:lxc_abort:1036 - Processen finns inte - Failed to send SIGKILL via pidfd 17 for process 51240
lxc 20240525102501.982 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Förbindelse borttagen av partnern - Failed to receive response
lxc 20240525102501.983 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
```

I tried to change the lxd entry in /etc/subgid to point to 1002 and then restart incus but that didn’t help.

I had to change back to use group 1000.

What am I doing wrong? :thinking:

What matters in /etc/subuid and /etc/subgid are the entries for the root user, the others don’t impact Incus at all.

Hum ok.

What am I doing wrong then?

```
root@debian:~# id arutaz
uid=1000(arutaz) gid=1002(arutaz) grupper=1002(arutaz),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),111(bluetooth),113(lpadmin),116(scanner),126(davfs2)
root@debian:~# printf "uid 1000 1000\ngid 1002 1000" | incus config set labb12 raw.idmap -
root@debian:~# incus start labb12
Error: Failed to run: /usr/libexec/incus/incusd forkstart labb12 /var/lib/incus/containers /run/incus/labb12/lxc.conf: exit status 1
Try `incus info --show-log labb12` for more info
root@debian:~# incus info --show-log labb12
Name: labb12
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2024/05/23 21:35 CEST
Last Used: 2024/05/27 18:59 CEST

Log:

lxc labb12 20240527165938.405 ERROR    conf - ../src/lxc/conf.c:lxc_map_ids:3704 - newgidmap failed to write mapping "newgidmap: gid range [1000-1001) -> [1002-1003) not allowed": newgidmap 3710113 0 165536 1000 1000 1002 1 1001 166537 9999000
lxc labb12 20240527165938.405 ERROR    start - ../src/lxc/start.c:lxc_spawn:1788 - Failed to set up id mapping.
lxc labb12 20240527165938.405 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:878 - Received container state "ABORTING" instead of "RUNNING"
lxc labb12 20240527165938.406 ERROR    start - ../src/lxc/start.c:__lxc_start:2107 - Failed to spawn container "labb12"
lxc labb12 20240527165938.406 WARN     start - ../src/lxc/start.c:lxc_abort:1036 - Processen finns inte - Failed to send SIGKILL via pidfd 17 for process 3710113
lxc 20240527165938.421 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Förbindelse borttagen av partnern - Failed to receive response
lxc 20240527165938.421 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"
```

The user arutaz has group id 1002.

If I instead do

```
printf "uid 1000 1000\ngid 1000 1000" | incus config set labb12 raw.idmap -
```

(using group id 1000) it works. :thinking:

You haven’t shown the content of your /etc/subuid and /etc/subgid.

Here is the content of those files:

```
root@debian:~# cat /etc/subuid
lxd:1000:1
root:1000:1
sbug:100000:65536
_lxd:165536:10000001
root:165536:10000001
root@debian:~# cat /etc/subgid
lxd:1000:1
root:1000:1
sbug:100000:65536
_lxd:165536:10000001
root:165536:10000001
root@debian:~#
```

(I followed this https://ubuntu.com/blog/custom-user-mappings-in-lxd-containers for the “Direct user/group mapping” some time ago)

Okay, so the error is correct.

subgid clearly only allows root:1000:1 when you want to map 1002 instead, so you’d need root:1002:1.

Ah I see.

And I can only have one line for root, or can I have multiple to allow different groups to different containers?

You can have multiple entries, that’s fine.

Ok. Thank you so much for your time :hugs:
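
The check behind the error in this thread, as an added example that is not part of the original posts and is not Incus or shadow code: it replays the `newgidmap` arguments from the log against the posted /etc/subgid and reports which host ranges root has not been delegated. It assumes a simplified rule (each host range must fit inside a single range delegated to root), and the function names are hypothetical.

```python
# Content of /etc/subgid as posted in the thread.
SUBGID = """\
lxd:1000:1
root:1000:1
sbug:100000:65536
_lxd:165536:10000001
root:165536:10000001
"""

# Argument list copied from the newgidmap error in the container log.
NEWGIDMAP_ARGS = "51240 0 165536 1000 1000 1002 1 1001 166537 9999000"


def parse_subid(text, owner):
    """Return (start, count) for every line delegated to `owner`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == owner:
            ranges.append((int(start), int(count)))
    return ranges


def parse_map_args(args):
    """Split 'pid inside outside count ...' into (inside, outside, count) triples."""
    nums = [int(x) for x in args.split()[1:]]  # drop the target pid
    if len(nums) % 3:
        raise ValueError("mapping arguments must come in groups of three")
    return [tuple(nums[i:i + 3]) for i in range(0, len(nums), 3)]


def rejected(args, subid_text, owner="root"):
    """Triples whose host range is not inside one range delegated to `owner`.

    Assumption: simplified model of the check, one containing range per triple.
    """
    allowed = parse_subid(subid_text, owner)
    bad = []
    for inside, outside, count in parse_map_args(args):
        if not any(s <= outside and outside + count <= s + c for s, c in allowed):
            bad.append((inside, outside, count))
    return bad


if __name__ == "__main__":
    for i, o, n in rejected(NEWGIDMAP_ARGS, SUBGID):
        print(f"gid range [{i}-{i + n}) -> [{o}-{o + n}) not allowed")
```

Appending `root:1002:1` to the sample text makes `rejected()` return an empty list, which matches the advice that a second root entry alongside `root:1000:1` is fine.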