Creating instances in projects with raw.idmap

Hi,
I am trying to create an instance in a particular project in an incus cluster. I use the following command:

incus create --project my_project images:fedora/40 f40-test

However I get the following:

Error: Failed instance creation: Failed checking if instance creation allowed: Use of low-level "raw.idmap" element 0 on profile "my_profile" of project "my_project" is forbidden

I am not sure whether this is an error or my mistake in configuring the project.
The profile configuration looks like this:

$ incus profile show my_profile 
config:
  raw.idmap: |-
    uid 1000-10000 1000-10000
    gid 202 202
    gid 128 128
    gid 5000-30000 5000-30000

And the project:

$ incus project show my_project
config:
  features.images: "false"
  features.profiles: "true"
  features.storage.buckets: "false"
  features.storage.volumes: "false"
  restricted: "true"
  restricted.cluster.groups: my_group
description: ""
name: my_project
used_by:
- /1.0/profiles/default?project=my_project
- /1.0/profiles/eso_env?project=my_project

The cluster group my_group has a few incus servers assigned to it.
Notice that if I do not specify the --project my_project flag the instance is created fine and the raw.idmap is applied properly.

Am I missing something?
Thanks!

You have restricted=true so all restrictions are on unless you disable them.

You’re going to want restricted.containers.lowlevel=allow to make raw.idmap work I believe.

Thanks for the answer!
Unfortunately I cannot set that property:

$ incus project set my_project restricted.containers.lowlevel=allow     
Error: Conflict detected when changing "restricted.containers.lowlevel" in project "my_project": Use of low-level "raw.idmap" element 0 on profile "my_profile" of project "my_project" is forbidden

Well, I managed to set the property using the option -p which according to the documentation “Sets the key as a project property”. I do not really understand the difference, since without the -p I thought I was setting the project properties…

$ incus project set -p my_project restricted.containers.lowlevel=allow     

And indeed the property does not appear in the incus project show output despite the previous command being successful.

Anyway, I still cannot start the instance, I get the same error.

Ok. I managed to set the property creating the project from scratch:

incus project create my_project --config features.images=false  --config features.storage.buckets=false  --config features.storage.volumes=false --config restricted=true --config restricted.cluster.groups=my_group --config restricted.containers.lowlevel=allow
incus profile copy my_profile my_profile --target-project my_project

However after that I still get the same error when creating the instance:

incus create --project my_project images:fedora/40 f40-test
Creating f40-test
Error: Failed instance creation: Failed checking if instance creation allowed: Use of low-level "raw.idmap" element 0 on profile "my_profile" of project "my_project" is forbidden

I finally have managed after several iterations. I had to create the project from scratch as follows:

$ incus project create my_project --config features.images=false  \
--config features.storage.buckets=false  \
--config features.storage.volumes=false \
--config restricted=true \
--config restricted.cluster.groups=my_group \
--config restricted.containers.lowlevel=allow \
--config restricted.idmap.uid="1000-10000" \
--config restricted.idmap.gid="202,128,5000-30000" \
--config restricted.devices.disk=allow
$ incus profile copy my_profile my_profile --target-project my_project

It seems that despite the restricted.containers.lowlevel=allow option I still need to specify the UIDs and GIDs in the project properties. It is a bit inconvenient since I need to repeat what is already in the profile, but ok, at least it is working now.

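The last post's complaint is that the host-side ranges in the profile's raw.idmap have to be repeated by hand in restricted.idmap.uid and restricted.idmap.gid. The script below is an added example (it is not from this thread or from the Incus project): it derives those two allow-lists from a raw.idmap block and then creates the project with the same --config keys the final working command used, including restricted.devices.disk=allow, which is copied from that command as-is. It assumes that restricted.idmap.* lists the host side of each mapping (the second field of a raw.idmap line), that a "both" line counts toward both lists, and that "incus profile get my_profile raw.idmap" prints the profile's raw.idmap value; the sample raw.idmap is constructed from the profile shown earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build the restricted.idmap.uid and
# restricted.idmap.gid values a restricted Incus project needs from a profile's
# raw.idmap block, so the same ranges are not maintained by hand in two places.
#
# raw.idmap lines look like "<uid|gid|both> <host id or range> <container id or range>".
# Assumption: restricted.idmap.* lists the HOST side that raw.idmap may use, so
# the second field is what goes into them, and "both" contributes to both lists.
# Names (my_project, my_profile, my_group) are taken from the thread.

# Constructed sample input: the raw.idmap block from the thread's profile.
SAMPLE_RAW_IDMAP='uid 1000-10000 1000-10000
gid 202 202
gid 128 128
gid 5000-30000 5000-30000'

# idmap_ranges <uid|gid>: read raw.idmap text on stdin and print the host-side
# entries of that type as one comma-separated list, the format of
# restricted.idmap.uid / restricted.idmap.gid. Fails on a malformed line
# rather than silently producing a too-narrow or too-wide allow-list.
idmap_ranges() {
    kind=$1
    out=""
    while read -r type host container; do
        [ -z "$type" ] && continue            # blank line
        case "$type" in
            uid|gid|both) ;;
            *) echo "idmap_ranges: unknown map type in line: $type $host $container" >&2; return 1 ;;
        esac
        # host must be N or N-M: digits only, no leading, trailing or double dash
        case "$host" in
            ''|*[!0-9-]*|-*|*-|*-*-*) echo "idmap_ranges: bad host range: '$host'" >&2; return 1 ;;
        esac
        [ -n "$container" ] || { echo "idmap_ranges: missing container side: $type $host" >&2; return 1; }
        if [ "$type" = "$kind" ] || [ "$type" = both ]; then
            out="${out:+$out,}$host"
        fi
    done
    printf '%s\n' "$out"
}

# create_restricted_project <project> <cluster-group> <uid-ranges> <gid-ranges>:
# the thread's final working project config, with the idmap allow-lists passed
# in. An empty list leaves that restricted.idmap.* key unset. INCUS can be
# overridden (for example INCUS="echo incus") for a dry run.
create_restricted_project() {
    project=$1; group=$2; uids=$3; gids=$4
    set -- project create "$project" \
        --config features.images=false \
        --config features.storage.buckets=false \
        --config features.storage.volumes=false \
        --config restricted=true \
        --config restricted.cluster.groups="$group" \
        --config restricted.containers.lowlevel=allow \
        --config restricted.devices.disk=allow
    [ -n "$uids" ] && set -- "$@" --config restricted.idmap.uid="$uids"
    [ -n "$gids" ] && set -- "$@" --config restricted.idmap.gid="$gids"
    # INCUS is intentionally left unquoted so "echo incus" word-splits.
    ${INCUS:-incus} "$@"
    ${INCUS:-incus} profile copy my_profile my_profile --target-project "$project"
}

if [ "${1:-}" = apply ]; then
    # Real run: read raw.idmap from the source profile (assumed "incus profile get"
    # output) and create the project from it.
    raw=$(incus profile get my_profile raw.idmap)
    uids=$(printf '%s\n' "$raw" | idmap_ranges uid)
    gids=$(printf '%s\n' "$raw" | idmap_ranges gid)
    create_restricted_project my_project my_group "$uids" "$gids"
else
    # Dry run on the constructed sample: print the incus commands instead of running them.
    uids=$(printf '%s\n' "$SAMPLE_RAW_IDMAP" | idmap_ranges uid)
    gids=$(printf '%s\n' "$SAMPLE_RAW_IDMAP" | idmap_ranges gid)
    ( INCUS="echo incus"; create_restricted_project my_project my_group "$uids" "$gids" )
fi
```

Run it with no arguments to see the commands it would issue for the sample profile; run it with "apply" on a cluster member to read the real profile and create the project. Because the allow-list is computed from the profile, a mapping added to raw.idmap later is rejected at instance creation until the project's restricted.idmap.* keys are regenerated, which is the behaviour a restricted project is meant to have.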