Help with idmap & subuid/subgid please

I looked at these two threads:

However, I didn’t really spot anything there that helped. My Arch Linux system is using 5.18.14-arch1-1 #1 SMP PREEMPT_DYNAMIC

I’ve spent two days trying to figure this out and gotten no closer.

I made sure these were set

kernel.unprivileged_userns_clone = 1
user.max_user_namespaces = 256484

and I added:

sudo tee -a /etc/lxc/default.conf <<EOF
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
EOF

Restarted LXD, still giving me that error.

I tried with:

printf "both 1000 1000" | sudo lxc config set docker-container raw.idmap -

ERROR conf - …/src/lxc/conf.c:lxc_map_ids:3672 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 82353 0 100000 1000 1000 1000 1 1001 101001 64535

# cat /etc/subuid
root:100000:65536
lxd:100000:65536
one:165536:65536
two:231072:65536
three:296608:65536
four:362144:65536

# cat /etc/subgid
root:100000:65536
lxd:100000:65536
one:165536:65536
two:231072:65536
three:296608:65536
four:362144:65536
shared:362145:1

So I think the issue is this Newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed"

Using this configuration:

lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535

I was able to pass in the “one” user to “ubuntu”.

I also made my subuid and subgid

root:1000:1
root:100000:65536
lxd:100000:65536

Now what I’m not sure about is users two, three and four and that shared group.

So after days of pain I finally figured it out. I came across this tool https://github.com/ddimick/proxmox-lxc-idmapper

For multiple users and the shared group I needed:

$ cat /etc/subuid
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:100000:65536
lxd:100000:65536
root:1000:1
root:1001:1
root:1002:1
root:1003:1
root:1004:1
root:100000:65536
lxd:100000:65536

Then in /etc/lxc/default.conf I needed:

lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 0
lxc.idmap = g 1001 101001 0
lxc.idmap = u 1001 1001 1
lxc.idmap = g 1001 1001 1
lxc.idmap = u 1002 101002 0
lxc.idmap = g 1002 101002 0
lxc.idmap = u 1002 1002 1
lxc.idmap = g 1002 1002 1
lxc.idmap = u 1003 101003 0
lxc.idmap = g 1003 101003 0
lxc.idmap = u 1003 1003 1
lxc.idmap = g 1003 1003 1
lxc.idmap = u 1004 101004 64532
lxc.idmap = g 1004 1004 1
lxc.idmap = g 1005 101005 64532

And finally:

printf "both 1003 1003\ngid 1004 1004\n" | sudo lxc config set c1 raw.idmap -
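
The "not allowed" error in this thread is what newuidmap reports when a requested host range is not delegated to the calling user in /etc/subuid. The following is an added example, not code from the original posts or from LXC/LXD: a simplified Python model of that check, run over the idmap and subuid lines quoted above. The function names are hypothetical, and the real newuidmap applies further rules that are not modelled here.

```python
# Added example: a simplified model of newuidmap's subordinate-ID check.
# Function names are hypothetical; sample data is copied from the thread.

IDMAP = """\
lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
"""
SUBUID_BEFORE = "root:100000:65536\nlxd:100000:65536\none:165536:65536\n"
SUBUID_AFTER = "root:1000:1\nroot:100000:65536\nlxd:100000:65536\n"

def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid text into {owner: [(start, count)]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            owner, start, count = line.split(":")
            ranges.setdefault(owner, []).append((int(start), int(count)))
    return ranges

def parse_idmap(text, kind):
    """Return (container_start, host_start, count) for lxc.idmap lines of kind."""
    entries = []
    for line in text.splitlines():
        key, _, value = line.partition("=")
        fields = value.split()
        if key.strip() == "lxc.idmap" and len(fields) == 4 and fields[0] == kind:
            entries.append(tuple(int(f) for f in fields[1:]))
    return entries

def covered(start, count, allowed):
    """True if host IDs [start, start+count) lie inside the delegated ranges."""
    end = start + count
    for a_start, a_count in sorted(allowed):
        if start >= end:
            break
        if a_start <= start < a_start + a_count:
            start = a_start + a_count  # continue from the end of this range
    return start >= end

def rejected_entries(idmap_text, subid_text, owner, kind="u"):
    """List idmap entries whose host range the owner has not been delegated."""
    allowed = parse_subid(subid_text).get(owner, [])
    return [e for e in parse_idmap(idmap_text, kind) if not covered(e[1], e[2], allowed)]

if __name__ == "__main__":
    print("before:", rejected_entries(IDMAP, SUBUID_BEFORE, "root"))
    print("after: ", rejected_entries(IDMAP, SUBUID_AFTER, "root"))
```

Running the same check before changing the configuration shows exactly which host IDs are being opened up to the container, which is worth reviewing because a one-to-one mapping such as host UID 1000 gives container processes that host user's file access.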