If you can grab the source of LXD, search for this error message and see whether the check is a blanket check (i.e. LXD just does not like IDs bigger than 65535).
I am not familiar with SSSD; does the /etc/passwd of the user account contain that UID?
PS SSSD here is similar to winbind’s idmap_rid - it generates an ID based on the active directory sid of the user (and ends up with quite large IDs). /etc/passwd does not contain any entries for the user/UID
The code is OK. I suppose the issue is with the 1000, which refers to the GID on the host, not the UID in the container. Try to replace the 1000 with the appropriate value and check again.
That will put your container past your host used uid/gid.
I’m a bit surprised of you getting such a high uid/gid through SSSD though, in my case, they’re in the 200000 -> 500000 range so far below LXD’s first uid/gid.
I did not realise that - thanks. I’ve set it to “raw.idmap: both 131204108 131200514” in the profile now (user’s UID and “domain users” GID), but still get the same error. I tried restarting snap.lxd.daemon as well.
In that case, you can avoid using idmap, and configure .Xauthority instead.
Your host’s X server, if you are using Ubuntu, has a configuration that allows access to the X11 Unix socket as long as the UID of the process that performs the access, is the same as the UID of the logged-in user. Other distributions may not have that.
Therefore, by using idmap, we are tricking the host’s X Server by making the container access the Unix socket with the same UID as the logged-in user on the host.
Since you are getting an error, you can fallback to the security mechanism, using the .Xauthority file.
The logged-in user on the host has a .Xauthority file that has inside a secret key (a cookie). Therefore, you can share this .Xauthority file to the container, and processes in the container will be now allowed to access the X server on the host.
Thanks @stgraber and @simos (and sorry if some of my questions are a bit naive!) - i can now launch containers with my “gui” profile, but its not finding display 0, this is progress at least
Here’s my attempt at running glxgears with this profile:
lxc exec ubukeybase – sudo --login --user ubuntu
To run a command as administrator (user “root”), use "sudo ".
See “man sudo_root” for details.
ubuntu@ubukeybase:~$ glxgears
No protocol specified
Error: couldn't open display :0
If i swtich the profile to raw.idmap: both 131204108 1000 it runs xcalc ok (glxgears complains but i think im getting closer)
PS @simos is this info correct? We discussed that the “1000” in my idmap was for the host GID, not the container, but from https://blog.simos.info/how-to-easily-run-graphics-accelerated-gui-apps-in-lxd-containers-on-your-ubuntu-desktop/ The raw.idmap has a value that refers to the sets of $UID/$GID of the non-root user on the host and in the container. By default on Ubuntu the default ID for the first non-root account is 1000 (both user ID and group ID). This is necessary for the bind-mounting of sockets of the host to the container. If you need to change it, here is how to do it. Because we use the both keyword, the first number (i.e. 1000) is the $UID/$GID on the host, and the second number (i.e. 1001) is the $UID/$GID of the non-user account in the container.
Thanks for this - trying to make it work now. If i remove the idmap part, i see the .Xauthority file as owned by the host UID (the big uid), with the container/ubuntu user not having read access, is there a trick to this?
If you are using the snap package of LXD (channel stable), you can try the latest guide at https://blog.simos.info/running-x11-software-in-lxd-containers/
Here, we use LXD proxy devices, which means that we do not need IDMAPs anymore. The proxy devices deal with the appropriate IDs. That is, instead of bind-mounting the necessary files from the host to the container, you will be using proxy devices to expose them to the container.
If you managed to get xclock to work in the container, it means that X is working OK. If glxgears is not working, then this is an issue with hardware acceleration (GLX), and needs other steps (i.e. which GPU and driver?).
PS pay careful attention to the instructions, some UIDs in the profile refer to container, and some to guest, if you’re not UID 1000 in the host, and running on DISPLAY :1 you’ll need to edit the examples