How to map multiple uids for privileged container

  1. Can I map container uid to host uid for privileged container?
  2. Is it possible to map multiple container uids to a single host uid?

I’m trying to containerize Android and ran into a seg fault in an audio library.
While investigating, I found some odd uids listed by the ps command on the host side, as shown below.
It seems that the uid/gid mapping is not reflected in my test.
The container uids are system (1000), graphics (1003), media (1013), and keystore (1017), which show up the same on both the host and in the container.

How can I map a container uid to a host uid in a privileged container?
Or in an unprivileged container, with a direct uid/gid mapping like hole punching?

I appreciate any comment.

mslee     1139   906 10 08:54 ?        00:00:00 /system/bin/surfaceflinger
1019      3176  2929  0 07:35 ?        00:00:00 /system/bin/drmserver
root      3179  2929  0 07:35 ?        00:00:00 /system/bin/installd
1017      3180  2929  0 07:35 ?        00:00:00 /system/bin/keystore /data/misc/
root      3181  2929  0 07:35 ?        00:00:00 /system/bin/systemcontrol
root      3183  2929  0 07:35 ?        00:00:00 /system/bin/pppoe_wrapper
root      3184  2929  0 07:35 ?        00:00:02 zygote
mslee     3185  2929  0 07:35 ?        00:00:00 /system/bin/gatekeeperd /data/mi
root      3186  2929  0 07:35 ?        00:00:00 /system/xbin/perfprofd
root      3187  2929  0 07:35 ?        00:00:00 /sbin/adbd --root_seclabel=u:r:s
1003      3193  2929  2 07:35 ?        00:00:18 /system/bin/bootanimation
mslee     3340  3184  1 07:35 ?        00:00:08 system_server

This is part of the container config.

architecture: aarch64
config:
  boot.autostart: "false"
  raw.idmap: |
    both 1000 1000
    both 1000 1003
    both 1000 1013
    both 1000 1017
    both 1000 1036
    both 1000 2000
  raw.lxc: |
    lxc.init_cmd=/bin/init

These are the /etc/subuid and /etc/subgid files.

mslee@odroid64:~$ cat /etc/subuid
lxd:100000:65536
root:100000:65536
mslee@odroid64:~$ cat /etc/subgid
lxd:100000:65536
root:100000:65536

The very definition of privileged containers is that there is no user namespace and no uid/gid mapping in place. So it’s not possible for you to both run a privileged container and have a number of uids/gids mapped to different values.

1 Like
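The reply above says a privileged container has no user namespace at all, so an idmap is never applied; the question's raw.idmap also would not be accepted even as an unprivileged map, because one host id is listed against several container ids. The following added example (not code from this thread or from LXD) parses raw.idmap lines in LXD's "<uid|gid|both> <host-id> <container-id> [range]" form and checks them against the uid_map rules from user_namespaces(7): ranges may not overlap on the container side or the host side, and a kernel older than 4.15 accepts at most 5 lines. The line-limit default and the IdMapEntry/idmap_problems names are this example's own choices.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class IdMapEntry:
    container_id: int  # id as seen inside the container's user namespace
    host_id: int       # id the host kernel actually uses
    count: int = 1     # length of the contiguous range

def parse_raw_idmap(text, kind):
    """Parse LXD raw.idmap lines: '<uid|gid|both> <host-id> <container-id> [range]'.
    kind is 'uid' or 'gid'; only lines of that type (or 'both') are kept."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) not in (3, 4) or parts[0] not in ("uid", "gid", "both"):
            raise ValueError(f"malformed raw.idmap line: {line!r}")
        typ, host, cont = parts[0], int(parts[1]), int(parts[2])
        count = int(parts[3]) if len(parts) == 4 else 1
        if typ in (kind, "both"):
            entries.append(IdMapEntry(cont, host, count))
    return entries

def _overlaps(a_start, a_len, b_start, b_len):
    return a_start < b_start + b_len and b_start < a_start + a_len

def idmap_problems(entries, max_lines=5):
    """Violations the kernel would reject when writing these entries to /proc/PID/uid_map:
    too many lines (5 before Linux 4.15, 340 after) or overlapping ranges on either side."""
    problems = []
    if len(entries) > max_lines:
        problems.append(f"{len(entries)} lines exceed the kernel limit of {max_lines}")
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if _overlaps(a.container_id, a.count, b.container_id, b.count):
                problems.append(f"container ids {a.container_id} and {b.container_id} overlap")
            if _overlaps(a.host_id, a.count, b.host_id, b.count):
                problems.append(f"host id {a.host_id} mapped to both container "
                                f"{a.container_id} and {b.container_id}")
    return problems

# Copy of the raw.idmap block from the question (constructed test input).
QUESTION_IDMAP = """
both 1000 1000
both 1000 1003
both 1000 1013
both 1000 1017
both 1000 1036
both 1000 2000
"""
```

Running idmap_problems(parse_raw_idmap(QUESTION_IDMAP, "uid")) reports the line-count violation plus one host-side collision for every pair of the six entries, which is why such a map can only be expressed by a single host id per container id.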

Thank you for your comment.

I suspected that the seg fault in the audio library in the Android container was caused by a non-existent uid/gid. To verify my suspicion, I’d like to change those uids/gids.
Anyway, I tested it by adding new users on the host side, which revealed that it is not related to uid/gid.

@stgraber, would you give me some additional comments on this log?
When I start my Android container, I get this dmesg output before the Android init process starts. But the container seems to launch successfully, displaying the Android boot animation, mouse pointer, etc.

Note: this also happens when I launch an ubuntu:16.04 container.

mslee@odroid64:~$ cat /etc/os-release 
NAME="Ubuntu"
VERSION="16.04.6 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.6 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
mslee@odroid64:~$ uname -a 
Linux odroid64 3.14.79+ #12 SMP PREEMPT Tue Jan 14 06:07:01 UTC 2020 aarch64 aarch64 aarch64 GNU/Linux
mslee@odroid64:~$ lxd --version
2.0.11
mslee@odroid64:~$ 

Here is the dmesg output.

[ 7373.444656] audit: type=1400 audit(1579141453.612:14): apparmor="STATUS" operation="profile_load" name="lxd-m_</var/lib/lxd>" pid=11872 comm="apparmor_parser"
[ 7373.538433] ip_set: protocol 6
[ 7373.538527] IPVS: Creating netns size=2048 id=5
[ 7373.538545] IPVS: ftp: loaded support on port[0] = 21
[ 7373.543275] lxd[11875]: syscall 279
[ 7373.543290] Code: aa0503e4 aa0603e5 aa0703e6 d4000001 (b13ffc1f) 
[ 7373.543305] CPU: 3 PID: 11875 Comm: lxd Not tainted 3.14.79+ #12
[ 7373.543312] task: ffffffc039f72c80 ti: ffffffc02e054000 task.ti: ffffffc02e054000
[ 7373.543318] PC is at 0x7fb3d7bb44
[ 7373.543322] LR is at 0x7fb3f82534
[ 7373.543326] pc : [<0000007fb3d7bb44>] lr : [<0000007fb3f82534>] pstate: 80000000
[ 7373.543330] sp : 0000007fff474650
[ 7373.543334] x29: 0000007fff474650 x28: 000000000d0a65b8 
[ 7373.543340] x27: 000000000d0a5c60 x26: 0000007fb3ff44c8 
[ 7373.543345] x25: 000000000d08a780 x24: 0000007fff479208 
[ 7373.543352] x23: 000000000d08a6b0 x22: 000000000000000b 
[ 7373.543357] x21: 000000000d0a8570 x20: 0000007fb3ff5000 
[ 7373.543362] x19: 0000007fb3ff5000 x18: 0000000000000a03 
[ 7373.543366] x17: 0000007fb3d7bb20 x16: 0000007fb3ff5cf8 
[ 7373.543371] x15: 0000000000000030 x14: ffffffffffffffff 
[ 7373.543376] x13: 0000000000000028 x12: 0101010101010101 
[ 7373.543381] x11: 7f7f7f7f7f7f7f7f x10: 0000007fff4778c0 
[ 7373.543386] x9 : 0000007fff4778c0 x8 : 0000000000000117 
[ 7373.543393] x7 : 0000000000000000 x6 : 0000000000000000 
[ 7373.543398] x5 : 0000007fff47454c x4 : 0000007fb3853108 
[ 7373.543402] x3 : 0000007fb3853000 x2 : 0000000000000002 
[ 7373.543407] x1 : 0000000000000001 x0 : 0000007fb3fd1ac8 

[ 7373.548725] lxd[11875]: syscall 279
[ 7373.548737] Code: aa0503e4 aa0603e5 aa0703e6 d4000001 (b13ffc1f) 
[ 7373.548744] CPU: 3 PID: 11875 Comm: lxd Not tainted 3.14.79+ #12
[ 7373.548750] task: ffffffc039f72c80 ti: ffffffc02e054000 task.ti: ffffffc02e054000
[ 7373.548755] PC is at 0x7fb3d7bb44
[ 7373.548758] LR is at 0x7fb3f80620
[ 7373.548762] pc : [<0000007fb3d7bb44>] lr : [<0000007fb3f80620>] pstate: 20000000
[ 7373.548766] sp : 0000007fff4746e0
[ 7373.548769] x29: 0000007fff4746e0 x28: 0000007fb3ffb3e8 
[ 7373.548776] x27: 000000000d0a5c60 x26: 0000007fb3ff44c8 
[ 7373.548781] x25: 0000007fb3ff5000 x24: 000000000d0a6600 
[ 7373.548786] x23: 000000000d0a5e80 x22: 000000000d08a6b0 
[ 7373.548790] x21: 000000000d0a99c1 x20: 000000000d0a6570 
[ 7373.548795] x19: 0000007fff475020 x18: 0000000000000a03 
[ 7373.548800] x17: 0000007fb3d7bb20 x16: 0000007fb3ff5cf8 
[ 7373.548805] x15: 0000000000002138 x14: ffff000000000000 
[ 7373.548809] x13: ffffffffffffffff x12: 0000000000000030 
[ 7373.548814] x11: 0101010101010101 x10: 0000007fff473dd0 
[ 7373.548819] x9 : 000000000d0acbf0 x8 : 0000000000000117 
[ 7373.548823] x7 : 0000000000000000 x6 : 0000000000000000 
[ 7373.548828] x5 : 0000000000000000 x4 : 0000007fb3dfa9b0 
[ 7373.548833] x3 : 0000000000000000 x2 : 0000007fb402ecb8 
[ 7373.548837] x1 : 0000000000000001 x0 : 0000007fb3fd13e8