Incus: No uid/gid allocation configured

vrms · February 10, 2024, 8:45pm

I have trouble with getting incus going on a quite fresh archlinux host

[manolo@arch-laptop ~]$ incus launch images:voidlinux hello-world
Launching hello-world
Error: Failed instance creation: Failed creating instance record: Failed initialising instance: Invalid config: No uid/gid allocation configured. In this mode, only privileged containers are supported

There is a running podman installation, which might matter as it also uses /etc/subuid & /etc/subgid.

My files currently look like this:

[manolo@arch-laptop ~]$ cat /etc/subuid
manolo:100000:65536
incus:1000000:65536

[manolo@arch-laptop ~]$ cat /etc/subgid
manolo:100000:65536
incus:1000000:65536

any idea what is going wrong here?

a side question … should not installing incus via packagemanager provide a valid config for this?

stgraber · February 10, 2024, 9:08pm

incus consumes uid/gid map allocations for the root user.

A normal setup is:

root:1000000:1000000000

In both uidmap and gidmap. That is the setup that we’d normally expect most distros to put in place for you at installation time.

vrms · February 11, 2024, 4:39pm

thx

root:1000000:1000000000 lines in /etc/subuid & /etc.subgid however have the same result unfortunately

No uid/gid allocation configured. In this mode, only privileged containers are supported

incus launch images:voidlinux hello-world -c security.privileged=true however works, but as I understand the matter it is encouraged to run unprivileged containers (which is what I did on an older lxd installation without any hassle)

On another lxd instance I have this as a working setup

<username>:100000:65536. But here it does not do anything neither

stgraber · February 11, 2024, 7:46pm

Did you restart incus after updating your subuid and subgid files?

vrms · February 12, 2024, 7:27am

What I am doing is

Install Incus package
add personal user to incus & incus-admin groups
sudo systemctl enable --now incus.socket incus.service
add entries to /etc/sub{uid,gid}
sudo systemctl restart incus.socket incus.service
incus launch images:voidlinux hello-world

anything wrong with that sequence maybe?

stgraber · February 12, 2024, 4:54pm

Can you add --verbose to INCUS_OPTS in /etc/default/incus and then sudo systemctl restart incus?

After that, please post the content of /var/log/incus/incusd.log

vrms · February 13, 2024, 8:37pm

there is no /etc/default/incus. So I guess I need to create is but … whoe exactly to I

add --verbose to INCUS_OPTS

on such a blank file exactly?

stgraber · February 13, 2024, 10:03pm

Hmm, what Linux distribution is this on?

stgraber · February 13, 2024, 10:05pm

Also, can you show:

cat /etc/subuid
cat /etc/subgid
uname -a
which newuidmap
which newgidmap

istankovic · February 14, 2024, 8:43pm

stgraber:

incus consumes uid/gid map allocations for the root user.

A normal setup is:
root:1000000:1000000000
In both uidmap and gidmap. That is the setup that we’d normally expect most distros to put in place for you at installation time.

Can confirm that this is not the case on Archlinux, I ran into the same issue.

Could you please elaborate on why incus is always reading the mapping for root, instead of the one for the user trying to create a container?

stgraber · February 14, 2024, 8:44pm

Because incus runs as root.

istankovic · February 14, 2024, 8:56pm

Would it be possible to allow non-root users to launch containers?

After adding the required mapping for root, as described above, and restarting the daemon, it now works.

stgraber · February 14, 2024, 9:07pm

It’s possible for non-root users to talk to Incus and control it, either fully (members of the incus-admin group) or in a restricted fashion (members of the incus group).

But Incus itself will always run as root as it needs to perform a bunch of privileged actions like generating security profiles, handling filesystem operations, preparing network, …

So at the end of the day, only the allocation for the root user matters to what Incus does.

istankovic · February 14, 2024, 9:33pm

Right, but that is still effectively root, which is… eh.

I was mainly wondering about it since I’m coming from podman and am used to not needing root. I assume incus uses certain operations that require root, and I’m curious as to what those are. I know that one can have unprivileged user namespaces, but apart from that I know very little of how incus (or, rather, LXC) works internally. I guess my question would be better phrased as, in what ways does incus differ from podman in order to require root privileges?

stgraber · February 14, 2024, 9:40pm

The only thing you can do as an unprivileged user is get a user namespace which maps your own single uid and gid to any uid/gid that you want.

Anything else requires privileges, either in obvious ways by running the logic directly as root, or indirectly through setuid/setcap helpers.

Anything that needs to put mounts in place (and doesn’t rely solely on FUSE) needs root privileges, so in our case, that means interacting with ZFS, LVM, btrfs, Ceph, …
The same goes on the network side, only root can create network interfaces on the host system, so all our network stuff requires root (create and run bridges, create veth pairs to attach to the containers, create tap devices for VMs, apply tc/iptables/nft rules, …).

Then the same is true for the security stuff, we need root to generate AppArmor namespaces, generate custom per-instance apparmor policies and load them into the kernel, …

It’s certainly possible to split out every bit of privileged logic into their own setuid/setcap binaries to give the illusion of everything actually being done by the unprivileged user, but it’s basically just that, an illusion

There are ways to do the filesystem stuff without privileges, but that involves FUSE and so gets rather slow. Similarly, it’s possible to do a bunch of network stuff in userspace by using a tun device inside the container and connecting that to a userspace relay daemon, but again, that’s going to be very slow.

Getting more than one uid/gid isn’t possible without extra privileges (such as using newuidmap/newgidmap), at least until we complete our work on implementing isolated user namespaces (see https://www.youtube.com/watch?v=mOLzSzpVwHU)

istankovic · February 14, 2024, 10:07pm

Thank you for the helpful answer and the link to the FOSDEM video. (Actually, I ran into this issue right after watching the video of your FOSDEM talk – very nice talk and the demo, by the way! trying out incus has been on my list for a while, but I was waiting for the arch package).

It’s quite interesting watching how the namespace subsystem(s) and related infrastructure evolve.

gwenya · February 16, 2025, 1:15pm

Sorry to heat up this old topic again, but I’m getting this exact error and this is the only place where it seems to be discussed.
However, I am getting this when trying to create VMs, which from what I understand should not require any uid/gid mapping. I intend to only use incus for VMs and not containers and I would prefer to avoid adding the uid/gid mapping. Is that possible or is it also required for VMs?

stgraber · February 17, 2025, 2:26am

VMs don’t hit that particular code path, what are you running and what error are you getting exactly?

gwenya · February 17, 2025, 9:02am

Here’s what I did:

$ incus launch images:ubuntu/24.04 ubuntu-vm --vm
Launching ubuntu-vm
Error: Failed instance creation: Failed creating instance record: Failed initializing instance: Invalid config: No uid/gid allocation configured. In this mode, only privileged containers are supported

If I add the entries for root in /etc/subuid and /etc/subgid then it works, and if I remove them again it stops working with the same error.

stgraber · February 17, 2025, 3:00pm

Interesting. Can you show incus project list?