Lxc.idmap in 3.11

I’ve installed 3.11 via snap packages on a clean Ubuntu 18.04 installation. I’m migrating my containers over from 3.0.3 because I REALLY want to use the automated snapshot feature :)

In 3.0.3, I was able to map host uid/gid to container uid/gid per instructions here: https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers

But it’s not working in 3.11. I read in the manpages that lxc.idmap is now being used, but the page I read might be for an earlier release?

So, can anyone tell me how to map uid/gids in 3.11?

Hmm, raw.idmap should work just fine, though the title here suggests you may have been using raw.lxc combined with lxc.idmap which we really wouldn’t recommend.

Can you show your exact config and if not already done, switch to using raw.idmap for hole punching?

After reading your post, I realized that I had misread my notes, so I was getting at least one error due to a mistake on my part. After realizing that, I thought I had the problem solved. Unfortunately not. Here are the steps I took.

First, I tried it the same way I did in 3.0.3:


:~$ printf "uid $(id -u) 1001 gid $(id -g) 1001"  | lxc config set mycontainer raw.idmap -
Error: Failed to get ID map: invalid raw.idmap line uid 1000 1001 gid 1000 1001

Since that didn’t work, I tried using the input format as described in UID Mappings section here:
https://linuxcontainers.org/lxc/manpages/man5/lxc.container.conf.5.html


:~$ printf "u $(id -u) 1001 1"  | lxc config set mycontainer raw.idmap -
Error: Failed to get ID map: invalid raw.idmap line u 1000 1001 1

Since that didn’t work, I tried it like this, still with no luck (notice lxc.idmap instead of raw.idmap):


:~$ printf "u $(id -u) 1001 1"  | lxc config set mycontainer lxc.idmap -
Error: Invalid config: Unknown configuration key: lxc.idmap

Then I remembered that in 3.0.3, I created a new profile and set the config for that profile, then assigned it to the container. So I tried it that way with no luck.


lxc profile copy default NewProfile
:~$ printf "uid $(id -u) 1001 gid $(id -g) 1001"  | lxc profile set NewProfile raw.idmap -
:~$ lxc profile assign mycontainer NewProfile
Error: Failed to get ID map: invalid raw.idmap line uid 1000 1001 gid 1000 1001

I tried it again with the other format, still no luck:


:~$ lxc profile assign nextcloudserver NewProfile
Error: Failed to get ID map: invalid raw.idmap line u 1000 1001 1

Here is the config for the container in question:


:~$ lxc config show nextcloudserver
architecture: x86_64
config:
  image.architecture: x86_64
  image.description: Ubuntu 18.04 LTS server (20181206)
  image.os: ubuntu
  image.release: bionic
  volatile.base_image: 2996b81c600423fc1a71e821ad64f027c62a389756a76d42b4e44399b0c74ffa
  volatile.eth0.hwaddr: 00:16:3e:10:07:50
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: STOPPED
devices:
  bensdocuments:
    path: /mnt/bensdocuments
    source: /mnt/FreeNAS/MediaStoragePool/Documents/
    type: disk
  debsfiles:
    path: /mnt/debsdocuments
    source: /mnt/FreeNAS/MediaStoragePool/DebsDocs/
    type: disk
  pictures:
    path: /mnt/FreeNasPictures
    source: /mnt/FreeNAS/MediaStoragePool/Pictures/
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

printf "uid $(id -u) 1001\ngid $(id -g) 1001"  | lxc config set mycontainer raw.idmap -

I was just looking things over and figured out the issue. It was my fault.

This is the incorrect command that I’ve been using:


:~$ printf "uid $(id -u) 1001 gid $(id -g) 1001"  | lxc profile set NewProfile raw.idmap -

This is the correct command that I needed to have been using:


:~$ printf "uid $(id -u) 1001\ngid $(id -g) 1001"  | lxc profile set NewProfile raw.idmap -

Notice that the second command has a \n in the middle. Apparently when I copied the command from my notes, the \n was removed due to the fact that my notes application interpreted the \n.

Thanks for looking at it, sorry for the noise!
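
The error in this thread came from two raw.idmap entries fused onto one line. As an added example (not from any poster and not LXD's own code), the shell functions below check a value before it is piped to `lxc config set`. The helper names `check_raw_idmap` and `range_size` are hypothetical, and the per-line grammar `<uid|gid|both> <host id or range> <container id or range>` is an assumption.

```shell
# Added example, not from the thread. Helper names are hypothetical; assumed
# grammar per line: <uid|gid|both> <host id or N-M> <container id or N-M>

# range_size RANGE: print how many ids "N" or "N-M" covers, fail otherwise.
range_size() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
        *-*) [ "${1#*-}" -ge "${1%-*}" ] || return 1
             echo $(( ${1#*-} - ${1%-*} + 1 )) ;;
        *)   echo 1 ;;
    esac
}

# check_raw_idmap VALUE: return 0 if every non-blank line parses, else
# report the first bad line on stderr and return 1.
check_raw_idmap() {
    while read -r kind host ct extra; do
        [ -n "$kind" ] || continue                  # skip blank lines
        if [ -z "$ct" ] || [ -n "$extra" ]; then    # fused or short line
            echo "raw.idmap: want 3 fields per line: $kind $host $ct $extra" >&2
            return 1
        fi
        case "$kind" in
            uid|gid|both) ;;
            *) echo "raw.idmap: unknown type '$kind'" >&2; return 1 ;;
        esac
        hs=$(range_size "$host") && cs=$(range_size "$ct") || {
            echo "raw.idmap: bad id or range in: $kind $host $ct" >&2; return 1; }
        [ "$hs" -eq "$cs" ] || {
            echo "raw.idmap: range sizes differ in: $kind $host $ct" >&2; return 1; }
    done <<EOF
$1
EOF
    return 0
}

# Constructed sample values: the fused line from the thread and the fixed form.
bad='uid 1000 1001 gid 1000 1001'
good=$(printf 'uid 1000 1001\ngid 1000 1001')
check_raw_idmap "$bad"  || echo "rejected before reaching lxc"
check_raw_idmap "$good" && echo "ok to pipe into lxc config set"
```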