Lxd-to-incus: Newuidmap: uid range [1003-1004) -> [1021-1022) not allowed

shpokas · July 4, 2024, 9:49am

Hi,
I migrated from lxd to incus and now I’ve got problems starting containers.
There are many similar threads, yet I am failing to understand what exactly is the problem here.

I mount a folder from host system user home directory into container.
Container configuration has:

  raw.idmap: |-
    uid 1021 1003
    gid 998 1003

Entries for that user in /etc/sub?id are

# grep "profi:" /etc/sub?id
/etc/subgid:profi:1541792:65536
/etc/subuid:profi:1541792:65536

user id on host is

# id profi
uid=1021(profi) gid=998(sshproxy) groups=998(sshproxy)

user id in container is

# id profi
uid=1003(profi) gid=1003(profi) groups=1003(profi),27(sudo)

If I remove mapping from container configuration, then it is up and running, but I cannot write in mounted folder.

Thanks for any hint.

stgraber · July 4, 2024, 3:41pm

Please show the full /etc/subuid and /etc/subgid.

Incus only cares about the allocations to the root user, not to your individual user.
To make the above work you should have a root:1021:1 entry in /etc/subuid and a root:998:1 entry in /etc/subgid to allow what you need.

shpokas · July 4, 2024, 4:30pm

Indeed that helped. Thank you very much!
One last question - why did it work for lxd?
Is there a new security configuration?

Kind regards,

stgraber · July 4, 2024, 4:48pm

LXD completely ignores the system /etc/subuid and /etc/subgid files and assumes it can do whatever it wants on the system. Incus is a bit more respectful in that regard