Mounted folder is nobody/unreadable (ArchLinux, unprivileged)

LXD 3.7, ArchLinux(host+container), unprivileged, dir driver

When I mount a folder into the container it's empty and not accessible. The source folder has 1000:1000, the mounted folder in rootfs is 100000 (should rather be 101000 I guess) and inside the container it's nobody (65534). It's not readable by root/guest (100000) -> Permission denied. Any idea what's wrong here?

$ cat /etc/subuid
root:100000:65536
lxd:100000:65536
$ cat /etc/subgid
root:100000:65536
lxd:100000:65536

$ lxc config device add arch test disk source=/home/user/Downloads path=/home/arch/test

Config:

$ lxc config show arch
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Archlinux current amd64 (20181211_01:27)
  image.os: Archlinux
  image.release: current
  image.serial: "20181211_01:27"
  volatile.base_image: 6b2b5b684ed150667b724c09f9530b7a11eaff879c0ba00a3eb8f22e9b5eabd8
  volatile.eth0.hwaddr: 00:16:3e:xx:xx:xx
  volatile.eth0.name: eth0
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":100000,"Nsid":0,"Maprange":65536}]'
  volatile.last_state.power: STOPPED
devices:
  eth0:
    ipv4.address: 192.168.50.2
    nictype: bridged
    parent: lxdbr0
    type: nic
  test:
    path: /home/arch/test
    source: /home/user/Downloads
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

That’s the expected behavior here.

You can either do uid hole punching to make uid/gid 1000 be the same inside and outside of the container by setting raw.idmap (note that you’ll also need additional entries in your subuid/subgid config) or you may be able to get away with posix ACLs by effectively allowing access to the directory on the host to the 101000 uid/gid (1000 in the container).

How is this uid hole punching meant to be done? Do I have to split the uid range or something? I have changed the shadow files to this:

root:100000:65536
lxd:100000:65536
user:200000:65536

I tried several raw.idmap combinations but none of them get accepted (not allowed or in host range):

raw.idmap: both 1000 1000
raw.idmap: both 101000 1000
raw.idmap: both 1000 101000
raw.idmap: both 1000 201000
raw.idmap: both 201000 1000
lxc arch 20181213192057.937 ERROR    conf - conf.c:lxc_map_ids:2999 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [201000-201001) not allowed": newuidmap 2291 0 100000 1000 1000 201000 1 1001 101001 64535

I’m wondering why this is needed at all. LXD is aware of the host<>container UID shift range already (by shadow entries). It already did initialize/shift the rootfs all by itself properly at container creation.

The only entries that matter in subuid/subgid for LXD are the root ones.

You should have something like:

root:100000:65536
root:1000:1

Which will allow the root user to use the uid 1000 from the host for the containers.

If you put that in both the subuid and subgid files, then both 1000 1000 should work.
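As an added illustration (not code from the thread or from LXD), the following models what the newuidmap error above shows: LXD splits the base 100000:65536 mapping around the raw.idmap hole, and each resulting host range must sit inside one of root's /etc/subuid entries. It assumes LXD's raw.idmap form `<type> <hostid> <containerid>` and single-id holes; the subuid text is constructed from the thread.

```python
# Added example: model how LXD splits its base idmap around a raw.idmap hole
# and why newuidmap rejects host ids outside root's subuid/subgid ranges.

def parse_subid(text):
    """Parse /etc/subuid-style lines into {user: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def parse_raw_idmap(entry):
    """'both 1000 1000' -> (hostid, containerid). Assumes LXD's form
    '<type> <hostid> <containerid>'; uid/gid/both are treated alike here."""
    kind, hostid, nsid = entry.split()
    if kind not in ("both", "uid", "gid"):
        raise ValueError("unknown raw.idmap type: %s" % kind)
    return int(hostid), int(nsid)

def build_map(base_host, base_range, holes):
    """Split the base map [0, base_range) -> [base_host, ...) around the
    single-id holes (hostid, nsid). Returns (nsid, hostid, count) triples
    in the order newuidmap receives them."""
    result, cursor = [], 0
    for hostid, nsid in sorted(holes, key=lambda h: h[1]):
        if nsid > cursor:                      # base chunk before the hole
            result.append((cursor, base_host + cursor, nsid - cursor))
        result.append((nsid, hostid, 1))       # the punched hole itself
        cursor = nsid + 1
    if cursor < base_range:                    # remainder of the base map
        result.append((cursor, base_host + cursor, base_range - cursor))
    return result

def allowed(mapping, root_ranges):
    """True only if every host range of the map lies inside one of the
    root subuid/subgid ranges, which is the check newuidmap enforces."""
    for _nsid, hostid, count in mapping:
        if not any(s <= hostid and hostid + count <= s + c
                   for s, c in root_ranges):
            return False
    return True

if __name__ == "__main__":
    subids = parse_subid("root:100000:65536\nroot:1000:1")   # constructed
    m = build_map(100000, 65536, [parse_raw_idmap("both 1000 1000")])
    print(m, allowed(m, subids["root"]))
```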

Wonderful, works. Thanks!