I’m trying to create a new container and I’m getting the following errors while trying to run the sudo lxc-start -n base-arch command:
lxc-start base-arch 20210909221523.293 ERROR conf - conf.c:lxc_map_ids:3471 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 60795 0 100000 1000 1000 1000 1 1001 101001 64535
lxc-start base-arch 20210909221523.293 ERROR start - start.c:lxc_spawn:1774 - Failed to set up id mapping.
lxc-start base-arch 20210909221523.293 ERROR lxccontainer - lxccontainer.c:wait_on_daemonized_start:868 - Received container state "ABORTING" instead of "RUNNING"
lxc-start base-arch 20210909221523.293 ERROR lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start base-arch 20210909221523.293 ERROR lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start base-arch 20210909221523.293 ERROR lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start base-arch 20210909221523.293 ERROR start - start.c:__lxc_start:2053 - Failed to spawn container "base-arch"
Host’s user id is 1000 as shown below: uid=1000(host) gid=1000(host) groups=1000(host),998(wheel)
and based on the configuration I’m mapping guest’s 1000 uid to host’s 1000 uid.
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = x86_64
# Container specific configuration
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 65536
lxc.idmap = g 1001 101001 65536
lxc.rootfs.path = dir:/var/lib/lxc/base-arch/rootfs
lxc.uts.name = base-arch
# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:f6:37:6e
Also here is the contents of my /etc/sub{u,g}id files
Thanks for your quick reply. Because I’m just new to this whole idea, let me ask you if the third point you wrote is correct.
As I understood so far the u 1001 101001 65536 is translated as:
Map guest’s uids from 1001 until 66537 to host’s uids 101001 until 166537
Is my understanding right or not?
Furthermore, you are saying that I’m exceeding the uids based on the /etc/subuid file, right? If I got it right, I’m assigning to the root user the 100000 through 165536 uids, but it seems from the configuration file that it needs more. Something like 100000 through 166537.
So you think that if I change the /etc/sub{u,g}id files to contain something like
I also found this article online, but adding host:1000:1 in the sub{g,u}id files didn’t resolve it.
One more thing I’ve noticed is that if I replace the mapping you posted with the following:
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536
the container starts. But I think this is not a complete mapping since it lacks a mapping for the user account, something that is important in my case IMHO because I want to run X11 applications.
Does it make any sense to run sudo strace -o strace.log -ff lxc-start -n base-arch and look inside that for the error?
EDIT:
So I ran the command using strace, and from all the files strace output I think this is the one which calls newuidmap. The thing is that all the execve calls return 0, which seems fine to me.
Yes, now it starts, but I’m wondering if I should also add the host user in the sub{g,u}id files, because when I attach to the container its /tmp/.X11 directory is empty, given that I’ve added this to its config file:
I’m sorry, but I’m a little confused. I have a much simpler case. I’ve mounted a remote server’s NFS on the host. The files are (properly) owned by 297536:
root@pve:/volume1/Videos# ls -ld movies
drwxrwxrwx 1 297536 297536 326842 Jan 2 13:28 movies
When I fire up the unprivileged container, they’ve been mapped to “nobody” as expected:
root@plex:/volume1# ls -ld Videos
drwx------ 1 nobody nogroup 158 Jan 11 00:11 Videos
I want to map this user inside the container from UID 999/GID 990 into 297596/297596 on the host so they can access these files.
I tried adding this:
lxc.idmap = u 996 297596 1
lxc.idmap = g 990 297596 1
into /etc/lxc/101.conf (my container configuration) but then the container fails to start:
lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: uid range [999-1000) -> [297536-297537) not allowed": newuidmap 288559 999 297536 1
lxc_spawn: 1808 Failed to set up id mapping.
__lxc_start: 2127 Failed to spawn container "101"
TASK ERROR: startup for container '101' failed
This leads me to think I need to include something in the host’s /etc/subuid and /etc/subgid files, but I am confused as heck about the format. How do I tell lxc that it’s OK to do the mapping so I don’t get the error? What’s the right answer for a single port? Right now, 297596 is not in /etc/{passwd,group} on the host, but I could put it in if necessary.
I think it should be:
297596:297596:1
for each of these, but I’m then getting:
lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: uid range [999-1000) -> [297596-297597) not allowed": newuidmap 292781 999 297596 1
lxc_spawn: 1808 Failed to set up id mapping.
__lxc_start: 2127 Failed to spawn container "101"
I’m not sure what 292781 is… pid?
Is there something I should be doing (kill -HUP’ing something) after editing the subuid/subgid files?
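Both failures in this thread are newuidmap refusing a host range that is not delegated in /etc/subuid or /etc/subgid to the user actually running lxc-start (root under sudo). The following is an added example, not code from the thread or from LXC, that parses lxc.idmap lines and subuid/subgid text and reports which mappings would be refused; the sample config is the first post's, while the subuid/subgid contents are an assumption since the thread never shows them.

```python
"""Check lxc.idmap lines against the ranges delegated in /etc/subuid and /etc/subgid."""
import re

# Constructed sample: the idmap lines from the first post above. The subuid and
# subgid contents are an assumption; the thread never shows them.
IDMAP_CONFIG = """
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 65536
lxc.idmap = g 1001 101001 65536
"""
SUBUID = "root:100000:65536\nhost:100000:65536\n"
SUBGID = SUBUID

def parse_subid(text):
    """Return {user: [(start, count), ...]} from subuid/subgid-style text."""
    ranges = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, start, count = line.strip().split(":")
            ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges

def parse_idmap(config):
    """Return [(kind, container_start, host_start, count), ...] from lxc.idmap lines."""
    pat = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")
    return [(m[1], int(m[2]), int(m[3]), int(m[4]))
            for line in config.splitlines() if (m := pat.match(line))]

def uncovered(idmaps, subuid, subgid, caller):
    """Mappings newuidmap/newgidmap would refuse: the host range
    [host_start, host_start+count) must lie inside one range delegated to
    `caller` (the user running lxc-start; root under sudo)."""
    bad = []
    for kind, cstart, hstart, count in idmaps:
        delegated = (subuid if kind == "u" else subgid).get(caller, [])
        if not any(s <= hstart and hstart + count <= s + n for s, n in delegated):
            bad.append(f"{kind} {cstart} {hstart} {count}: host range "
                       f"[{hstart}-{hstart + count}) not delegated to {caller}")
    return bad

def check(config=IDMAP_CONFIG, subuid=SUBUID, subgid=SUBGID, caller="root"):
    """Run the check on config text plus subuid/subgid text; [] means all allowed."""
    return uncovered(parse_idmap(config), parse_subid(subuid),
                     parse_subid(subgid), caller)

if __name__ == "__main__":
    print("\n".join(check()) or "all mappings delegated")
```

With the sample input it flags the 1000:1 mappings (no root:1000:1 line) and the 1001 ranges, whose upper end 166537 exceeds the delegated 165536, which matches the two points raised in the thread.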