Newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed"

I’m trying to create a new container and I’m getting the following errors while trying to run the sudo lxc-start -n base-arch command:

lxc-start base-arch 20210909221523.293 ERROR    conf - conf.c:lxc_map_ids:3471 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 60795 0 100000 1000 1000 1000 1 1001 101001 64535
lxc-start base-arch 20210909221523.293 ERROR    start - start.c:lxc_spawn:1774 - Failed to set up id mapping.
lxc-start base-arch 20210909221523.293 ERROR    lxccontainer - lxccontainer.c:wait_on_daemonized_start:868 - Received container state "ABORTING" instead of "RUNNING"
lxc-start base-arch 20210909221523.293 ERROR    lxc_start - tools/lxc_start.c:main:308 - The container failed to start
lxc-start base-arch 20210909221523.293 ERROR    lxc_start - tools/lxc_start.c:main:311 - To get more details, run the container in foreground mode
lxc-start base-arch 20210909221523.293 ERROR    lxc_start - tools/lxc_start.c:main:313 - Additional information can be obtained by setting the --logfile and --logpriority options
lxc-start base-arch 20210909221523.293 ERROR    start - start.c:__lxc_start:2053 - Failed to spawn container "base-arch"

Host’s user id is 1000 as shown below:
uid=1000(host) gid=1000(host) groups=1000(host),998(wheel)
and based on the configuration I’m mapping the guest’s uid 1000 to the host’s uid 1000.

# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = x86_64

# Container specific configuration
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 65536
lxc.idmap = g 1001 101001 65536
lxc.rootfs.path = dir:/var/lib/lxc/base-arch/rootfs
lxc.uts.name = base-arch

# Network configuration
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:f6:37:6e

Also, here are the contents of my /etc/sub{u,g}id files

cat /etc/subuid
root:100000:65536
cat /etc/subgid
root:100000:65536

Any ideas on what might be missing?

The error from newuidmap/newgidmap seems quite confusing, but your config is indeed incorrect.

The config you have above will cause:

  • ID 0 through 999 in the container to be mapped to 100000 through 100999
  • ID 1000 to be passed through
  • ID 1001 through 66536 to be mapped to 100001 through 166536

Your user only owns 100000 through 165536 and you are exceeding that with your configuration.

Thanks for your quick reply. Because I’m just new to this whole idea, let me ask you if the third point you wrote is correct.

As I understood so far the u 1001 101001 65536 is translated as:
Map guest’s uids from 1001 until 66537 to host’s uids 101001 until 166537

Is my understanding right or not?

Furthermore, you are saying that I’m exceeding the uids based on the /etc/subuid file, right? If I got it right, I’m assigning the uids 100000 through 165536 to the root user, but it seems from the configuration file that it needs more. Something like 100000 through 166537.

So you think that if I change the /etc/sub{u,g}id files to contain something like

root:100000:66537

it will be fine, or do you see more errors?

What you need is:

lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535

OK. Thanks for that.

The same error seems to reappear though :confused:

I also found this article online, but adding host:1000:1 to the sub{g,u}id files didn’t resolve it.

One more thing I’ve noticed is that if I replace the mapping you posted with the following:

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

the container starts. But I think this is not a complete mapping, since it lacks a mapping for the user account, something that is important in my case IMHO because I want to run X11 applications.

Does it make any sense to run sudo strace -o strace.log -ff lxc-start -n base-arch and look inside that for the error?

EDIT:

So I ran the command using strace, and of all the files strace output, I think this is the one which calls newuidmap. The thing is that all the execve calls return 0, which seems fine to me.

One thing that isn’t clear to me is what user is running lxc-start: is that your unprivileged user (uid 1000) or root (uid 0)?

I’m using this command:

sudo lxc-start -n base-arch

OK, so yeah, both /etc/subuid and /etc/subgid should be:

root:1000:1
root:100000:65536
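To make the two fixes in this thread concrete (the shortened third range of 64535 ids, and the extra root:1000:1 line in /etc/sub{u,g}id), here is an added example that is not code from the thread or from LXC: a small Python model of the check newuidmap/newgidmap apply before writing the id map, run over the lxc.idmap lines and sub{u,g}id entries quoted above. It assumes that every host-side range [hostid, hostid+count) must lie entirely inside one range the calling user owns in /etc/subuid or /etc/subgid, that the caller is root because lxc-start is run with sudo, and that container-side ranges must not overlap; the config and subuid strings are constructed from the posts in this thread.

```python
# Added example (not code from the thread or from LXC): a model of the check
# newuidmap/newgidmap apply before writing /proc/<pid>/{uid,gid}_map.
# Assumptions (mine): each host-side range [hostid, hostid+count) must lie
# entirely inside one range the caller owns in /etc/sub{u,g}id; the caller
# is root because lxc-start runs under sudo; container ranges may not overlap.
from dataclasses import dataclass


@dataclass(frozen=True)
class IdMap:
    kind: str     # "u" for uid maps, "g" for gid maps
    nsid: int     # first id inside the container
    hostid: int   # first host id it maps to
    count: int    # number of consecutive ids in the range


def parse_idmaps(config_text):
    """Parse 'lxc.idmap = u 0 100000 1000' lines from an LXC config."""
    maps = []
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line.startswith("lxc.idmap"):
            continue
        kind, nsid, hostid, count = line.split("=", 1)[1].split()
        maps.append(IdMap(kind, int(nsid), int(hostid), int(count)))
    return maps


def parse_subid(subid_text, owner):
    """Return the (start, count) ranges that `owner` holds in a sub{u,g}id file."""
    ranges = []
    for line in subid_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, start, count = line.split(":")
            if name == owner:
                ranges.append((int(start), int(count)))
    return ranges


def check_idmaps(maps, kind, allowed):
    """Return error strings in the style of newuidmap; an empty list means accepted."""
    name = "uid" if kind == "u" else "gid"
    entries = [m for m in maps if m.kind == kind]
    errors = []
    for m in entries:
        host_lo, host_hi = m.hostid, m.hostid + m.count
        if not any(s <= host_lo and host_hi <= s + c for s, c in allowed):
            errors.append(f"{name} range [{m.nsid}-{m.nsid + m.count}) -> "
                          f"[{host_lo}-{host_hi}) not allowed")
    spans = sorted((m.nsid, m.nsid + m.count) for m in entries)
    for (a_lo, a_hi), (b_lo, b_hi) in zip(spans, spans[1:]):
        if b_lo < a_hi:  # the kernel rejects overlapping ranges outright
            errors.append(f"{name} container ranges [{a_lo}-{a_hi}) and "
                          f"[{b_lo}-{b_hi}) overlap")
    return errors


def verify(config_text, subuid_text, subgid_text, owner="root"):
    """Check a config's uid and gid maps against the owner's sub{u,g}id ranges."""
    maps = parse_idmaps(config_text)
    return (check_idmaps(maps, "u", parse_subid(subuid_text, owner))
            + check_idmaps(maps, "g", parse_subid(subgid_text, owner)))


def host_id(maps, kind, nsid):
    """Translate a container id to its host id; None means the container cannot
    use that id at all (files owned by unmapped host ids appear as nobody/65534 inside it)."""
    for m in maps:
        if m.kind == kind and m.nsid <= nsid < m.nsid + m.count:
            return m.hostid + (nsid - m.nsid)
    return None


# Inputs constructed from the thread: the original config, the corrected config,
# the single-range config that did start, and /etc/subuid before and after the fix.
ORIGINAL_CONFIG = """
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1000 1000 1
lxc.idmap = u 1001 101001 65536
lxc.idmap = g 1001 101001 65536
"""
CORRECTED_CONFIG = """
lxc.idmap = u 0 100000 1000
lxc.idmap = u 1000 1000 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 0 100000 1000
lxc.idmap = g 1000 1000 1
lxc.idmap = g 1001 101001 64535
"""
SINGLE_RANGE_CONFIG = "lxc.idmap = u 0 100000 65536\nlxc.idmap = g 0 100000 65536\n"
SUBID_BEFORE = "root:100000:65536\n"
SUBID_AFTER = "root:1000:1\nroot:100000:65536\n"

if __name__ == "__main__":
    for label, cfg, sub in [("original config, old subuid", ORIGINAL_CONFIG, SUBID_BEFORE),
                            ("corrected config, old subuid", CORRECTED_CONFIG, SUBID_BEFORE),
                            ("corrected config, new subuid", CORRECTED_CONFIG, SUBID_AFTER),
                            ("single range, old subuid", SINGLE_RANGE_CONFIG, SUBID_BEFORE)]:
        errs = verify(cfg, sub, sub)
        print(f"{label}: {'accepted' if not errs else errs}")
    m = parse_idmaps(CORRECTED_CONFIG)
    print("container uid 65535 ->", host_id(m, "u", 65535), "; 65536 ->", host_id(m, "u", 65536))
```

Run as-is, the original config is rejected twice per id type (the pass-through 1000 and the over-long third range), the corrected config is still rejected on the pass-through until root:1000:1 is added, and the single 65536-wide range is accepted against the original subuid file, which matches what happened in the thread. The host_id lookups also answer the range question above: with the corrected config, container id 65535 lands on host id 165535, and 65536 is not mapped at all.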

Yes, now it starts, but I’m wondering if I should also add the host user to the sub{g,u}id files, because when I attach to the container its /tmp/.X11 directory is empty, given that I’ve added this to its config file:

lxc.mount.entry = /tmp/.X11-unix tmp/.X11-unix none bind,optional,create=dir,ro

If you think that this is off-topic and/or irrelevant, please tell me so I can open a new thread.

You’re going to have issues when passing something into /tmp; that’s because the container’s init system will usually wipe /tmp clean at boot time.

I thought that the read-only (ro) argument I passed to the lxc.mount.entry would fix that.