Newuidmap failed to write mapping "newuidmap: uid range [33-33) -> [1000-1000) not allowed"

Hi,

I am trying to share a folder from my host with my container, but the container always fails to create.
The folder belongs to the user “chuugar” (uid = 1000, gid = 1000); I wish to map it to the user www-data (33:33) inside the container.
It’s an unprivileged container named “nextcloud”; I try to create and start it as the user “chuugar”.

/home/chuugar/.local/share/lxc/nextcloud/config:

lxc.include = /etc/lxc/default.conf

lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1000
lxc.idmap = u 33 1000 0
lxc.idmap = g 33 1000 0

lxc.apparmor.allow_nesting = 1
lxc.apparmor.profile = lxc-container-default-cgns

lxc.net.0.type = empty

lxc.mount.entry = /home/chuugar/bin/git/nextcloud www/nextcloud none rw,bind,create=dir 0 0

/etc/subuid and /etc/subgid have the same content:

chuugar:100000:1000
chuugar:33:1

I tried to create “nextcloud” with the following command: lxc-create -n nextcloud -t download -- -d debian -r buster -a amd64. But it always fails with the following message:

lxc 20190709134418.965 ERROR    conf - conf.c:lxc_map_ids:3023 - newuidmap failed to write mapping "newuidmap: uid range [33-33) -> [1000-1000) not allowed": newuidmap 25676 0 100000 1000 33 1000 0 1000 1000 1
Failed to write id mapping for child process
lxc 20190709134418.965 ERROR    utils - utils.c:lxc_switch_uid_gid:1375 - Invalid argument - Failed to switch to gid 0
lxc-create: nextcloud: lxccontainer.c: create_run_template: 1617 Failed to create container from template
lxc-create: nextcloud: conf.c: lxc_map_ids: 3023 newuidmap failed to write mapping "newuidmap: uid range [33-33) -> [1000-1000) not allowed": newuidmap 25679 0 100000 1000 33 1000 0 1000 1000 1
lxc-create: nextcloud: conf.c: userns_exec_full: 4568 error setting up {g,u}id mappings for child process "25679"
lxc-create: nextcloud: lxccontainer.c: container_destroy: 2974 Error destroying rootfs for nextcloud
lxc-create: nextcloud: tools/lxc_create.c: main: 327 Failed to create container nextcloud

The host is a fresh Debian Buster with lxc 3.1.
Can anyone help me? Thanks.

I am not too familiar with plain LXC.
Having said that, I think the commands that you wrote above are trying to map 33:33 from the host to 1000:1000 in the container.
I think it should be the other way round.

I tried both, but it ends with the same kind of error:

I get

newuidmap: uid range [1000-1000) -> [33-33) not allowed

with:

 lxc.idmap = u 1000 33 0
 lxc.idmap = g 1000 33 0

And I get

newuidmap: uid range [33-33) -> [1000-1000) not allowed

with:

 lxc.idmap = u 33 1000 0
 lxc.idmap = g 33 1000 0

So I guess I have to fix /etc/subuid and /etc/subgid, but I couldn’t find what could be wrong in those files.

Since they follow this syntax: "login name":"numerical subordinate user ID":"numerical subordinate user ID count", chuugar:33:1 should have done the trick.

I tried something else:

Within /etc/sub{u,g}id:

chuugar:33
chuugar:10000:65536

Within /home/chuugar/.local/share/lxc/nextcloud/config:

lxc.idmap = u 0 100000 33
lxc.idmap = g 0 100000 33
lxc.idmap = u 33 1000 1
lxc.idmap = g 33 1000 1

Now the container can start, and the folder I wish to share belongs to chuugar:chuugar (1000:1000) on the host and www-data:www-data (33:33) within the container, as expected.

BUT, as is, lxc loses the ability to map 34 to 65535 inside the container.
So I edited nextcloud/config like this:

lxc.idmap = u 0 100000 33
lxc.idmap = g 0 100000 33
lxc.idmap = u 33 1000 1
lxc.idmap = g 33 1000 1
lxc.idmap = u 0 100034 65535
lxc.idmap = g 0 100034 65545

But it failed with the following error: "newuidmap: uid range [0-65535) -> [100034-165569) not allowed"

So, how can I map 0 to 65536 except for the value 33?
Thanks

The issue was in nextcloud/config; I fixed it with:

lxc.idmap = u 0 100000 33
lxc.idmap = g 0 100000 33
lxc.idmap = u 33 1000 1
lxc.idmap = g 33 1000 1
lxc.idmap = u 34 100034 65502
lxc.idmap = g 34 100034 65502

For the record, my final /etc/sub{u,g}id is:

chuugar:100000:65536
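The mappings in this thread keep failing at one of two gates. The first is newuidmap/newgidmap, which refuses any host-side range that /etc/subuid or /etc/subgid does not delegate to the user, and which treats a count of 0 as the empty range printed as "[33-33)" in the first error. The second is the kernel, which rejects overlapping container-side ranges (it rejects overlapping host-side ranges as well, which the script below does not check) and caps the number of uid_map/gid_map lines at 340 on Linux 4.15 and later (5 on older kernels). The checker below is an added example, not code from the thread or from LXC: it parses lxc.idmap lines and subuid-style entries, reports both kinds of problem, and lists the container ids a config leaves unmapped, which is the gap behind the "loses the ability to map 34 to 65535" remark. The sample configs are the ones posted above, constructed inline; for the partial and overlapping configs the subuid content is assumed to be the final chuugar:100000:65536 line. One further assumption is marked in the code: because the working config maps the user's own host uid 1000 although /etc/subuid does not list it, the checker treats a one-id mapping of the caller's own uid/gid as accepted by newuidmap; verify that against the shadow version on your host. Keep in mind that mapping your own host uid into the container means a compromise of www-data inside it is a compromise of uid 1000 on every host path the container can see, so keep such bind mounts as narrow as possible.

```python
"""Check lxc.idmap lines against /etc/sub{u,g}id the way newuidmap and the kernel
will: host ranges must be delegated, counts must be > 0, container ranges must not
overlap. Added example; the sample inputs are constructed from the thread's configs."""
from collections import namedtuple

KERNEL_MAX_EXTENTS = 340  # uid_map/gid_map lines accepted since Linux 4.15 (5 before)
IdMap = namedtuple("IdMap", "kind nsid hostid count")  # kind is "u" or "g"


def parse_idmap_lines(text):
    """Parse 'lxc.idmap = u 0 100000 65536' lines from a container config."""
    maps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("lxc.idmap"):
            kind, nsid, hostid, count = line.partition("=")[2].split()
            maps.append(IdMap(kind, int(nsid), int(hostid), int(count)))
    return maps


def parse_subid(text, user):
    """(start, count) ranges that an /etc/subuid-style file delegates to user."""
    ranges = []
    for raw in text.splitlines():
        fields = raw.strip().split(":")
        if len(fields) == 3 and fields[0] == user:  # "chuugar:33" (no count) is skipped
            ranges.append((int(fields[1]), int(fields[2])))
    return ranges


def host_range_delegated(hostid, count, subid_ranges, own_id=None):
    """newuidmap's test: the whole host range must lie inside one delegated range.

    ASSUMPTION: a one-id mapping of the caller's own uid/gid is accepted too; the
    thread's working config maps host uid 1000 (the user's own uid) with only
    100000:65536 in /etc/subuid. Verify this against the shadow version in use."""
    if count <= 0:
        return False
    if own_id is not None and (hostid, count) == (own_id, 1):
        return True
    return any(s <= hostid and hostid + count <= s + c for s, c in subid_ranges)


def check_idmaps(maps, subids, own_ids=None, max_lines=KERNEL_MAX_EXTENTS):
    """Return a list of problems (empty means sound); subids/own_ids are keyed "u"/"g"."""
    own_ids = own_ids or {}
    problems = []
    for kind in ("u", "g"):
        rows = sorted((m for m in maps if m.kind == kind), key=lambda m: m.nsid)
        if len(rows) > max_lines:
            problems.append(f"{kind}: {len(rows)} lines exceed the kernel limit of {max_lines}")
        prev_end = 0
        for m in rows:
            ns = f"[{m.nsid}-{m.nsid + m.count})"
            if m.count <= 0:
                problems.append(f"{kind}: empty range {ns} -> host {m.hostid}")
                continue
            if not host_range_delegated(m.hostid, m.count, subids.get(kind, []), own_ids.get(kind)):
                problems.append(f"{kind}: host range [{m.hostid}-{m.hostid + m.count}) "
                                f"not delegated in /etc/sub{kind}id")
            if m.nsid < prev_end:
                problems.append(f"{kind}: container range {ns} overlaps an earlier one")
            prev_end = max(prev_end, m.nsid + m.count)
    return problems


def unmapped_container_ids(maps, kind, upper=65536):
    """Container ids in [0, upper) that no lxc.idmap line of this kind covers."""
    covered = sorted((m.nsid, m.nsid + m.count) for m in maps if m.kind == kind and m.count > 0)
    gaps, cursor = [], 0
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, min(start, upper)))
        cursor = max(cursor, end)
        if cursor >= upper:
            break
    if cursor < upper:
        gaps.append((cursor, upper))
    return gaps


# Constructed sample inputs, taken from the configs posted in the thread.
FIRST_ATTEMPT = ("lxc.idmap = u 0 100000 1000\nlxc.idmap = g 0 100000 1000\n"
                 "lxc.idmap = u 33 1000 0\nlxc.idmap = g 33 1000 0\n")
FIRST_SUBID = "chuugar:100000:1000\nchuugar:33:1\n"
STARTS_BUT_PARTIAL = ("lxc.idmap = u 0 100000 33\nlxc.idmap = g 0 100000 33\n"
                      "lxc.idmap = u 33 1000 1\nlxc.idmap = g 33 1000 1\n")
OVERLAPPING = STARTS_BUT_PARTIAL + "lxc.idmap = u 0 100034 65535\nlxc.idmap = g 0 100034 65545\n"
FINAL = STARTS_BUT_PARTIAL + "lxc.idmap = u 34 100034 65502\nlxc.idmap = g 34 100034 65502\n"
FINAL_SUBID = "chuugar:100000:65536\n"  # assumed for the partial and overlapping configs too
OWN_IDS = {"u": 1000, "g": 1000}  # chuugar is 1000:1000 on the host


def audit(config_text, subid_text, user="chuugar", own_ids=OWN_IDS):
    """Run both checks; returns (problems, container uid ranges left unmapped)."""
    maps = parse_idmap_lines(config_text)
    subids = {k: parse_subid(subid_text, user) for k in ("u", "g")}  # subuid == subgid here
    return check_idmaps(maps, subids, own_ids), unmapped_container_ids(maps, "u")


if __name__ == "__main__":
    for name, cfg, sub in [("first attempt", FIRST_ATTEMPT, FIRST_SUBID),
                           ("starts but partial", STARTS_BUT_PARTIAL, FINAL_SUBID),
                           ("overlapping", OVERLAPPING, FINAL_SUBID),
                           ("final", FINAL, FINAL_SUBID)]:
        problems, gaps = audit(cfg, sub)
        print(f"{name}: {problems or 'ok'}; unmapped container uids: {gaps}")
```

Run it as is and the first attempt is reported as two empty ranges, the partial config as sound but leaving 34-65535 unmapped, the overlapping attempt as both a non-delegated host range (100034+65535 runs past the end of the 100000:65536 delegation) and overlapping container ranges, and the final config as clean with no gaps. To check a real host, read /home/<user>/.local/share/lxc/<name>/config and /etc/subuid and /etc/subgid into the parse functions and pass the separate subuid and subgid ranges in the subids dict.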