newuidmap error when creating or destroying a container

I’m new to lxc. I followed the documentation to create an unprivileged container, but I get multiple errors when I create or destroy one.
I don’t understand this concept of mapping and uid.

When I create, I get this:

$ lxc-create -n $USER-alpine -t download -- -d alpine -r 3.19 -a amd64
lxc 20240428123120.584 ERROR    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:245 - newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 11529 0 100000 65536 0 100000 65536 65536 1000 1
Failed to write id mapping for child process
lxc 20240428123120.584 ERROR    utils - ../src/lxc/utils.c:lxc_drop_groups:1570 - Operation not permitted - Failed to drop supplimentary groups
lxc 20240428123120.584 ERROR    utils - ../src/lxc/utils.c:lxc_switch_uid_gid:1545 - Invalid argument - Failed to switch to gid 0
lxc-create: arnaud-alpine: ../src/lxc/lxccontainer.c: create_run_template: 1589 Failed to create container from template
lxc-create: arnaud-alpine: ../src/lxc/idmap_utils.c: lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 11531 0 100000 65536 0 100000 65536 65536 1000 1
lxc-create: arnaud-alpine: ../src/lxc/conf.c: userns_exec_full: 4812 error setting up {g,u}id mappings for child process "11531"
lxc-create: arnaud-alpine: ../src/lxc/lxccontainer.c: container_destroy: 2956 Error destroying rootfs for arnaud-alpine
lxc-create: arnaud-alpine: ../src/lxc/tools/lxc_create.c: lxc_create_main: 318 Failed to create container arnaud-alpine

But afterwards, I have the containers:

$ lxc-ls -f                   
NAME          STATE   AUTOSTART GROUPS IPV4 IPV6 UNPRIVILEGED 
arnaud-alpine STOPPED 0         -      -    -    true         
mycontainer   STOPPED 0         -      -    -    true

And if I want to destroy:

$ lxc-destroy -n mycontainer 
lxc-destroy: mycontainer: ../src/lxc/idmap_utils.c: lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 13086 0 100000 65536 0 100000 65536 65536 1000 1
lxc-destroy: mycontainer: ../src/lxc/conf.c: userns_exec_full: 4812 error setting up {g,u}id mappings for child process "13086"
lxc-destroy: mycontainer: ../src/lxc/lxccontainer.c: container_destroy: 2956 Error destroying rootfs for mycontainer
lxc-destroy: mycontainer: ../src/lxc/tools/lxc_destroy.c: do_destroy: 110 Destroying mycontainer failed

In default.conf:

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

In the /etc/sub{u,g}id files:

sudo cat /etc/subuid
arnaud:100000:65536
root:100000:65536

sudo cat /etc/subgid
arnaud:100000:65536
root:100000:65536

Can anyone help me?

For operations on an existing container, the content of /etc/lxc/default.conf doesn’t matter; what matters is /var/lib/lxc/mycontainer/config

But the documentation does not say to modify this file so that a non-root user can manipulate containers. Is the documentation up to date?

Oops, the mention was mostly because of destroy failing where it could have explained a difference in behavior between create working and destroy failing, but since create also fails, that’s something else.

The error appears to be Failed to drop supplimentary groups rather than an issue with the maps themselves.

Can you show the result of id for your user?

The id command returns:

$ id
uid=1000(arnaud) gid=1000(arnaud) groupes=1000(arnaud),963(libvirt),992(kvm),998(wheel)

To be precise, I run the commands with my username, and I have installed lxc on Arch Linux:

$ neofetch
                   -`                    arnaud@helios-d 
                  .o+`                   --------------- 
                 `ooo/                   OS: Arch Linux x86_64 
                `+oooo:                  Host: G5 KF5 
               `+oooooo:                 Kernel: 6.8.7-arch1-2 
               -+oooooo+:                Uptime: 7 mins 
             `/:-:++oooo+:               Packages: 924 (pacman), 42 (flatpak) 
            `/++++/+++++++:              Shell: zsh 5.9 
           `/++++++++++++++:             Resolution: 1920x1080 
          `/+++ooooooooooooo/`           DE: GNOME 46.1 
         ./ooosssso++osssssso+`          WM: Mutter 
        .oossssso-````/ossssss+`         WM Theme: Adwaita 
       -osssssso.      :ssssssso.        Theme: Adwaita [GTK2/3] 
      :osssssss/        osssso+++.       Icons: Adwaita [GTK2/3] 
     /ossssssss/        +ssssooo/-       Terminal: kgx 
   `/ossssso+/:-        -:/+osssso+-     CPU: 13th Gen Intel i7-13620H (16) @ 4.700GHz 
  `+sso+:-`                 `.-/+oso:    GPU: Intel Raptor Lake-P [UHD Graphics] 
 `++:.                           `-/+/   GPU: NVIDIA GeForce RTX 4060 Max-Q / Mobile 
 .`                                 `/   Memory: 2483MiB / 39820MiB

@amikhalitsyn any idea what could cause the failure to drop supplementary groups here?

Hello,

I’m back for news. Can you help me?

Good morning,

This is an unprivileged container that you are trying to create (a priori yes, since the console prompt is $ and not #)?
In this case, are your idmaps defined in /home/$USER/.config/lxc/default.conf and not in /etc/lxc/default.conf?

@+
(I only speak French: sorry in advance for the bad translations…)

I guess it’s because GID mapping wasn’t set properly. Kernel forbids setgroup syscall if GID mapping is empty (linux/kernel/user_namespace.c at dd5a440a31fae6e459c0d6271dddd62825505361 · torvalds/linux · GitHub).

@arnsk as I can see from the logs:

lxc 20240428123120.584 ERROR    idmap_utils - ../src/lxc/idmap_utils.c:lxc_map_ids:245 - newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 11529 0 100000 65536 0 100000 65536 65536 1000 1

for some reason, you have the same UID mapping specified twice.
See:
newuidmap 11529 0 100000 65536 0 100000 65536 65536 1000 1
means that you want to set the following UID maps for the process with PID=11529:

- 0 100000 65536
- 0 100000 65536 (oops! again!)
- 65536 1000 1

I would suggest checking all LXC configuration files to see if you (probably) have duplicate entries like lxc.idmap = u 0 100000 65536 a few times. If so, just remove the duplicates and it should work.

Also, I don’t understand why you have a 65536 1000 1 mapping. Where does it come from?
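To make the two points above concrete (the kernel refusing setgroups() while gid_map is empty, and newuidmap failing with "Invalid argument" when the same extent appears twice), here is a small diagnostic added to this thread. It is not LXC's code, not shadow's newuidmap, and not anything a participant posted: it parses the newuidmap argument list from the log into inner/outer/count triples, applies the kernel's rule that extents may not overlap on either side, and compares the host-side ranges against /etc/subuid. The argument list and the /etc/subuid content are taken from the posts above; the function names are the example's own.

```python
"""Added diagnostic (not LXC's or the thread's code): parse the argv that LXC
passes to newuidmap/newgidmap and apply the kernel's acceptance rules for a
uid_map/gid_map write, so duplicate lxc.idmap lines are visible before the
write fails with "Invalid argument" (EINVAL)."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Extent:
    inner: int  # first id as seen inside the user namespace
    outer: int  # first host id it maps onto
    count: int  # length of the range


def parse_newidmap_args(argv: List[str]) -> Tuple[int, List[Extent]]:
    """Split 'newuidmap PID inner outer count [inner outer count ...]'."""
    if len(argv) < 2 or argv[0] not in ("newuidmap", "newgidmap"):
        raise ValueError("expected a newuidmap/newgidmap command line")
    nums = [int(x) for x in argv[2:]]
    if len(nums) % 3:
        raise ValueError("mappings must be inner/outer/count triples")
    extents = [Extent(*nums[i:i + 3]) for i in range(0, len(nums), 3)]
    return int(argv[1]), extents


def _ranges_overlap(s1: int, n1: int, s2: int, n2: int) -> bool:
    return s1 < s2 + n2 and s2 < s1 + n1


def validate_extents(extents: List[Extent]) -> List[str]:
    """Complaints the kernel would raise; an empty list means the map is accepted.

    The kernel rejects a map whose extents overlap on either the inner or the
    outer side (a duplicate line is the degenerate case), and while gid_map is
    still empty it also refuses setgroups(), which is what the
    "Failed to drop supplementary groups" error in the log reflects."""
    problems = []
    if not extents:
        problems.append("empty map: setgroups() is refused until gid_map is written")
    for e in extents:
        if e.count <= 0:
            problems.append(f"{e}: count must be positive")
    for i, a in enumerate(extents):
        for b in extents[i + 1:]:
            if a == b:
                problems.append(f"duplicate extent: {a.inner} {a.outer} {a.count}")
            elif (_ranges_overlap(a.inner, a.count, b.inner, b.count)
                  or _ranges_overlap(a.outer, a.count, b.outer, b.count)):
                problems.append(f"overlapping extents: {a} and {b}")
    return problems


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse /etc/subuid or /etc/subgid into {name: [(start, count), ...]}."""
    allowed: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        allowed.setdefault(name, []).append((int(start), int(count)))
    return allowed


def uncovered_extents(extents: List[Extent], user: str,
                      allowed: Dict[str, List[Tuple[int, int]]]) -> List[Extent]:
    """Extents whose host-side range is not inside one of the user's sub{u,g}id
    ranges. The real newuidmap applies further policy of its own on top of
    this check; that policy is not modelled here."""
    return [e for e in extents
            if not any(start <= e.outer and e.outer + e.count <= start + count
                       for start, count in allowed.get(user, []))]


# Input taken from the thread: the failing newuidmap call and /etc/subuid.
THREAD_ARGV = "newuidmap 11529 0 100000 65536 0 100000 65536 65536 1000 1".split()
THREAD_SUBUID = "arnaud:100000:65536\nroot:100000:65536\n"


def diagnose(argv: List[str], subid_text: str, user: str) -> Dict[str, object]:
    """Combine the kernel-side and sub{u,g}id-side checks into one report."""
    pid, extents = parse_newidmap_args(argv)
    return {
        "pid": pid,
        "extents": extents,
        "kernel_problems": validate_extents(extents),
        "outside_subid": uncovered_extents(extents, user, parse_subid(subid_text)),
    }


if __name__ == "__main__":
    report = diagnose(THREAD_ARGV, THREAD_SUBUID, "arnaud")
    for key, value in report.items():
        print(f"{key}: {value}")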

I just followed the doc. I modified the /etc/sub{u,g}id files and /etc/lxc/default.conf for root.
Then I copied the default.conf file and added the user uid and gid (the range is the same as root’s).
Then it talks about Ubuntu, but since I’m on Arch I also consulted the Arch doc, which doesn’t change anything from the official LXC doc.

On the other hand, I hadn’t seen that the command to create a container was different between root and a user.
The first time I just did a lxc-create with my user account, whereas I see that you have to use systemd-run before lxc-create.
Sorry, I misread. On the other hand, since this has created containers that neither root nor my user can delete, I don’t see how to remove them.

I can’t see any problem with /etc/sub{u,g}id files in your case.

As I said before, the problem might be that you have excessive (duplicate) lxc.idmap = u ... lines in your configuration. Please show the ~/.config/lxc/default.conf contents and also /var/lib/lxc/mycontainer/config and /var/lib/lxc/arnaud-alpine/config.

Then I copied the default.conf file and added the user uid and gid (the range is the same as root’s).

I’m sorry, I don’t understand this. Have you copied /etc/lxc/default.conf file manually? Where have you placed a copy (which path)?

@arnsk if I read you correctly, it appears that you’re following some guidelines in configuring lxc; could you point us to them… maybe it would be easier to deal with :slight_smile:

If you could post the output of:

cat ~/.config/lxc/default.conf
cat /var/lib/lxc/arnaud-alpine/config

It could help identify the problem :slight_smile:

Are there any errors related to LXC or LXD.DAEMON in your syslog?
cat /var/log/syslog | grep "lxc" | grep "error"
cat /var/log/syslog | grep "lxd" | grep "error"

Sometimes error messages are helpful :slight_smile:

/joen

I followed the documentation correctly, but I made a mistake in the container creation command line.
I used
lxc-create --name mycontainer --template download
instead of
systemd-run --unit=my-unit --user --scope -p "Delegate=yes" -- lxc-create --name mycontainer --template download

That is what created the errors in my first post. And as I said, I now have two containers that I can’t delete with my user account, and the root account doesn’t see them.

This is my default.conf:

cat .config/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

I don’t have a /var/log/syslog file. There is a file /var/log/lxc/lxc.log but it’s empty.