Nobody:nogroup ownership in unprivileged container

Dear,

First of all, thanks for your help. First containers launched, and I managed to mount /var/lib/docker using btrfs while the whole system uses zfs → my build time in docker dropped from 30 minutes to 1 to build the same package 🙂

Now another problem, this time about mounting a classical disk in both a privileged and an unprivileged container.

On the host I created the lxd group by hand (it was missing).
Host:

root@server:~# egrep '(root|lxd)' /etc/subuid
root:100000:65536
lxd:100000:65536
develop:1017504:65536
root@server:~# egrep '(root|lxd)' /etc/subgid
root:100000:65536
lxd:100000:65536
develop:1017504:65536

Note: I had to add lxd to this file using vi. I do not know if that is the right way.

Here is my disk that I want to mount:

root@server:~# ls -l /disks
drwxr-xr-x 19 develop  develop   4096 Aug 18 01:15 www

Shiftfs in proc/mount returns nothing in both containers.

Config of privileged container:

root@server:~# lxc config show --expanded c0 | egrep "(priv|idmap)"
  security.privileged: "true"
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'

And listing my disk gives me 1000:

root@server:~# lxc exec c0 -- ls -l /disks
-rwxrwx---  1 1000 1000  332 Jun 25  2020 README

Config of my unprivileged container:

root@server:~# lxc config show --expanded c1 | egrep "(priv|idmap)"
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'

And listing my disk gives me:

root@server:~# lxc exec c1 -- ls -l /disks
-rwxrwx---  1 nobody nogroup  332 Jun 25  2020 README

Side note: I haven't created the develop user in the containers yet. I tried giving root:root to a specific file within the disk, and it showed the same thing.

Any help would be welcome.

How did you add the disk to the instance?

Please can you show your full output of lxc config show <instance> --expanded?

Also, what OS and version are you running on the host?

Thanks

How did you add the disk to the instance

Nothing big:

lxc config device add c0 disks disk source=/disks/www path=/disks

Please can you show your full output of lxc config show --expanded?

Sure.

c0 (privileged)

config:
  image.architecture: amd64
  image.description: Debian buster amd64 (20210817_05:24)
  image.os: Debian
  image.release: buster
  image.serial: "20210817_05:24"
  image.type: squashfs
  image.variant: default
  security.nesting: "true"
  security.privileged: "true"
  volatile.base_image: 576fb563ea143ea03bffa97c40ccaaa13ca93c71d1be3135260aa1d6e258eddf
  volatile.eth0.host_name: veth9dedccb4
  volatile.eth0.hwaddr: 00:16:3e:2a:01:32
  volatile.idmap.base: "0"
  volatile.idmap.current: '[]'
  volatile.idmap.next: '[]'
  volatile.last_state.idmap: '[]'
  volatile.last_state.power: RUNNING
  volatile.uuid: eecc266c-8e3a-4c58-a854-928a4de2d907
  volatile.vmbr2.host_name: vethfee0440d
  volatile.vmbr2.hwaddr: 00:16:3e:99:f7:65
  volatile.vmbr2.name: eth1
devices:
  disks:
    path: /disks
    source: /disks/www
    type: disk
  eth0:
    ipv4.address: 192.168.2.99
    name: eth0
    nictype: bridged
    parent: vmbr2
    type: nic
  root:
    path: /
    pool: default
    type: disk
  vmbr2:
    nictype: bridged
    parent: vmbr2
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""

For c1 (unprivileged)

architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian buster amd64 (20210819_05:24)
  image.os: Debian
  image.release: buster
  image.serial: "20210819_05:24"
  image.type: squashfs
  image.variant: default
  volatile.base_image: fd7f927eccfe270452727e1c9bc145de7565cb84a8935806293ed42e8b0a8d34
  volatile.idmap.base: "0"
  volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
  volatile.last_state.power: RUNNING
  volatile.uuid: 87cf019e-a4fb-4cd0-8a08-9a8fe63c74e9
  volatile.vmbr0.host_name: vetha14c2ac7
  volatile.vmbr0.hwaddr: 00:16:3e:b9:28:81
  volatile.vmbr2.host_name: vethc0d0a72d
  volatile.vmbr2.hwaddr: 00:16:3e:bc:ec:31
  volatile.vmbr3.host_name: vethcd4a13a8
  volatile.vmbr3.hwaddr: 00:16:3e:4d:e5:b8
devices:
  disks:
    path: /disks
    source: /disks/www
    type: disk
  root:
    path: /
    pool: default
    type: disk
  vmbr0:
    ipv4.address: 10.x.x.x
    name: vmbr0
    nictype: bridged
    parent: vmbr0
    type: nic
  vmbr2:
    ipv4.address: 192.168.2.110
    name: vmbr2
    nictype: bridged
    parent: vmbr2
    type: nic
  vmbr3:
    ipv4.address: 192.168.3.110
    name: vmbr3
    nictype: bridged
    parent: vmbr3
    type: nic
ephemeral: false
profiles:
- default
stateful: false
description: ""

You didn’t answer my question about host OS, but assuming it supports shiftfs, you can do:

lxc config device set c0 disks shift=true

See Instances | LXD
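Why the same README shows as 1000:1000 in c0 but nobody:nogroup in c1 can be worked out from the idmap strings in the configs above: c1's only range maps container ids 0..999999999 onto host ids starting at 1000000, so host uid 1000 has no identity inside c1. The Python below is an added example, not code from the thread or from LXD; it replays that range lookup on those exact map entries and assumes the kernel's overflow id 65534 is what `ls` prints as nobody/nogroup.

```python
import json

# idmap strings copied from the thread's `lxc config show --expanded` output
C0_IDMAP = '[]'   # privileged container: empty map, ids pass through unchanged
C1_IDMAP = ('[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},'
            '{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]')

NOBODY = 65534   # kernel overflowuid/overflowgid, shown as nobody:nogroup


def host_to_container(idmap_json, host_id, is_uid=True):
    """What a process inside the container sees for a host uid/gid.

    Empty map = no user namespace (privileged): identity mapping.
    A host id outside every mapped range has no in-container identity,
    so the kernel reports the overflow id (65534 -> nobody / nogroup).
    """
    entries = json.loads(idmap_json)
    if not entries:
        return host_id
    for e in entries:
        if not (e["Isuid"] if is_uid else e["Isgid"]):
            continue
        lo, hi = e["Hostid"], e["Hostid"] + e["Maprange"]
        if lo <= host_id < hi:
            return e["Nsid"] + (host_id - lo)
    return NOBODY


def container_to_host(idmap_json, ns_id, is_uid=True):
    """Which host uid/gid a container-side id actually writes to disk as.

    Returns None for a container id no range backs (it cannot own files).
    """
    entries = json.loads(idmap_json)
    if not entries:
        return ns_id
    for e in entries:
        if not (e["Isuid"] if is_uid else e["Isgid"]):
            continue
        lo, hi = e["Nsid"], e["Nsid"] + e["Maprange"]
        if lo <= ns_id < hi:
            return e["Hostid"] + (ns_id - lo)
    return None


if __name__ == "__main__":
    # README is owned by host uid/gid 1000 in the thread's listings
    print("c0 sees", host_to_container(C0_IDMAP, 1000), host_to_container(C0_IDMAP, 1000, False))
    print("c1 sees", host_to_container(C1_IDMAP, 1000), host_to_container(C1_IDMAP, 1000, False))
    print("c1 uid 1000 writes files as host uid", container_to_host(C1_IDMAP, 1000))
```

This is the gap shift=true closes: without shiftfs, a user created as uid 1000 inside c1 writes to the bind mount as host uid 1001000 and still cannot match the host's 1000-owned files.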

Sorry for the miss.

root@server:~# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
root@server:~# lxc config device set c0 disks shift=true
Error: Failed to start device "disks": Required idmapping abilities not available
root@server:~# lxc config device set c1 disks shift=true
Error: Failed to start device "disks": Required idmapping abilities not available

Seems not good, however:

root@server:~# modinfo shiftfs 
filename:       /lib/modules/5.4.114-1-pve/kernel/fs/shiftfs.ko
license:        GPL v2
description:    id shifting filesystem
author:         Christian Brauner <christian.brauner@ubuntu.com>
author:         Seth Forshee <seth.forshee@canonical.com>
author:         James Bottomley
alias:          fs-shiftfs
srcversion:     225AF9C817280FFD72CB9A8
depends:        
retpoline:      Y
intree:         Y
name:           shiftfs
vermagic:       5.4.114-1-pve SMP mod_unload modversions

Is it loaded? lsmod | grep shiftfs?

I followed this link: Trying out `shiftfs`

Now /disks is 1000:1000 (it seems it hadn't been remapped when I unset privileges).

Yes it is:

root@server:~# lsmod | grep shiftfs
shiftfs                28672  2

So that's working now, right? Because the uid is 1000:1000?

YES!

The missing part was that I hadn't created the user in the container. So I added it with 1000 as uid.

Works now.
Thanks a lot!