Problem mounting directory between host and unprivileged container (idmapping)

Hello guys !

I’m a developer, in charge of our dedicated server (and enjoying it), but I’m encountering my limits on LXC/LXD containers…
I’ve read many tutorials and explanations about the theory and I’m still stuck with my problem.

Context
Dedicated Ubuntu 16.04 LTS, with LibLxcl version 2.0.8.

Problem
I’m trying to create a shared folder between the host and the container. The mounted folder works well, but the resulting directory (and its subdirectories and files) inside the container is owned by “nobody:nogroup” (65534:65534).

My host subuid/subgid:

lxd:100000:65536
root:100000:65536

My user profile:

name: root
config:
  raw.lxc: |
    lxc.id_map =
    lxc.id_map = u 0 100000 65536
    lxc.id_map = g 0 100000 65536
  user.vendor-data: |
    users:
      - name: root
        groups: sudo
        shell: /bin/bash
        sudo: ALL=(ALL) NOPASSWD:ALL
    packages:
      - bash

My container config:

architecture: x86_64
config:
  boot.autostart: "1"
  volatile.base_image: 069b95ed3a60645ee1905b7625a468d1357f00bd61bf096fc597063c6ed42cf1
  volatile.eth0.hwaddr: 00:16:3e:c3:25:c7
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgi$
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":100000,"Nsid":0,"Maprange":65536},{"Isuid":false$
  volatile.last_state.power: RUNNING
devices:
  root:
    path: /
    type: disk
  project_ssl_stats:
    path: /SSL/stats.project
    source: /var/SSL_certificates/stats.project
    type: disk
  project_ssl_sync:
    path: /SSL/sync.project
    source: /var/SSL_certificates/sync.project
    type: disk
ephemeral: false
profiles:
- root
stateful: false
description: ""

The shared directories on the host are owned by root.

I know that my understanding of Linux’s user mechanisms is limited, but I don’t understand why this config set doesn’t work, because it looks like all the samples I’ve already seen from many sources.

Oh, and a simple/optional/curiosity question:
why does the user config file need an empty “lxc.id_map =”?

Can someone help me? :disappointed_relieved:

This may be useful to you: https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/

In general I’d recommend staying away from directly messing with the id map in raw.lxc, LXD has much nicer abstractions for that today which lets you specify exactly what mapping you want for stuff that’s shared with your host.


Thanks for your response, stgraber.

I removed my custom settings, applied the default profile to my container, emptied my subuid/subgid, and ran the process from the link you sent me.

The result is strictly the same :confused:
In the container, the directory is owned by nobody:nogroup (65534:65534).

What did I do after the reset?

printf "lxd:$(id -u):1\nroot:$(id -u):1\n" | sudo tee -a /etc/subuid

printf "lxd:$(id -g):1\nroot:$(id -g):1\n" | sudo tee -a /etc/subgid

So subuid/subgid contain:
lxd:0:1
root:0:1

systemctl restart lxd
printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set test raw.idmap -

Result:
error: LXD doesn't have a uid/gid allocation. In this mode, only privileged containers are supported.

So, as explained at the top of the link, I edited subuid/subgid manually (excuse me…):

lxd:100000:1000000000
root:100000:1000000000

Then I did again:

systemctl restart lxd
printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set test raw.idmap -

It terminated without error.

Finally I did:

lxc restart MY-CONTAINER

And in the container, as noted, the directory is owned by nobody.

Am I obliged to do “per-container maps” or use a “privileged container”?
:roll_eyes:

So with that configuration, something which is owned by uid 1000 on the host will show up as owned by uid 1000 in the container, but that’s only true for uid 1000.

You can adjust raw.idmap to map what you need from the host.

If you need everything or if you need uid 0 from the host mapped, then yeah, a privileged container would be preferable.

I must be dumb.
I don’t want to use privileged containers, but I need a shared directory with read/write enabled.

Dumb, but lucky…
I tried to adjust the container idmap, and now it works!
But I don’t know why.
And I haven’t used the correct methods (subuid/subgid edited directly and profiles edited manually).

What I did:

In /etc/subuid + /etc/subgid:

lxd:100000:1000000000
root:100000:1000000000

In the MY-CONTAINER config:

raw.idmap: |-
  uid 0 0
  gid 0 0

But I don’t understand why it works…
I think that the mapping makes a direct link between host and container IDs, but when I do

lxc config get MY-CONTAINER security.privileged

I don’t get “true”. It just returns a blank result.
Not “true”. So it’s not privileged…?
If it’s not privileged, why is the mounted directory in the container owned by root…?

Do I have to do

lxc config set MY-CONTAINER security.nesting true

?

Apologies for taking your time :roll_eyes:

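To make the ownership results seen in this thread concrete, here is an added Python example (not code from the thread, and not LXD's own code) that models how a container's id map translates host uids/gids into what `ls -l` shows inside the container. It assumes entries in the shape LXD stores in `volatile.idmap.next` (`Hostid`, `Nsid`, `Maprange`, uid/gid flags), the kernel's overflow id 65534 for an id that has no mapping (the "nobody:nogroup" seen above), `raw.idmap` lines of the form `uid|gid|both <host> <container>` with optional `lo-hi` ranges, and `/etc/subuid`-style `name:start:count` lines. The rule that `raw.idmap` entries are consulted before the default 100000+ range, and all helper names, are this example's own assumptions.

```python
"""Added example: model LXD-style uid/gid mapping for a shared host directory.

Not code from the thread or from LXD; helper names and the precedence rule
(raw.idmap entries are consulted before the container's default range) are
this example's assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Kernel overflow ids: an id with no mapping into the namespace shows up as
# these (the "nobody:nogroup" 65534:65534 seen inside the container).
OVERFLOW_ID = 65534


@dataclass(frozen=True)
class IdmapEntry:
    """One entry in the shape LXD stores in volatile.idmap.next."""
    isuid: bool
    isgid: bool
    hostid: int    # first host id of the range
    nsid: int      # first container (namespace) id of the range
    maprange: int  # number of consecutive ids mapped


def default_map(base: int = 100000, size: int = 65536) -> List[IdmapEntry]:
    """Unprivileged default: container 0..size-1 -> host base..base+size-1."""
    return [IdmapEntry(True, False, base, 0, size),
            IdmapEntry(False, True, base, 0, size)]


def _parse_range(token: str):
    """'1000' -> (1000, 1); '1000-1010' -> (1000, 11)."""
    if "-" in token:
        lo, hi = (int(x) for x in token.split("-", 1))
        if hi < lo:
            raise ValueError(f"descending range: {token}")
        return lo, hi - lo + 1
    return int(token), 1


def parse_raw_idmap(text: str) -> List[IdmapEntry]:
    """Parse raw.idmap lines '<uid|gid|both> <host> <container>' (ranges allowed)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in ("uid", "gid", "both"):
            raise ValueError(f"bad raw.idmap line: {line!r}")
        host, hsize = _parse_range(parts[1])
        ns, nsize = _parse_range(parts[2])
        if hsize != nsize:
            raise ValueError(f"host/container ranges differ in size: {line!r}")
        entries.append(IdmapEntry(parts[0] in ("uid", "both"),
                                  parts[0] in ("gid", "both"), host, ns, hsize))
    return entries


def host_to_container(entries: List[IdmapEntry], host_id: int, uid: bool = True) -> int:
    """What a file owned by host_id looks like from inside the container."""
    for e in entries:
        if not (e.isuid if uid else e.isgid):
            continue
        if e.hostid <= host_id < e.hostid + e.maprange:
            return e.nsid + (host_id - e.hostid)
    return OVERFLOW_ID  # no mapping for this host id -> nobody/nogroup


def container_to_host(entries: List[IdmapEntry], ns_id: int, uid: bool = True) -> Optional[int]:
    """Which host id a container process running as ns_id acts as; None if unmapped."""
    for e in entries:
        if not (e.isuid if uid else e.isgid):
            continue
        if e.nsid <= ns_id < e.nsid + e.maprange:
            return e.hostid + (ns_id - e.nsid)
    return None


def subid_covers(subid_text: str, user: str, first: int, count: int) -> bool:
    """Does /etc/subuid-style text give `user` the whole range [first, first+count)?"""
    for line in subid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, size = line.split(":")
        if name == user and int(start) <= first and first + count <= int(start) + int(size):
            return True
    return False


def effective_map(raw_idmap: str) -> List[IdmapEntry]:
    """raw.idmap entries first, then the default range (this example's precedence rule)."""
    return parse_raw_idmap(raw_idmap) + default_map()


if __name__ == "__main__":
    for raw in ("", "uid 1000 1000\ngid 1000 1000", "uid 0 0\ngid 0 0"):
        m = effective_map(raw)
        print(f"raw.idmap={raw!r}: host uid 0 -> {host_to_container(m, 0)}, "
              f"host uid 1000 -> {host_to_container(m, 1000)}")
```

Run as a script, the three cases reproduce the thread: with only the default map, host uid 0 is outside 100000..165535, so a root-owned host directory appears as 65534 (nobody); `uid 1000 1000` identity-maps exactly that one id and nothing else, which is stgraber's point; `uid 0 0` maps host root to container root, so the directory appears root-owned even though `security.privileged` is unset, because every other container id still lands at 100000 and above. The practical consequence for the last case is that the container's root writes to that shared directory as host root, so only the ids the shared data actually needs should be carved out this way. `subid_covers` shows why a one-id allocation such as `lxd:0:1` cannot back the 65536-wide default range, whereas `lxd:100000:1000000000` can.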