Problems with id mapping with LXD 3.0.0


(Stephen Nesbitt) #1

All:

I can’t seem to get LXD to recognize id mappings. What am I missing??

Here is what I have in /etc/subuid:

lxd:165536:65536
root:165536:65536
bitbucket:231072:65536
ansible:296608:65536

Here’s /etc/subgid:

lxd:165536:65536
root:165536:65536
bitbucket:231072:65536
ansible:296608:65536

But when I start the lxd daemon the output shows the following mapping:

lvl=info msg="LXD 3.0.0 is starting in normal mode" path=/var/snap/lxd/common/lxd t=2018-04-26T20:57:02+0000
lvl=info msg="Kernel uid/gid map:" t=2018-04-26T20:57:02+0000
lvl=info msg=" - u 0 0 4294967295" t=2018-04-26T20:57:02+0000
lvl=info msg=" - g 0 0 4294967295" t=2018-04-26T20:57:02+0000
lvl=info msg="Configured LXD uid/gid map:" t=2018-04-26T20:57:02+0000
lvl=info msg=" - u 0 1000000 1000000000" t=2018-04-26T20:57:02+0000
lvl=info msg=" - g 0 1000000 1000000000" t=2018-04-26T20:57:02+0000

Thx in advance,

-steve


(Stéphane Graber) #2

That’s expected as the LXD snap doesn’t know about /etc/subuid and /etc/subgid, instead running with a much larger range that’s typically enough for any uses and without restrictions as to what uid/gid it can use if needed.

Is there a particular reason that you need your containers on the 165536 -> 165536+65536 range?


(Stephen Nesbitt) #3

I’m logging in via a Samba-provided Windows ADC which has assigned me a user id of uid=1640001106.

I suspect this is causing some issues with chown and the like.

-steve


(Stéphane Graber) #4

Hmm, yeah, that might get you past the 1000000000 uids/gids you get in your container. You’d have the same problem with the original map though.

Your best bet is to tweak your samba config to use a lower base uid or a different way of assigning them. I’m using sssd here for samba4 authentication and those uids usually start around 200000 instead.


(Stephen Nesbitt) #5

Thanks for the info. I’ve turned ldap_id_mapping to false in /etc/sssd.conf and my userid is now 10006. We’ll see if this fixes the problem.

And FYI, there is a ton of information on the web that directs one to modify the /etc/subuid and /etc/subgid files as one means of dealing with user/group mapping. Information that is evidently incorrect with regard to LXD installed as a snap.

Thx for the help!

-steve


(Stéphane Graber) #6

Yeah, subuid/subgid has been enough of a pain for people to figure out that we’ve decided to not care about it with the snap. The mechanism was designed to enforce slices of uids/gids on a per-user basis, assuming that every user on a system would get their own allocation.

This was and still is used by some users of completely unprivileged LXC, but those are a very small minority. Everyone else runs container managers as root where it makes little sense to go through subuid/subgid when you can access any uid/gid directly anyways.


(Daniel Clavijo Coca) #7

Would it be possible to edit the uids and gids somewhere in the lxd snap, like in /etc/? I cannot find the configuration file.


(Stéphane Graber) #8

No, the snap environment lacks newuidmap/newgidmap, so those two files wouldn’t actually do anything.

If you want a particular map for a container, you can do it through LXD configuration by setting security.idmap.base and security.idmap.size


(Daniel Clavijo Coca) #9

ok, thanks


#10

Do the security.idmap settings actually work with LXD v3.8 snap version? Because when I try they have no impact:

ubuntu@ubuntu% lxc launch ubuntu:18.04 test-lxc8 -c security.idmap.base=165536 -c security.idmap.size=65536
Creating test-lxc8
Starting test-lxc8

ubuntu@ubuntu% lxc exec test-lxc8 -- cat /proc/self/uid_map
     0    1000000 1000000000

ubuntu@ubuntu% lxc config show test-lxc8 | grep idmap
security.idmap.base: "165536"
security.idmap.size: "65536"
volatile.idmap.base: "0"
volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'

#11

Ok, one hour later I figured this out myself:

In LXD 3.8 snap version the values for security.idmap.base and security.idmap.size are only considered if you also set security.idmap.isolated=true! The result is as expected. Thanks for reading.

ubuntu@ubuntu% lxc config show test-lxc8 | grep idmap
security.idmap.base: "165536"
security.idmap.isolated: "true"
security.idmap.size: "65536"
volatile.idmap.base: "165536"
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'

ubuntu@ubuntu% lxc exec test-lxc8 -- cat /proc/self/uid_map
     0     165536      65536
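The two maps discussed in this thread (the default snap map `0 1000000 1000000000` from posts #1 and #10, and the isolated map `0 165536 65536` from post #11) can be checked with a few lines of arithmetic. The following is an added example, not code from the LXD project or from any poster: it parses both formats that appear above (the kernel's `/proc/self/uid_map` lines and LXD's `volatile.idmap.*` JSON), translates ids in both directions, and reports whether a given id is mapped at all. It shows why the AD-assigned uid 1640001106 from post #3 is unusable under either map (it lies outside every mapped range, so `chown` to it fails and files owned by it show up as the overflow id), and why `security.idmap.isolated` matters: two containers on the shared default map reach the same host ids, while isolated maps can be checked for disjointness. The sample inputs are copied from the posts; the function names and the hypothetical second isolated range used in the usage note are assumptions made here.

```python
import json

# Kernel fallback id shown for ids that no map entry covers (the default
# value of /proc/sys/fs/overflowuid and overflowgid).
OVERFLOW_ID = 65534

# Constructed sample inputs, copied from the thread: the default snap map as
# printed by /proc/self/uid_map in post #10, and the isolated map that LXD
# stores in volatile.idmap.next once security.idmap.isolated=true (post #11).
DEFAULT_UID_MAP = "     0    1000000 1000000000\n"
ISOLATED_IDMAP_JSON = (
    '[{"Isuid":true,"Isgid":false,"Hostid":165536,"Nsid":0,"Maprange":65536},'
    '{"Isuid":false,"Isgid":true,"Hostid":165536,"Nsid":0,"Maprange":65536}]'
)
AD_ASSIGNED_UID = 1640001106  # the Samba/AD uid reported in post #3


def parse_proc_map(text):
    """Parse /proc/<pid>/uid_map or gid_map into a list of (nsid, hostid, count).

    Each line maps the container ids nsid..nsid+count-1 onto the host ids
    hostid..hostid+count-1.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed map line: {line!r}")
        nsid, hostid, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive range in map line: {line!r}")
        entries.append((nsid, hostid, count))
    return entries


def parse_lxd_idmap(json_text, uid=True):
    """Parse LXD's volatile.idmap.* JSON into (nsid, hostid, count) tuples.

    uid=True selects the uid entries, uid=False the gid entries; one entry may
    carry both flags, as the default map in post #10 does.
    """
    key = "Isuid" if uid else "Isgid"
    return [(e["Nsid"], e["Hostid"], e["Maprange"])
            for e in json.loads(json_text) if e[key]]


def ns_to_host(entries, ns_id):
    """Host id that container id ns_id maps to, or None if it is unmapped.

    The kernel cannot translate an unmapped id, so inside the container
    chown() to it fails with EINVAL and setuid() to it fails as well.
    """
    for nsid, hostid, count in entries:
        if nsid <= ns_id < nsid + count:
            return hostid + (ns_id - nsid)
    return None


def host_to_ns(entries, host_id):
    """Container id that a host id appears as from inside the container.

    A file owned by a host id outside the map shows up as OVERFLOW_ID ("nobody").
    """
    for nsid, hostid, count in entries:
        if hostid <= host_id < hostid + count:
            return nsid + (host_id - hostid)
    return OVERFLOW_ID


def host_ranges_overlap(map_a, map_b):
    """True if some host id is reachable from both maps.

    Containers whose host ranges overlap can read and chown each other's files
    on shared storage; isolated maps are meant to give each container a
    disjoint host range, which this check verifies.
    """
    for _, host_a, count_a in map_a:
        for _, host_b, count_b in map_b:
            if host_a < host_b + count_b and host_b < host_a + count_a:
                return True
    return False


if __name__ == "__main__":
    default = parse_proc_map(DEFAULT_UID_MAP)
    isolated = parse_lxd_idmap(ISOLATED_IDMAP_JSON)
    print("AD uid under the default map ->", ns_to_host(default, AD_ASSIGNED_UID))
    print("uid 10006 under the default map ->", ns_to_host(default, 10006))
    print("uid 10006 under the isolated map ->", ns_to_host(isolated, 10006))
    print("two containers on the default map overlap:",
          host_ranges_overlap(default, default))
    # Hypothetical second isolated container placed directly after the first.
    print("165536 range vs 231072 range overlap:",
          host_ranges_overlap(isolated, [(0, 231072, 65536)]))
```

Running the block prints `None` for the AD uid under the default map, which is the failure post #4 predicts, and `True` for two containers on the default map, since every container without `security.idmap.isolated` shares the same 1000000..1000999999 host range. The hypothetical second range starting at 231072 is a made-up neighbour used only to show the disjointness check; it is not something LXD allocated in the thread.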