Raw.idmap - newuidmap failed to write mapping

Hi!

I use a host system with my user UID and GID = 1000 and want to use a container which shares a directory from the host system.

incus create ubuntu2310 websurf --profile=default
incus config device add websurf hostfs disk path=/mnt/hostfs source=/home/dv/hostfs

Then I set the custom idmaps:

incus config set websurf raw.idmap='both 1000 1000'

and then start the container and get an error:

[dv@manjaro ~]$ incus start websurf
Error: Failed to run: /usr/bin/incusd forkstart websurf /var/lib/incus/containers /run/incus/websurf/lxc.conf: exit status 1
Try `incus info --show-log websurf` for more info

[dv@manjaro ~]$ incus info --show-log websurf
Name: websurf
Status: STOPPED
Type: container
Architecture: x86_64
Created: 2024/02/29 09:44 MSK
Last Used: 2024/02/29 10:15 MSK

Log:

lxc websurf 20240229071556.860 ERROR    conf - ../src/lxc/conf.c:lxc_map_ids:3701 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1000-1001) not allowed": newuidmap 52593 0 1000000 1000 1000 1000 1 1001 1001001 64535
lxc websurf 20240229071556.860 ERROR    start - ../src/lxc/start.c:lxc_spawn:1788 - Failed to set up id mapping.
lxc websurf 20240229071556.860 ERROR    lxccontainer - ../src/lxc/lxccontainer.c:wait_on_daemonized_start:878 - Received container state "ABORTING" instead of "RUNNING"
lxc websurf 20240229071556.861 ERROR    start - ../src/lxc/start.c:__lxc_start:2107 - Failed to spawn container "websurf"
lxc websurf 20240229071556.861 WARN     start - ../src/lxc/start.c:lxc_abort:1036 - No such process - Failed to send SIGKILL via pidfd 17 for process 52593
lxc 20240229071556.885 ERROR    af_unix - ../src/lxc/af_unix.c:lxc_abstract_unix_recv_fds_iov:218 - Connection reset by peer - Failed to receive response
lxc 20240229071556.885 ERROR    commands - ../src/lxc/commands.c:lxc_cmd_rsp_recv_fds:128 - Failed to receive file descriptors for command "get_init_pid"

My SubUID and SubGID:

cat /etc/sub{uid,gid}

root:1000000:65536
root:1000000:65536

How do I map UID/GID inside the container for user=ubuntu (uid=1000) to the host system user uid=1000?

On my Ubuntu 22.04 cat /etc/sub{uid,gid} shows my user instead of root:

myuser:100000:65536

If you have kernel 6.2+ you can try removing raw.idmap and adding the shared folder with the option shift=true:

incus config device add websurf hostfs disk shift=true path=/mnt/hostfs source=/home/dv/hostfs
1 Like

Hi!

I use Manjaro Linux, which uses the latest kernel, 6.7.6, and if I change the subUID/subGID parameters on my host to dv (my user) instead of root:

[dv@manjaro ~]$ cat /etc/sub{uid,gid}
dv:1000000:65536
dv:1000000:65536

then I get an error for any Incus operation, for example if I recreate the container:

[dv@manjaro ~]$ incus create ubuntu2310 websurf --profile=default

Creating websurf
Error: Failed creating instance record: Failed initialising instance: Invalid config: No uid/gid allocation configured. In this mode, only privileged containers are supported

I tried the shift option; it works for me! Thanks!

You currently have:

root:1000000:65536

In both subuid and subgid.

To allow raw.idmap: both 1000 1000, you’re going to need both files to contain:

root:1000000:65536
root:1000:1
1 Like

Incus only considers allocations for the root user; allocations for other users, even if they match the user interacting with Incus, will not have any effect.

The only reason why @qkiel probably has it working is because their system likely doesn’t have the uidmap package installed and therefore does not actually enforce the content of the subuid/subgid files.

1 Like
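The two answers above come down to one rule: newuidmap/newgidmap only accept a raw.idmap host range if /etc/subuid and /etc/subgid grant that range to root. The script below is an added example (it is not from this thread and not part of Incus) that applies that rule to a pair of subuid/subgid-style files, so you can see before starting the container whether a raw.idmap such as "both 1000 1000" will be refused. The function names, the file paths it takes as arguments and the constructed "before"/"after" file contents are assumptions for illustration; the "before" state matches the original post and the "after" state matches the recommended fix.

```shell
#!/bin/sh
# Added example, not part of the thread or of Incus: check whether a
# /etc/subuid or /etc/subgid style file contains a root allocation that
# covers a given host id. newuidmap/newgidmap from the uidmap package
# reject any mapping whose host range is not granted to root in these
# files, which is the "uid range ... not allowed" error in the log above.

# subid_covers FILE ID: exit 0 if some "root:START:COUNT" line in FILE
# covers ID, exit 1 otherwise. Lines for other users are ignored on
# purpose, because Incus only uses root's allocations.
subid_covers() {
    awk -F: -v id="$2" '
        $1 == "root" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
            if (id + 0 >= $2 + 0 && id + 0 < $2 + $3) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_raw_idmap SUBUID_FILE SUBGID_FILE ID: report which file (if any)
# lacks a root allocation for ID. Exit 0 only when both files cover it.
check_raw_idmap() {
    status=0
    if ! subid_covers "$1" "$3"; then
        echo "subuid: add 'root:$3:1' to $1"
        status=1
    fi
    if ! subid_covers "$2" "$3"; then
        echo "subgid: add 'root:$3:1' to $2"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "ok"
    return "$status"
}

# demo_idmap_check: constructed copies of the two states from the thread.
# Returns 0 when the "before" files are rejected and the "after" files
# are accepted for host id 1000.
demo_idmap_check() {
    dir=$(mktemp -d) || return 1
    # Before: only the large range, as in the original post (constructed).
    printf 'root:1000000:65536\n' > "$dir/subuid.before"
    cp "$dir/subuid.before" "$dir/subgid.before"
    # After: the extra one-id range from the accepted answer (constructed).
    printf 'root:1000000:65536\nroot:1000:1\n' > "$dir/subuid.after"
    cp "$dir/subuid.after" "$dir/subgid.after"

    before=0
    after=0
    check_raw_idmap "$dir/subuid.before" "$dir/subgid.before" 1000 >/dev/null || before=$?
    check_raw_idmap "$dir/subuid.after"  "$dir/subgid.after"  1000 >/dev/null || after=$?
    rm -rf "$dir"
    [ "$before" -ne 0 ] && [ "$after" -eq 0 ]
}

# Usage on a real host (assumed paths): check_raw_idmap /etc/subuid /etc/subgid 1000
```

The check deliberately counts only root's lines, so a host where the files name your own user (as in the Ubuntu 22.04 reply) is reported as not covered even though the container may start there; that matches the explanation that such a host is most likely just not enforcing the files at all.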

This answer allows me for the first time to “understand” the subuid/subgid files. :sweat_smile:

1 Like

Me too. Thanks @stgraber