Setgid: Operation not permitted


(Kaj Wiik) #1

I have an unprivileged container with Ubuntu 18.04 with autossh for remote port forwarding.

Everything worked fine until I tried to bind mount an NFS disk (mounted on the host) into the container with uid=33 gid=33. What is curious, everything worked for a while but then a user reported that he cannot access that disk. And indeed, it was now mounted in the container as nobody uid/gid.

In the process of debugging, I removed the bind mount and rebooted the container. After reboot su stopped working:

setgid: Operation not permitted

I have rebooted the container and done lxd init --auto but nothing works. I have several almost identical containers where su definitely works.

As this is a production container I am in a state of panic. Please help!

$ lxc config show nutslxc --expanded
architecture: x86_64
config:
  boot.autostart: "1"
  image.architecture: amd64
  image.description: Ubuntu bionic amd64 (20190118_07:43)
  image.os: Ubuntu
  image.release: bionic
  image.serial: "20190118_07:43"
  raw.idmap: |
    uid 42000 0
    gid 42000 0
    uid 1100 1100
    gid 1100 1100
  volatile.base_image: 0c82dce424ee4180b461439b35482c1dac67737ef7999a92099a3f9cecca527b
  volatile.eth0.hwaddr: 00:16:3e:3f:5e:f8
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":true,"Hostid":42000,"Nsid":0,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":100001,"Nsid":1,"Maprange":1099},{"Isuid":true,"Isgid":true,"Hostid":1100,"Nsid":1100,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":101101,"Nsid":1101,"Maprange":998899},{"Isuid":true,"Isgid":true,"Hostid":42000,"Nsid":0,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":100001,"Nsid":1,"Maprange":1099},{"Isuid":true,"Isgid":true,"Hostid":1100,"Nsid":1100,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":101101,"Nsid":1101,"Maprange":998899}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":true,"Hostid":42000,"Nsid":0,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":100001,"Nsid":1,"Maprange":1099},{"Isuid":true,"Isgid":true,"Hostid":1100,"Nsid":1100,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":101101,"Nsid":1101,"Maprange":998899},{"Isuid":true,"Isgid":true,"Hostid":42000,"Nsid":0,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":100001,"Nsid":1,"Maprange":1099},{"Isuid":true,"Isgid":true,"Hostid":1100,"Nsid":1100,"Maprange":1},{"Isuid":true,"Isgid":true,"Hostid":101101,"Nsid":1101,"Maprange":998899}]'
  volatile.last_state.power: RUNNING
devices:
  eth0:
    name: eth0
    nictype: bridged
    parent: lxdbr0
    type: nic
  home-nutslxc:
    path: /home
    source: /srv/raid/homes/nutslxc
    type: disk
  nutslxcshare:
    path: /not_lp
    source: /srv/tuorla_01/not_lp
    type: disk
  root:
    path: /
    pool: lxdpool1
    type: disk
  shared-nutslxc:
    path: /srv/shared
    source: /srv/raid/homes/shared
    type: disk
  ssd-nutslxc:
    path: /srv/ssd
    source: /srv/ssd/nutslxc
    type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""

(Kaj Wiik) #2

A bit more information: the owner of some files has changed to x + 100000 where x = 42000 (the base root uid & gid).

This is even though I have in /etc/sub[gu]id

lxd:42000:1
root:42000:1

and raw.idmap

uid 42000 0
gid 42000 0

And only some of the files under /, why?
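The two posts above turn on the same arithmetic: the entries in volatile.idmap.next and raw.idmap decide which host uid/gid backs each container id, a host id outside every range shows up inside the container as the kernel overflow id (nobody/nogroup, 65534), and a raw.idmap line is only valid if /etc/subuid and /etc/subgid grant that host id to the user running LXD. The script below is an added example written for this thread, not LXD's code or the poster's: it parses the idmap JSON shape shown in the config above (the field names Isuid, Isgid, Hostid, Nsid, Maprange are taken from it), translates ids in both directions, lists host-side file owners that the container would render as nobody, and checks raw.idmap lines against sub*id. The function names and the sample file-owner list are constructed for illustration, and the raw.idmap checker handles single ids only, not LXD's `start-end` range syntax.

```python
import json

# Constructed sample in the shape LXD stores under volatile.idmap.next.
# The values copy the thread's config; the script itself is not LXD's code.
SAMPLE_IDMAP_JSON = json.dumps([
    {"Isuid": True,  "Isgid": True,  "Hostid": 42000,  "Nsid": 0,    "Maprange": 1},
    {"Isuid": True,  "Isgid": False, "Hostid": 100001, "Nsid": 1,    "Maprange": 1099},
    {"Isuid": True,  "Isgid": True,  "Hostid": 1100,   "Nsid": 1100, "Maprange": 1},
    {"Isuid": True,  "Isgid": True,  "Hostid": 101101, "Nsid": 1101, "Maprange": 998899},
    {"Isuid": False, "Isgid": True,  "Hostid": 100001, "Nsid": 1,    "Maprange": 1099},
])

# Constructed /etc/subuid (and /etc/subgid) content and raw.idmap text, copied from the thread.
SAMPLE_SUBID = "lxd:42000:1\nroot:42000:1\n"
SAMPLE_RAW_IDMAP = "uid 42000 0\ngid 42000 0\n"

# Kernel overflowuid/overflowgid: what an id with no mapping appears as (nobody/nogroup).
OVERFLOW_ID = 65534


def parse_idmap(text):
    """Split LXD idmap JSON into uid and gid entry lists of (nsid, hostid, count)."""
    uids, gids = [], []
    for entry in json.loads(text):
        triple = (entry["Nsid"], entry["Hostid"], entry["Maprange"])
        if entry["Isuid"]:
            uids.append(triple)
        if entry["Isgid"]:
            gids.append(triple)
    return uids, gids


def ns_to_host(entries, nsid):
    """Host id backing a container id, or None if the container id is unmapped."""
    for ns, host, count in entries:
        if ns <= nsid < ns + count:
            return host + (nsid - ns)
    return None


def host_to_ns(entries, hostid):
    """Container view of a host id; an unmapped host id is shown as OVERFLOW_ID."""
    for ns, host, count in entries:
        if host <= hostid < host + count:
            return ns + (hostid - host)
    return OVERFLOW_ID


def unmapped_owners(entries, host_owners):
    """From (path, host_id) pairs, return the ones the container would show as nobody."""
    return [(path, hid) for path, hid in host_owners
            if host_to_ns(entries, hid) == OVERFLOW_ID]


def parse_subid(text):
    """Parse /etc/subuid or /etc/subgid ('user:start:count') into {user: [(start, count)]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        ranges.setdefault(user, []).append((int(start), int(count)))
    return ranges


def raw_idmap_uncovered(raw_idmap, subuid_text, subgid_text, user="root"):
    """raw.idmap lines ('uid|gid|both HOST NS', single ids only in this example)
    whose host id is not granted to `user` by /etc/subuid or /etc/subgid."""
    tables = {"uid": parse_subid(subuid_text), "gid": parse_subid(subgid_text)}
    problems = []
    for line in raw_idmap.strip().splitlines():
        kind, host, _ns = line.split()
        host = int(host)
        kinds = ["uid", "gid"] if kind == "both" else [kind]
        for k in kinds:
            if not any(s <= host < s + c for s, c in tables[k].get(user, [])):
                problems.append(line)
                break
    return problems


if __name__ == "__main__":
    uids, gids = parse_idmap(SAMPLE_IDMAP_JSON)
    for nsid in (0, 33, 1100, 42000):
        print(f"container uid {nsid:>6} -> host uid {ns_to_host(uids, nsid)}")
    for hostid in (33, 100033, 142000):
        print(f"host uid {hostid:>7} -> container uid {host_to_ns(uids, hostid)}")
    # Constructed host-side owners: one inside the mapped range, one outside it.
    print("owners shown as nobody:",
          unmapped_owners(uids, [("/not_lp/a", 100033), ("/not_lp/b", 33)]))
    print("raw.idmap lines not backed by sub*id:",
          raw_idmap_uncovered(SAMPLE_RAW_IDMAP, SAMPLE_SUBID, SAMPLE_SUBID))
```

Run against the thread's own map this prints that container uid 0 is host uid 42000, that host uid 142000 (the x + 100000 value from the second post) is what the container sees as uid 42000, and that a host-side owner of 33 lies outside every range and is therefore shown as nobody. It also confirms the two raw.idmap lines are covered by the root:42000:1 entries in sub*id, so a mismatch there is not what this config exhibits.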