Hello everyone, I have a problem with containers. I am using Arch Linux, I have complete sudo access to all servers, laptops and VMs which are part of the same server that I work on. Surprisingly I don't have sudo access on containers! I am in the admin and sudoers groups but it just doesn't let me run any command with sudo, and shows me this error: Sorry, user <Name> may not run sudo on <name of the container>
When I run id, it shows my uid but not my uid as an admin (groups: admin), which I guess can be a problem with user identifiers inside the container.
Any idea?
Thanks in advance
Are you accessing the instance with lxc shell $instance, lxc exec $instance -- bash or some lxc exec variant?
Yes, I have access to the instance's bash by: sudo lxc exec $instance -- bash
Once in the instance with that command, you can probably switch to your “normal” user using su - $user. This will ensure that the $user gets its supplementary groups (like the admin one) configured. The supplementary group handling is not happening when you simply lxc exec into an instance.
I tried that too, it didn't help. I switched to my user and it still doesn't let me run any command with sudo. By the way, the admin group should give me full access, and when I check it with getent group | grep admin my user is there! But still it doesn't let me run sudo.
If id | grep -Fw admin works, maybe the issue is with the sudoers rule?
It can't be, because they work fine with VMs, servers and laptops. My guess is about ID mapping. I found this which I believe causes the problem:
❯ cat /etc/lxc/default.conf
lxc.net.0.type = empty
lxc.idmap = u 0 100000 2000000000
lxc.idmap = g 0 100000 2000000000
❯ cat /etc/subuid
root:100000:2000000000
admin:100000:2000000000
❯ cat /etc/subgid
root:100000:2000000000
admin:100000:2000000000
I changed them to 100000:65536 but I got an error when I tried to restart the container.
The LXD snap doesn't use /etc/subuid nor /etc/subgid so I don't think that's related.
When I run id it should show me 7 ids: uid, gid, groups (5 different groups). But inside the container it just shows me 5 different ids: uid, gid, groups (3 different groups). One of the groups that is missing is the admin group, which gives me sudo privileges, while as I said getent shows me that I am in the admin group.
I am using network authentication, can it be the problem?
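One way to pin down the discrepancy described in the post above (getent lists the user in a group that the running session's id output lacks) is to diff the two directly. This is an added shell example, not code from the thread; the group database lines and the user names in it are constructed sample data.

```shell
# Added example: compare the supplementary groups the current session actually
# has (what `id -Gn` prints) with the groups the name service says the user
# belongs to (what `getent group` lists), and report the ones that are missing.
# A non-empty result is the symptom from the thread: the group exists in the
# database but the login/exec path never applied it to the process.

# missing_groups USER "GROUPS_IN_SESSION" GROUP_DB
#   GROUPS_IN_SESSION: space-separated names, e.g. "$(id -Gn)"
#   GROUP_DB: getent-style lines "name:x:gid:member1,member2"
missing_groups() {
    user=$1
    session_groups=$2
    group_db=$3
    missing=""
    while IFS=: read -r gname _ _ members; do
        [ -n "$gname" ] || continue
        # Is USER listed in this group's member field?
        case ",$members," in
            *",$user,"*) ;;
            *) continue ;;
        esac
        # Is the group present in the running session?
        case " $session_groups " in
            *" $gname "*) ;;
            *) missing="${missing:+$missing }$gname" ;;
        esac
    done <<EOF
$group_db
EOF
    printf '%s\n' "$missing"
}

# Constructed sample: a getent-style group database and a session that, like
# the one in the thread, lacks the admin group although the user is a member.
SAMPLE_GROUP_DB='root:x:0:
wheel:x:998:
admin:x:1001:alice,bob
docker:x:999:alice
users:x:100:alice'
SAMPLE_SESSION_GROUPS="alice users docker"

# Real use, run once on the host and once inside the container to compare:
#   missing_groups "$(id -un)" "$(id -Gn)" "$(getent group)"
```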
It looks like the problem you are facing is a configuration issue more than a container/LXD problem.
I actually found a way to add myself to the admins group which gives me sudo access by: newgrp admins. It even doesn't need sudo. But the problem is that every time I log in and log out I lose my access and I have to do it again.
It looks like a timing problem. When I log in it doesn't understand I am in that group, but afterwards, because I am in the group, I can add myself easily. Still looking for a way to make it permanent.
Hi,
I am not familiar with Arch Linux, and if I understand the post well, you can achieve it like that.
In the container:
useradd admin -m -s /bin/bash --> create admin user
usermod -aG wheel admin --> add admin user to the wheel group
passwd admin --> assign a password to the admin user
Then, modify the /etc/sudoers file with visudo and uncomment the wheel line, save and exit.
When you access the container like that: lxc shell <container_name> -- su admin
you can do whatever you want with the admin user after entering the password. I hope I understood and replied with the correct answer.
Regards.
It actually solved my problem. I added myself to wheel. But I couldn't find out the reason why I didn't have sudo access before that, because I was in admins and admins was in wheel.