On Tue, Nov 08, 2016 at 03:00:48AM +0000, Christian Tardif wrote:
> Hi,
>
> I just faced a strange issue with LXD containers. I'm using them quite
> extensively, but never faced that before. Normally, the userIDs that are
> presented to the container (they're coming from SSSD with ActiveDirectory
> backend) are relatively low... 2000, 3000, that kind of IDs
>
> Last Friday, at the office, I built two containers (Ubuntu 16.04, CentOS
> 7.1) with the same kind of configuration regarding authentication; SSSD. And
> I noticed that I wasn't able to log in via SSH. But one of my colleagues was
> able to. We re-checked the config, just to make sure (but at the same time,
> it was impossible for this config to fail, as it is presented to the servers
> via Puppet. So the same config, and on the same OS level as other installs
> (we have numerous Ubuntu 16.04 with the same config, but the first one on
> LXD containers).
>
> We were trying to find out what piece was missing when we discovered that this
> is not just the logging that fails, but everything related to these high
> UserIDs. They are coming from a calculation based on Windows SIDs for the
> user, which gives a huge range of userIDs, from a few thousands to tens, if
> not hundreds of thousands. So with my user, I can't set a permission with it,
> and I can't login. In fact, I don't exist with this user other than using
> "getent passwd", or "id".
>
> What can be the cause? Something to do with namespaces, maybe? cgroups?
>
> We're in the dark. And until we can solve this, LXD containers aren't that
> helpful to us, unfortunately.
> --------------------------------------------------------------------------------
> Christian Tardif

Hey there,

By default LXD uses a range of 65536 uid and gid as the user namespace map
for the containers. This means that only uid 0 through 65536 exist in your
container, anything outside of that will be treated as invalid by the kernel.

sssd and similar authentication mechanisms will typically use uids/gids
above that POSIX range and so require you to grow the default map size in
/etc/subuid and /etc/subgid.

On the systems I use with sssd I typically just bump the allocation for lxd
and root in /etc/subuid and /etc/subgid from 65536 to 1000000 which takes
care of that problem.

-- 
Stéphane Graber
Ubuntu developer
http://www.ubuntu.com
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
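
The check described in the reply above, as an added example that is not part of the original thread and is not LXD's own code: it tests whether a uid falls inside a user namespace map (the kernel's `/proc/<pid>/uid_map` layout) and whether a `/etc/subuid`-style allocation is large enough for it. The host start id 100000, the uid 345678 and the sample files are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. All sample maps, allocations and uids below are constructed.

# uid_in_map MAPFILE ID
# MAPFILE uses the kernel's /proc/<pid>/uid_map layout, one range per line:
#   <first id inside namespace> <first id on host> <length>
# Prints the host id that ID maps to; returns 1 if no range covers ID.
uid_in_map() {
    awk -v id="$2" '
        BEGIN { id += 0 }
        id >= $1 && id < $1 + $3 { print $2 + (id - $1); found = 1; exit }
        END { exit !found }
    ' "$1"
}

# subid_fits SUBIDFILE NAME MAXID
# SUBIDFILE uses the /etc/subuid layout (name:start:count). Returns 0 when
# NAME has an allocation with count > MAXID. Assumption: the container map
# starts at id 0 and spans the whole allocation.
subid_fits() {
    awk -F: -v name="$2" -v max="$3" '
        BEGIN { max += 0 }
        $1 == name && $3 > max { ok = 1 }
        END { exit !ok }
    ' "$1"
}

demo=$(mktemp -d)
printf '0 100000 65536\n'   > "$demo/uid_map.default"
printf '0 100000 1000000\n' > "$demo/uid_map.grown"
printf 'lxd:100000:65536\nroot:100000:65536\n'     > "$demo/subuid.default"
printf 'lxd:100000:1000000\nroot:100000:1000000\n' > "$demo/subuid.grown"

for f in default grown; do
    for id in 2000 345678; do
        if host=$(uid_in_map "$demo/uid_map.$f" "$id"); then
            echo "$f map: uid $id -> host uid $host"
        else
            echo "$f map: uid $id is not mapped in the container"
        fi
    done
    subid_fits "$demo/subuid.$f" root 345678 \
        && echo "$f subuid: root allocation covers uid 345678" \
        || echo "$f subuid: root allocation too small for uid 345678"
done
```

On a real host, point `uid_in_map` at `/proc/<pid>/uid_map` of a process running in the container and `subid_fits` at `/etc/subuid` (the same logic applies to `gid_map` and `/etc/subgid`).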
