Again, you solved my problems :-)
That did the job. I have been struggling with this problem over the
weekend, without any path to this. I understand that this is a
Linux-related "issue", and not at all directly related to LXD. I'll
remember that!
On another idea... do you have any plan to support IPVLAN directly in
LXD? For our use case (we're deploying LXC containers inside OpenStack
instances), the only viable way without too much hassle on the
networking side is to use IPVLAN but, right now, this requires having
pre-populated IPVLAN network devices outside of the LXD environment.
---
Christian Tardif
-------------------------
On 2016-11-08 00:11, Stéphane Graber wrote:
On Tue, Nov 08, 2016 at 03:00:48AM +0000, Christian Tardif wrote:
Hi,
I just faced a strange issue with LXD containers. I'm using them quite extensively, but never faced that before. Normally, the user IDs that are presented to the container (they're coming from SSSD with an Active Directory backend) are relatively low... 2000, 3000, that kind of IDs.

Last Friday, at the office, I built two containers (Ubuntu 16.04, CentOS 7.1) with the same kind of configuration regarding authentication: SSSD. And I noticed that I wasn't able to log in via SSH. But one of my colleagues was able to. We re-checked the config, just to make sure (but at the same time, it was impossible for this config to fail, as it is presented to the servers via Puppet). So the same config, and on the same OS level as other installs (we have numerous Ubuntu 16.04 with the same config, but the first one on LXD containers).

We were trying to find out what piece was missing when we discovered that it is not just the login that fails, but everything related to these high user IDs. They are coming from a calculation based on Windows SIDs for the user, which gives a huge range of user IDs, from a few thousand to tens, if not hundreds, of thousands. So with my user, I can't set a permission with it, and I can't log in. In fact, I don't exist with this user other than via "getent passwd", or "id".

What can be the cause? Something to do with namespaces, maybe? cgroups?

We're in the dark. And until we can solve this, LXD containers aren't that helpful to us, unfortunately.
--------------------------------------------------------------------------------
Christian Tardif
Hey there,
By default LXD uses a range of 65536 uid and gid as the user namespace
map for the containers.
This means that only uid 0 through 65536 exist in your container,
anything outside of that will be treated as invalid by the kernel.
sssd and similar authentication mechanisms will typically use uids/gids
above that POSIX range and so require you to grow the default map size
in /etc/subuid and /etc/subgid.
On the systems I use with sssd I typically just bump the allocation for
lxd and root in /etc/subuid and /etc/subgid from 65536 to 1000000 which
takes care of that problem.
_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
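The fix in Stéphane's reply (widening the root and lxd allocations in /etc/subuid and /etc/subgid from 65536 to 1000000 ids) as an added shell example. This is not code from the thread or from LXD; it models the map LXD builds from those files and checks whether a given container uid falls inside it. The file contents, the user name lxd, the start offset 100000 and the SID-derived uid 234567 are constructed sample values, not taken from the poster's systems.

```shell
#!/bin/sh
# Added example, not from the thread or from LXD. It models LXD's default
# user namespace map (one contiguous block of ids taken from /etc/subuid
# and /etc/subgid) and shows why a SID-derived uid is invisible inside
# the container until the allocation is widened.

# Constructed sample of /etc/subuid with the default 65536-id allocation
# (the same content would normally appear in /etc/subgid).
SAMPLE_SUBUID='root:100000:65536
lxd:100000:65536'

# Print "start count" for user $1 from subuid-style text on stdin
# (lines are user:start:count). Prints nothing if the user has no entry.
subid_range() {
    awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# Succeed (exit 0) if container id $1 lies inside a map of $2 ids.
# Only 0..count-1 exist in the container; the kernel rejects anything else.
id_is_mapped() {
    [ "$1" -ge 0 ] && [ "$1" -lt "$2" ]
}

# Host-side id that container id $1 is mapped to, given map start $2.
host_id() {
    echo $(( $2 + $1 ))
}

# Rewrite subuid-style text on stdin so that user $1 gets count $2.
# Lines for other users are left untouched.
grow_subid() {
    awk -F: -v OFS=: -v u="$1" -v n="$2" '$1 == u { $3 = n } { print }'
}

# For user $1 and container id $2, read the map from stdin and report
# "mapped to host id N" (exit 0) or "unmapped ..." (exit 1).
check_id() {
    range=$(subid_range "$1")
    [ -n "$range" ] || { echo "no entry for $1"; return 1; }
    start=${range% *}
    count=${range#* }
    if id_is_mapped "$2" "$count"; then
        echo "mapped to host id $(host_id "$2" "$start")"
    else
        echo "unmapped (map is only $count ids wide)"
        return 1
    fi
}

# Demonstration: a constructed SID-derived uid from SSSD/AD, above 65536
# but within the "tens to hundreds of thousands" range described above.
AD_UID=234567

# With the default allocation the uid does not exist in the container.
printf '%s\n' "$SAMPLE_SUBUID" | check_id lxd "$AD_UID" || true

# Widen root's and lxd's allocations to 1000000 ids, as in the reply.
WIDENED=$(printf '%s\n' "$SAMPLE_SUBUID" | grow_subid root 1000000 | grow_subid lxd 1000000)
printf '%s\n' "$WIDENED"
printf '%s\n' "$WIDENED" | check_id lxd "$AD_UID"
```

Two things to check before applying such a change on a real host: the widened block (here host ids 100000 through 1099999) must not overlap any other user's entry in /etc/subuid or /etc/subgid, and 1000000 is only enough if the ids SSSD actually hands out stay below it; the idmap slice is controlled by ldap_idmap_range_min and ldap_idmap_range_size in sssd.conf, so size the map to those values rather than to the round number. LXD applies the new map when the containers are next started, shifting their filesystems to the new range.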