Hi David.

> 2) Unsure what you're attempting to accomplish modifying idmaps + restarting
> LXD. Maybe you're attempting to defeat container security.
>
> A better way to do this is...
>
> lxc config set cname security.privileged true
> lxc restart cname

I didn't understand this suggestion earlier because I assumed I wasn't trying to "defeat container security". Basically, your suggestion was the solution to my problem. Making it a privileged container allows me to perform a chown mysql:mysql within the container now since it's the same mysql:mysql of the host.

However, I am wondering... using 'security.privileged true' makes the host root available within the container, right? Since this is just a development environment, it doesn't matter to me... but would this be dangerous in a production system? If so, is there a way to do this for just the one mysql:mysql?

Just curious... but my problem is solved now. I should have tried your suggestion right away. Thank you so much for the assistance.

On Mon, Jul 9, 2018 at 5:35 PM, David Favor <[email protected]> wrote:
> Tony P wrote:
>>
>> What's the correct way to share the mysql/mariadb data dir of the host
>> system to a container and map the permissions correctly? I have been
>> struggling with this for a couple of days. I'm sorry if this question has
>> been asked before, but I have searched thoroughly and not been able to find
>> the solution yet. Basically what I have done so far:
>>
>> Install mariadb-server on both host and container and:
>>
>> $ printf "lxd:$(id -u mysql):1\nroot:$(id -u mysql):1\n" | sudo tee -a /etc/subuid
>> $ printf "lxd:$(id -g mysql):1\nroot:$(id -g mysql):1\n" | sudo tee -a /etc/subgid
>> $ sudo systemctl restart lxd
>> $ printf "uid $(id -u mysql) 1000\ngid $(id -g mysql) 1000" | lxc config set $CONTAINER_NAME raw.idmap -
>> $ lxc restart $CONTAINER_NAME
>> $ sudo lxc config device add $CONTAINER_NAME mysql disk source=/var/lib/mysql path=/var/lib/mysql
>>
>> Unfortunately, this breaks the container and prevents it from starting
>> since the mapping isn't allowed.
>>
>> $ sudo lxc info --show-log ub1804x64-3
>>
>> Name: ub1804x64-3
>> Remote: unix://
>> Architecture: x86_64
>> Created: 2018/07/09 15:30 UTC
>> Status: Stopped
>> Type: persistent
>> Profiles: default
>>
>> Log:
>>
>> lxc ub1804x64-3 20180709154554.682 ERROR lxc_conf - conf.c:lxc_map_ids:2919 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [114-115) not allowed": newuidmap 6725 0 100000 1000 1000 114 1 1001 101001 64535
>> lxc ub1804x64-3 20180709154554.682 ERROR lxc_start - start.c:lxc_spawn:1661 - Failed to set up id mapping.
>> lxc ub1804x64-3 20180709154554.755 WARN lxc_network - network.c:lxc_delete_network_priv:2607 - Failed to remove interface "veth38DOB9" from "lxdbr0": Invalid argument
>> lxc ub1804x64-3 20180709154554.755 ERROR lxc_container - lxccontainer.c:wait_on_daemonized_start:834 - Received container state "ABORTING" instead of "RUNNING"
>> lxc ub1804x64-3 20180709154554.756 ERROR lxc_start - start.c:__lxc_start:1887 - Failed to spawn container "ub1804x64-3"
>> lxc 20180709154554.775 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to receive response for command "get_state"
>>
>> I'm basically following this article
>> (https://stgraber.org/2017/06/15/custom-user-mappings-in-lxd-containers/)
>> written by Stéphane Graber (the super awesome primary LXD developer) to
>> achieve this. I'll admit that I don't fully understand what's going on here;
>> if someone could help me understand my mistake a bit better, I'd really
>> appreciate it. I have a feeling I have the range wrong (1000?). I previously
>> attempted doing the same by manually adding the mysql user/group and trying
>> to map those (instead of installing mysql), but that also didn't work out
>> (same error). This is what I tried before trying the mapping:
>>
>> $ sudo groupadd mysql
>> $ sudo useradd -r -g mysql mysql
>>
>> I also tried with:
>>
>> $ printf "both $(id -u mysql) $(id -u mysql)" | lxc config set $CONTAINER_NAME raw.idmap -
>>
>> Then the error I get is:
>>
>> $ sudo lxc info --show-log tmp3
>>
>> Name: tmp3
>> Remote: unix://
>> Architecture: x86_64
>> Created: 2018/07/09 20:32 UTC
>> Status: Stopped
>> Type: persistent
>> Profiles: default
>>
>> Log:
>>
>> lxc tmp3 20180709204423.805 ERROR lxc_conf - conf.c:lxc_map_ids:2919 - newgidmap failed to write mapping "newgidmap: gid range [114-115) -> [114-115) not allowed": newgidmap 30081 114 114 1 0 100000 114 115 100115 65421
>> lxc tmp3 20180709204423.805 ERROR lxc_start - start.c:lxc_spawn:1661 - Failed to set up id mapping.
>> lxc tmp3 20180709204423.876 WARN lxc_network - network.c:lxc_delete_network_priv:2607 - Failed to remove interface "vethYL869L" from "lxdbr0": Invalid argument
>> lxc tmp3 20180709204423.876 ERROR lxc_container - lxccontainer.c:wait_on_daemonized_start:834 - Received container state "ABORTING" instead of "RUNNING"
>> lxc tmp3 20180709204423.877 ERROR lxc_start - start.c:__lxc_start:1887 - Failed to spawn container "tmp3"
>> lxc 20180709204423.897 WARN lxc_commands - commands.c:lxc_cmd_rsp_recv:130 - Connection reset by peer - Failed to receive response for command "get_state"
>>
>> I'm using LXD 3.0.1 running on host Ubuntu 18.04 amd64 and testing with an
>> Ubuntu 18.04 amd64 container.
>>
>> Thanks for your help in advance!!
>
> Things to keep in mind.
>
> 1) If you end up with a machine level instance of MariaDB running along
> with a container level instance of MariaDB running with a shared
> /var/lib/mysql, then all your data will be corrupt.
>
> Likely best to have a machine level database directory named
> something different than /var/lib/mysql, in case you ever accidentally
> install a machine level version of mariadb-server packages.
>
> 2) Unsure what you're attempting to accomplish modifying idmaps + restarting
> LXD. Maybe you're attempting to defeat container security.
>
> A better way to do this is...
>
> lxc config set cname security.privileged true
> lxc restart cname
>
> 3) All this said, likely be useful for you to describe your target
> objective.
>
> Likely knowing this, someone has already accomplished what you're trying
> to accomplish + will have some good suggestions.
>
> 4) Keep in mind, depending on how you finalize all this, container
> remote move + copy operations may fail to clone your database data.
>
> Even if you do end up with a /var/lib/mysql in your newly created
> remote container, you'll likely lose your machine/container
> filesystem mapping.
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users
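An added example (my own code, not from the thread or from LXD): a small Python checker that applies the rule behind the "not allowed" errors from newuidmap/newgidmap in the logs above, so a raw.idmap line can be validated against /etc/subuid and /etc/subgid before restarting the container. It assumes the mysql uid/gid 114 seen in the logs and uses constructed subuid/subgid contents; unlike security.privileged, which maps container root onto host root, a correct raw.idmap grant exposes only that one host id to the container.

```python
# Added example, not from the thread: mimics the rule newuidmap/newgidmap apply when LXD
# writes a container's id map. Constructed /etc/subuid: LXD's default root range plus the
# single-uid grant the thread's commands append (mysql uid 114 is taken from the log).
SUBUID_SAMPLE = """root:100000:65536
lxd:100000:65536
root:114:1
"""
# Constructed /etc/subgid without the 114 grant, reproducing the thread's second failure.
SUBGID_SAMPLE = """root:100000:65536
lxd:100000:65536
"""

def parse_subid(text):
    """Parse 'user:start:count' lines into {user: [(start, end_exclusive), ...]}."""
    grants = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        grants.setdefault(user, []).append((int(start), int(start) + int(count)))
    return grants

def parse_raw_idmap(text):
    """Parse LXD raw.idmap lines 'uid|gid|both <host> <container>' (single ids or a-b
    ranges) into (kind, host_start, container_start, count); 'both' yields uid and gid."""
    def span(field):
        lo, _, hi = field.partition("-")
        return int(lo), int(hi or lo)
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kind, host, cont = line.split()
        (h0, h1), (c0, c1) = span(host), span(cont)
        if kind not in ("uid", "gid", "both") or h1 - h0 != c1 - c0:
            raise ValueError(f"bad raw.idmap line: {line!r}")
        for k in (("uid", "gid") if kind == "both" else (kind,)):
            entries.append((k, h0, c0, h1 - h0 + 1))
    return entries

def check_idmap(entries, subuid_text, subgid_text, user="root"):
    """Flag each entry allowed only if its host range [host, host+count) sits inside one
    range granted to `user` (LXD runs as root). Simplified: newuidmap's own-uid exception
    and LXD's extra read of the 'lxd' user's grants are ignored."""
    grants = {"uid": parse_subid(subuid_text).get(user, []),
              "gid": parse_subid(subgid_text).get(user, [])}
    return [(kind, host, cont, count,
             any(lo <= host and host + count <= hi for lo, hi in grants[kind]))
            for kind, host, cont, count in entries]
```

Run check_idmap on the real /etc/subuid and /etc/subgid contents with the raw.idmap you intend to set; an entry reported False is the one newuidmap or newgidmap will refuse at container start.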
