Thank you, Dirk, for your response. It was a permission issue and, as you suggested, I corrected the permissions to give the unprivileged user full access to the container's rootfs, and it started working.

Thanks again,
Yasoda

---------- Forwarded message ----------
> From: Yasoda Padala <[email protected]>
> To: [email protected]
> Cc:
> Bcc:
> Date: Tue, 21 Aug 2018 15:37:49 +0530
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??
> Hi Xavier,
> Thank you for your response.
> I even tried with a bigger range, but still no luck.
>
> In the 1st container (cont1) config:
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
>
> and in the 2nd container (cont2) config:
> lxc.id_map = u 0 101500 1000
> lxc.id_map = g 0 101500 1000
>
> I get the same error:
>
> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
> lxc-start 20180817035100.984 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".
> lxc-start 20180817035100.984 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
> lxc-start 20180817035100.985 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
> lxc-start 20180817035106.524 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>
> If I try something like below:
> in the 1st container (cont1) config:
> lxc.id_map = u 0 100000 1000
> lxc.id_map = g 0 100000 1000
>
> and in the 2nd container (cont2) config:
> lxc.id_map = u 0 100000 2000
> lxc.id_map = g 0 100000 2000
>
> it works, but on the host both containers created by my lxcuser have the same userid, which is 100000. Hence it is not possible to identify each container uniquely on the host machine.
>
> My query is: is there any way a non-root user can create various containers such that each container has a unique UserId on the host machine ??
>
> Thanks for your help,
> Yasoda
>
> From: Xavier Gendre <[email protected]>
> To: [email protected]
> Cc:
> Bcc:
> Date: Mon, 20 Aug 2018 09:24:31 +0200
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??
> Hi Yasoda,
>
> only 10 ids is a bit short for a container. You should increase this number to cover at least the system ids 0-999. Depending on the distribution you run in your containers, you can be sharper and only involve the needed ids, but they all have to be covered.
>
> Xavier
>
>> On Fri, Aug 17, 2018 at 9:34 AM Yasoda Padala <[email protected]> wrote:
>>
>>> Hi All,
>>> I have created a non-root user on my Ubuntu (16.04) machine who creates unprivileged LXC containers.
>>> My user's uid/gid on the host is 1000,
>>> and below are the entries in the /etc/subuid & /etc/subgid files
>>>
>>> /etc/subuid:
>>> lxcuser:100000 65536
>>>
>>> /etc/subgid:
>>> lxcuser:100000:65536
>>>
>>> My requirement is that for each LXC unprivileged container, I should be able to pick a UID/GID range.
>>> For instance, I have created two LXC containers, cont1 and cont2.
>>> In the cont1 config, I have added the below id mappings
>>> lxc.id_map = u 0 100000 10
>>> lxc.id_map = g 0 100000 10
>>>
>>> and in the cont2 config file, I have added the below id mappings
>>> lxc.id_map = u 0 100020 10
>>> lxc.id_map = g 0 100020 10
>>>
>>> cont1 starts successfully but cont2 gives the below error while starting the container
>>>
>>> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>>> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:setup_rootfs:1220 - Failed to mount rootfs "/home/oxpd/.local/share/lxc/uidranges/rootfs" onto "/usr/lib/x86_64-linux-gnu/lxc" with options "(null)".
>>> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:do_rootfs_setup:3899 - failed to setup rootfs for 'uidranges'
>>> lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:lxc_setup:3981 - Error setting up rootfs mount after spawn
>>> lxc-start 20180817035100.984 ERROR lxc_start - start.c:do_start:811 - Failed to setup container "uidranges".
>>> lxc-start 20180817035100.984 ERROR lxc_sync - sync.c:__sync_wait:57 - An error occurred in another process (expected sequence number 3)
>>> lxc-start 20180817035100.985 ERROR lxc_start - start.c:__lxc_start:1358 - Failed to spawn container "uidranges".
>>> lxc-start 20180817035106.524 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>>> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
>>> lxc-start 20180817035106.525 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>>>
>>> My understanding is that lxcuser, who has been assigned the id range 100000-165536, can assign distinct subuid/gid ranges for each container spawned by lxcuser.
>>>
>>> Is my understanding correct ?? I am not finding any reference documents for custom user mappings for LXC unprivileged containers.
>>>
>>> Any help on this is highly appreciated.
>>>
>>> Thanks & Regards,
>>>
>>> Yasoda

---------- Forwarded message ----------
> From: Dirk Geschke <[email protected]>
> To: LXC users mailing-list <[email protected]>
> Cc:
> Bcc:
> Date: Tue, 21 Aug 2018 13:39:08 +0200
> Subject: Re: [lxc-users] How can a non-root user assign unique UID/GID range for LXC unprivileged containers ??
> Hi Yasoda,
>
> > get the same error
> >
> > lxc-start 20180817035100.984 ERROR lxc_conf - conf.c:mount_rootfs:798 - Permission denied - Failed to get real path for "/home/oxpd/.local/share/lxc/uidranges/rootfs".
>
> can you check the directory permissions for
>
> /home/oxpd/.local/share/lxc/uidranges
>
> I think they should be owned by the LXC root, but the group should be yours and the mode 770; the group must have full access. Otherwise the unprivileged user can't access his own container configuration.
>
> Best regards
>
> Dirk
>
> --
> +----------------------------------------------------------------------+
> | Dr. Dirk Geschke / Plankensteinweg 61 / 85435 Erding |
> | Telefon: 08122-559448 / Mobil: 0176-96906350 / Fax: 08122-9818106 |
> | [email protected] / [email protected] / [email protected] |
> +----------------------------------------------------------------------+
>
> _______________________________________________
> lxc-users mailing list
> [email protected]
> http://lists.linuxcontainers.org/listinfo/lxc-users

_______________________________________________
lxc-users mailing list
[email protected]
http://lists.linuxcontainers.org/listinfo/lxc-users
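An added example (not part of the thread, and not LXC's own tooling) that checks the kind of per-container lxc.id_map settings discussed above against the user's /etc/subuid allocation: each map must fit inside the allocation, cover at least ids 0-999 as Xavier notes, and not share host ids with another container's map, which is why the 100000/2000 map left both containers' root as host uid 100000. The subuid line and the cont1, cont2, cont3 and tiny config files are constructed in a temporary directory; the user name lxcuser and the ranges come from the thread.

```shell
#!/bin/sh
# Constructed sample data standing in for /etc/subuid and ~/.local/share/lxc/*/config.
# cont1/cont2 are Yasoda's non-overlapping maps, cont3 the 2000-wide map that
# overlaps cont1, tiny the original 10-id map. The temp dir is left in place.
WORK=$(mktemp -d)
printf 'lxcuser:100000:65536\n' > "$WORK/subuid"
for c in cont1 cont2 cont3 tiny; do mkdir -p "$WORK/$c"; done
printf 'lxc.id_map = u 0 100000 1000\nlxc.id_map = g 0 100000 1000\n' > "$WORK/cont1/config"
printf 'lxc.id_map = u 0 101500 1000\nlxc.id_map = g 0 101500 1000\n' > "$WORK/cont2/config"
printf 'lxc.id_map = u 0 100000 2000\nlxc.id_map = g 0 100000 2000\n' > "$WORK/cont3/config"
printf 'lxc.id_map = u 0 100020 10\nlxc.id_map = g 0 100020 10\n' > "$WORK/tiny/config"

# host_alloc USER SUBUID_FILE -> "start count" allocated to USER in the subuid/subgid file
host_alloc() { awk -F: -v u="$1" '$1==u {print $2, $3; exit}' "$2"; }

# map_range CONFIG KIND -> "hoststart count" of the first "lxc.id_map = KIND 0 hoststart count" line
map_range() { awk -v k="$2" '$1=="lxc.id_map" && $3==k {print $5, $6; exit}' "$1"; }

# check_map CONFIG KIND USER SUBUID_FILE
# rc 0: ok; 1: no allocation or no map found; 2: map narrower than ids 0-999;
# 3: map reaches outside the user's allocation (the kernel would reject it)
check_map() {
    alloc=$(host_alloc "$3" "$4"); m=$(map_range "$1" "$2")
    [ -n "$alloc" ] && [ -n "$m" ] || return 1
    a_start=${alloc% *}; a_count=${alloc#* }; m_start=${m% *}; m_count=${m#* }
    [ "$m_count" -ge 1000 ] || return 2
    [ "$m_start" -ge "$a_start" ] && [ $((m_start + m_count)) -le $((a_start + a_count)) ] || return 3
}

# maps_overlap CONFIG1 CONFIG2 KIND -> rc 0 if the two maps share any host id,
# i.e. the two containers cannot be told apart by host uid/gid
maps_overlap() {
    m1=$(map_range "$1" "$3"); m2=$(map_range "$2" "$3")
    s1=${m1% *}; c1=${m1#* }; s2=${m2% *}; c2=${m2#* }
    [ "$s1" -lt $((s2 + c2)) ] && [ "$s2" -lt $((s1 + c1)) ]
}

for c in cont1 cont2 cont3 tiny; do
    check_map "$WORK/$c/config" u lxcuser "$WORK/subuid"; echo "$c: uid map check rc=$?"
done
maps_overlap "$WORK/cont1/config" "$WORK/cont2/config" u && echo "cont1/cont2 overlap" || echo "cont1/cont2 distinct"
maps_overlap "$WORK/cont1/config" "$WORK/cont3/config" u && echo "cont1/cont3 overlap" || echo "cont1/cont3 distinct"
```

Dirk's point is a separate check this script does not make: the directory holding the rootfs must also be reachable by the unprivileged user and by the host uid its container root maps to, or lxc-start fails with the "Permission denied" seen above even when the ranges are valid.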
