[Pkg-shadow-devel] [test] newuidmap/newgidmap

Philippe Grégoire gregoirep at hotmail.com
Tue Jun 3 19:14:33 UTC 2014


On 2014-06-03 18:52:57 (+0000), Serge Hallyn wrote:
> Quoting Philippe Grégoire (gregoirep at hotmail.com):
> > 
> > TLDR; no easy solution. Either the /etc/subuid is in the kernel and we remove
> > the file. Or newuidmap reflects the kernel, and they must be kept in sync.
> 
> Allowed subuids represent policy which as much as possible belongs in
> userspace, not the kernel.
> 
> > I had to play with it because lxc is broken on Debian, and Ubuntu. Quickly, I
> > can create a container as an unprivileged user but running it produces:
> > 
> >   'Error creating container whatever'
> 
> serge at sergelap:~$ lxc-usernsexec
> # id
> uid=0(root) gid=0(root) groups=0(root)
> 
Hardly impressing...

> > which is, quite frankly, purely unsatisfying. What am I expected to do with that
> > error message? What am I supposed to investigate? Also, why would cgroups be
> > mandatory? etc. But that is another topic; and I am no longer interested in lxc
> > (version 1.x? -- please...).
> ...

Better! On sid ...

pg at p01:~$ sudo /bin/echo 1 > /proc/sys/kernel/unprivileged_userns_clone
pg at p01:~$ grep pg /etc/sub*id
pg:200000:65536
pg:200000:65536
pg at p01:~$ mkdir ~/.config/lxc
pg at p01:~$ printf "lxc.id_map = u 0 200000 65536\nlxc.id_map = g 0 200000 65536\n" > ~/.config/lxc/default.conf
pg at p01:~$ lxc-create -l DEBUG -o lxc.log -n whatever
Error creating container whatever
pg at p01:~$ cat lxc.log
     lxc-create 1401822796.086 INFO     lxc_utils - XDG_RUNTIME_DIR isn't set in the environment.
     lxc-create 1401822796.086 WARN     lxc_log - lxc_log_init called with log already initialized
     lxc-create 1401822796.086 INFO     lxc_confile - read uid map: type u nsid 0 hostid 200000 range 65536
     lxc-create 1401822796.087 INFO     lxc_confile - read uid map: type g nsid 0 hostid 200000 range 65536
     lxc-create 1401822796.087 ERROR    lxc_create_ui - Error creating container whatever

> 
> > Also, I have yet to see an official user_namespaces(7) (which newuidmap(1)
> > refers to) which would probably instruct how to use uid_map.
> 
> I already owe Michael a cgroups(7) manpage (in progress).  I'm certain there
> is a namespaces(7) man page in progress, but I'll see if I can help out with
> it.
> 
> -serge
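
The policy check that newuidmap/newgidmap enforce against /etc/subuid and /etc/subgid, written out as an added example that is not code from shadow, lxc, or this thread: it parses the two subordinate-id files and the lxc.id_map lines from the session above, then reports every requested host range that is not fully inside a range granted to the caller. The file contents, the `lxc.id_map` strings and the function names are constructed for the example; owner matching is by user name only (the real files may also carry numeric uids), and newuidmap's other checks (single write per process, caller identity) are not modelled.

```python
"""Validate a user-namespace id mapping against /etc/subuid and /etc/subgid.

Added example: re-implements, for illustration only, the containment check
that newuidmap/newgidmap perform before writing /proc/<pid>/uid_map or
gid_map. It is not the shadow or lxc implementation.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SubIdRange:
    """One 'owner:start:count' line from /etc/subuid or /etc/subgid."""
    owner: str
    start: int
    count: int

    @property
    def end(self) -> int:
        """First id *after* the range (exclusive bound)."""
        return self.start + self.count

    def covers(self, start: int, count: int) -> bool:
        """True if [start, start+count) lies entirely inside this range."""
        return self.start <= start and start + count <= self.end


def parse_subid(text: str) -> list[SubIdRange]:
    """Parse /etc/subuid or /etc/subgid content (lines of owner:start:count)."""
    ranges: list[SubIdRange] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected owner:start:count, got {raw!r}")
        owner, start, count = parts
        start_i, count_i = int(start), int(count)
        # A zero or negative count, or a negative start, is never a valid grant.
        if start_i < 0 or count_i <= 0:
            raise ValueError(f"line {lineno}: invalid range {raw!r}")
        ranges.append(SubIdRange(owner, start_i, count_i))
    return ranges


def parse_id_map(text: str) -> list[tuple[str, int, int, int]]:
    """Parse 'lxc.id_map = <u|g> <nsid> <hostid> <range>' lines; ignore others."""
    maps: list[tuple[str, int, int, int]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.id_map"):
            continue
        _, _, value = line.partition("=")
        kind, nsid, hostid, count = value.split()
        if kind not in ("u", "g"):
            raise ValueError(f"unknown id_map type {kind!r}")
        maps.append((kind, int(nsid), int(hostid), int(count)))
    return maps


def check_mapping(user: str, id_map: str, subuid: str, subgid: str) -> list[str]:
    """Return one problem string per map entry outside the user's grants.

    An empty list means every requested host range is covered by a
    subordinate range owned by `user`, i.e. newuidmap/newgidmap would accept it.
    """
    allowed = {
        "u": [r for r in parse_subid(subuid) if r.owner == user],
        "g": [r for r in parse_subid(subgid) if r.owner == user],
    }
    problems = []
    for kind, nsid, hostid, count in parse_id_map(id_map):
        if not any(r.covers(hostid, count) for r in allowed[kind]):
            problems.append(
                f"{kind} map {nsid}->{hostid}+{count} not within {user}'s subordinate ranges"
            )
    return problems


# Constructed sample input mirroring the session above (not a real host's files).
SAMPLE_SUBUID = "# constructed\npg:200000:65536\n"
SAMPLE_SUBGID = "pg:200000:65536\n"
SAMPLE_ID_MAP = "lxc.id_map = u 0 200000 65536\nlxc.id_map = g 0 200000 65536\n"

if __name__ == "__main__":
    for issue in check_mapping("pg", SAMPLE_ID_MAP, SAMPLE_SUBUID, SAMPLE_SUBGID) or ["ok"]:
        print(issue)
```

Running it against the sample input prints `ok`; change the host id to 100000, or the range to 65537, and the offending `lxc.id_map` line is reported, which is exactly the situation in which newuidmap would refuse to write the map and the container setup would fail.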
