
lxc 20220302000315.323 ERROR lxc_start - start.c:lxc_spawn:1163 - Failed to set up id mapping.

Unprivileged container is not coming up with the below error in the container logs:

    lxc 20220302000315.323 ERROR lxd - start.c:lxc_spawn:1163 -Failed to set up id mapping.
    lxc 20220302000011.952 ERROR lxc_start - start.c:__lxc_start:1338 - Failed to spawn container "XXX".

I am unable to know which ID is mismatched to resolve the issue.

How do I know which ID mapping is causing the issue and how to resolve it?

I tried mapping the ids in "/etc/subgid" and "/etc/subuid" and putting a few additional permissions in "/etc/group", but this results in the same error.

Bindu
  • Please show the content of your ```/etc/subuid``` and ```/etc/subgid```. With unprivileged containers, you have to start the containers with ```systemd-run --user --scope -p "Delegate=yes" lxc-start -n "$CONTAINER_NAME"```, where "$CONTAINER_NAME" is the name of the container. Then, you have mappings specific to the container itself in the config file of your container; please post the content of that also. – fun_times Apr 04 '22 at 13:45
  • There are many ids being mapped and hence I wanted to know any command to pinpoint the ids. But below are your requested entries. subgid mapping: lxd:100000:10 lxd:200000:10 lxd:300000:10 lxd:400000:10 lxd:500000:10 lxd:600000:10 lxd:700000:10 lxd:800000:10 lxd:900000:10 lxd:1100000:10 lxd:9011:11 lxd:20:1 lxd:29:1 lxd:2005:1 lxd:2080:3 lxd:2140:1 lxd:4000:1 lxd:10600:4 lxd:10800:1 lxd:14030:1 lxd:17013:1 lxd:17025:1 – Bindu Apr 04 '22 at 14:04
  • subuid mapping lxd:100000:10 lxd:200000:10 lxd:300000:10 lxd:400000:10 lxd:500000:10 lxd:600000:10 lxd:700000:10 lxd:800000:10 lxd:900000:10 lxd:1100000:10 lxd:9011:11 lxd:10800:1 lxd:14030:1 lxd:17013:1 lxd:17025:1 – Bindu Apr 04 '22 at 14:05
  • UID and GID mappings present in config file. lxc.id_map = u 0 1600000 106 lxc.id_map = g 0 1600000 106 lxc.id_map = u 9029 9029 1 lxc.id_map = g 9029 9029 1 lxc.id_map = u 9012 9012 1 lxc.id_map = g 9012 9012 1 lxc.id_map = g 2022 2022 1 lxc.id_map = u 2140 2140 4 lxc.id_map = g 2140 2140 4 lxc.id_map = u 10000 10000 400 lxc.id_map = g 10000 10000 400 lxc.id_map = u 65534 65534 1 lxc.id_map = g 65534 65534 1 – Bindu Apr 04 '22 at 14:05

1 Answer


Your mappings look quite wrong... The syntax should be:

/etc/subuid

[local unprivileged user on the host that will run the container]:[uid on the host to start at (this is a nonexistent uid on the host and it is ok)]:[number/range of uids to map]

e.g.: toto:100000:65535

/etc/subgid

[local unprivileged group on the host that will run the container]:[gid on the host to start at (this is a nonexistent gid on the host and it is ok)]:[number/range of gids to map]

e.g.: toto:100000:65535

config

Then, in the config file of the container, if you want to restrict the access further, you can do some specific mappings:

    lxc.idmap = u 0 100000 1
    lxc.idmap = g 0 100000 1
    lxc.idmap = u 33 100033 1
    lxc.idmap = g 33 100033 1

The first two lines will map the uid and gid 0 (root) in the container to uid and gid 100000 on the host.

The last two lines will map the uid and gid 33 (www-data) in the container to uid and gid 100033 on the host.

fun_times
  • Added below in subgid file: lxd:1600000:106 lxd:9029:1 lxd:9012:1 lxd:2022:1 lxd:2140:4 lxd:10000:400 lxd:65534:1. Added below in subuid file: lxd:1600000:106 lxd:9029:1 lxd:9012:1 lxd:2140:4 lxd:10000:400 lxd:65534:1. Still encountering the same error. – Bindu Apr 05 '22 at 07:18
  • Is lxd the user running the container? Can you explain why you map 106 ports on the container starting on the host at 1600000 with: lxd:1600000:106? – fun_times Apr 05 '22 at 14:29
  • There are multiple processes running inside the container for which these uids are required to be mapped. – Bindu Apr 06 '22 at 07:32
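
One way to pinpoint the failing entries, as an added example that is not part of the original posts: the script below checks every `lxc.idmap` / `lxc.id_map` host range against the ranges delegated to one user in `/etc/subuid` and `/etc/subgid`, and lists the host ids that are not delegated. The function names are hypothetical, the sample values are copied from the asker's first comments, and it assumes `lxd` is the user that starts the container, which the thread does not confirm.

```python
import re

# Sample input copied from the thread (first subuid/subgid comments and the container config).
COMMON = ("lxd:100000:10 lxd:200000:10 lxd:300000:10 lxd:400000:10 lxd:500000:10 "
          "lxd:600000:10 lxd:700000:10 lxd:800000:10 lxd:900000:10 lxd:1100000:10 lxd:9011:11")
SUBUID = COMMON + " lxd:10800:1 lxd:14030:1 lxd:17013:1 lxd:17025:1"
SUBGID = COMMON + (" lxd:20:1 lxd:29:1 lxd:2005:1 lxd:2080:3 lxd:2140:1 lxd:4000:1"
                   " lxd:10600:4 lxd:10800:1 lxd:14030:1 lxd:17013:1 lxd:17025:1")
CONFIG = ("lxc.id_map = u 0 1600000 106 lxc.id_map = g 0 1600000 106 lxc.id_map = u 9029 9029 1 "
          "lxc.id_map = g 9029 9029 1 lxc.id_map = u 9012 9012 1 lxc.id_map = g 9012 9012 1 "
          "lxc.id_map = g 2022 2022 1 lxc.id_map = u 2140 2140 4 lxc.id_map = g 2140 2140 4 "
          "lxc.id_map = u 10000 10000 400 lxc.id_map = g 10000 10000 400 "
          "lxc.id_map = u 65534 65534 1 lxc.id_map = g 65534 65534 1")

def parse_subid(text, user):
    """Sorted inclusive (first, last) host id ranges delegated to `user` (name:start:count)."""
    out = []
    for entry in text.split():
        parts = entry.split(":")
        if len(parts) == 3 and parts[0] == user:
            out.append((int(parts[1]), int(parts[1]) + int(parts[2]) - 1))
    return sorted(out)

def gaps(lo, hi, delegated):
    """Sub-ranges of [lo, hi] that no delegated range covers."""
    out = []
    for s, e in delegated:
        if s > hi:
            break
        if e >= lo:
            if s > lo:
                out.append((lo, s - 1))
            lo = e + 1
    if lo <= hi:
        out.append((lo, hi))
    return out

def check(config, subuid, subgid, user):
    """Return (config entry, undelegated host ranges) for each u/g mapping that is not fully covered."""
    allowed = {"u": parse_subid(subuid, user), "g": parse_subid(subgid, user)}
    pat = re.compile(r"lxc\.id_?map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")
    bad = []
    for kind, c, h, n in pat.findall(config):
        missing = gaps(int(h), int(h) + int(n) - 1, allowed[kind])
        if missing:
            bad.append((f"{kind} {c} {h} {n}", missing))
    return bad

if __name__ == "__main__":
    for entry, missing in check(CONFIG, SUBUID, SUBGID, "lxd"):
        print(entry, "-> host ids not delegated:", missing)
```

With the first set of files, 11 of the 13 config entries are flagged; with the entries from the later comment appended, none are, so the delegation for `lxd` is then complete and the check only remains relevant if a different user starts the container.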