Quoting Christoph Willing ([email protected]):
> On 23/07/16 18:16, Andreas Vögele wrote:
> >Christoph Willing writes:
> >
> >>I'm following the guide to run X apps in a container at:
> >>    https://www.stgraber.org/2014/02/09/lxc-1-0-gui-in-containers/
> >>
> >>As a starting point, I have a normal unprivileged container running
> >>perfectly. However when I change the id_map configuration to look
> >>like:
> >>lxc.id_map = u 0 100000 1000
> >>lxc.id_map = g 0 100000 1000
> >>lxc.id_map = u 1000 1000 1
> >>lxc.id_map = g 1000 1000 1
> >>lxc.id_map = u 1001 101001 64535
> >>lxc.id_map = g 1001 101001 64535
> >>
> >>the container fails to start, claiming:
> >>
> >>chris@d6:~/.local/share/lxc$ lxc-start -n x11-test-x86_64 -F
> >>newuidmap: uid range [1000-1001) -> [1000-1001) not allowed
> >>lxc-start: start.c: lxc_spawn: 1161 failed to set up id mapping
> >>[...]
> >>Can anyone shed light on this problem please?
> >
> >You've got to add the id to /etc/subuid and /etc/subgid. Example:
> >
> >chris:1000:1
> >chris:100000:65536
>
> Thanks Andreas,
>
> I had the second line but not the first. The container starts
> without error now.
>
> chris

Note that the 1000 throughout here should be replaced by your real uid and gid. If you just use '1000' but that's not your uid/gid, then you are letting your user own someone else's uid/gid, which means any trojan that runs as you has more privilege than you thought.
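
A check that follows from the thread, as an added example that is not part of the original messages: it compares each `lxc.id_map` line against the user's `/etc/subuid` and `/etc/subgid` entries and flags a pass-through mapping that is not the user's own uid/gid. The function names are hypothetical, the embedded input is constructed from the values quoted above, and the coverage rule is simplified to "each host range must fit inside one single entry".

```python
import re

MAP_RE = re.compile(r"^\s*lxc\.id_map\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_id_map(config_text):
    """Return (kind, container_start, host_start, count) per lxc.id_map line."""
    matches = (MAP_RE.match(line) for line in config_text.splitlines())
    return [(m[1], int(m[2]), int(m[3]), int(m[4])) for m in matches if m]

def parse_subid(text, user):
    """Return (start, count) ranges delegated to `user` in subuid/subgid text."""
    rows = (line.strip().split(":") for line in text.splitlines())
    return [(int(r[1]), int(r[2])) for r in rows if len(r) == 3 and r[0] == user]

def audit(config_text, subuid_text, subgid_text, user, uid, gid):
    """List problems: undelegated host ranges and pass-through of a foreign id."""
    delegated = {"u": parse_subid(subuid_text, user), "g": parse_subid(subgid_text, user)}
    own = {"u": uid, "g": gid}
    problems = []
    for kind, cstart, hstart, count in parse_id_map(config_text):
        # Assumption of this example: one single entry must cover the whole range.
        covered = any(s <= hstart and hstart + count <= s + c for s, c in delegated[kind])
        if not covered:
            problems.append(f"{kind} {hstart}+{count}: not delegated to {user}")
        if cstart == hstart and (hstart != own[kind] or count != 1):
            problems.append(f"{kind} {hstart}+{count}: passes through an id that is not {user}'s own")
    return problems

# Constructed sample input: the id_map from the thread and two subuid/subgid states.
CONFIG = """\
lxc.id_map = u 0 100000 1000
lxc.id_map = g 0 100000 1000
lxc.id_map = u 1000 1000 1
lxc.id_map = g 1000 1000 1
lxc.id_map = u 1001 101001 64535
lxc.id_map = g 1001 101001 64535
"""
BEFORE = "chris:100000:65536\n"              # only the second line present
AFTER = "chris:1000:1\nchris:100000:65536\n"  # both lines present

if __name__ == "__main__":
    for label, subid in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(CONFIG, subid, subid, "chris", 1000, 1000))
```

Passing a real uid/gid other than 1000 with the same files reports the pass-through lines, which is the case the note above warns about.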
