On 14/10/2016 12:34, Brian Candler wrote:


[root@test ~]# su - admin
*su: cannot set groups: Invalid argument*

So I'm wondering about the best way to deal with this.

(1) I can try to configure FreeIPA to allocate uids in the "low" range, say 2000+.

(2) I can try to get lxd to map a larger range, for example map 1134400000 upwards to 2134400000 on the host. But are there problems in that approach? Is there a reason why the default lxd config only maps 64K worth of uids?

or option (3): just run all containers in privileged mode. This "just works".

[root@test ~]# id
uid=0(root) gid=0(root) groups=0(root)
[root@test ~]# su - admin
su: warning: cannot change directory to /home/admin: No such file or directory
-bash-4.2$ id
uid=1134400000(admin) gid=1134400000(admins) groups=1134400000(admins)


Question 1: does security.privileged only affect whether uid mapping is done, or are there other rights it gives to the container? I have tried googling for this, but I haven't been able to find out *exactly* what security.privileged changes.

Question 2: it seems the uids get fixed automatically. Is lxd simply chown'ing all the files recursively, or is there some mapping option set at mount time, or something else?

$ lxc stop test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
$ lxc config set test security.privileged true
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 100000 100000   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 100000 100000   3 Oct 14 11:35 boot
$ lxc start test
$ sudo ls -l /var/lib/lxd/containers/test/rootfs/ | head -3
total 74
lrwxrwxrwx  1 root root   7 Oct 14 03:20 bin -> usr/bin
dr-xr-xr-x  3 root root   3 Oct 14 11:35 boot
$

Thanks,

Brian.
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

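The `su: cannot set groups: Invalid argument` failure above is a range check: an unprivileged LXD container only has the uids and gids its idmap covers, and the default map is 65536 ids rooted at host id 100000 (the `100000 100000` owners in the `ls -l` listing), so a FreeIPA id such as 1134400000 has no host counterpart and setgroups()/setuid() fail with EINVAL. With `security.privileged true` there is no user namespace at all, which is why the same files show up as `root root` once the container is started. The script below is an added example, not code from the post or from LXD; it reproduces that check offline against constructed idmap lines in LXD's `uid|gid <container-start> <host-start> <count>` layout and a constructed `/etc/subuid` entry, and shows what option (2), a map wide enough for 1134400000+, requires from the host allocation.

```shell
#!/bin/sh
# Added example (not from the original post or from LXD): check container ids against an
# LXD-style idmap. Lines use the "uid|gid <container-start> <host-start> <count>" layout LXD
# prints in volatile.last_state.idmap / lxc.idmap. All inputs below are constructed.
set -eu

# Constructed: LXD's default unprivileged map, 65536 ids rooted at host uid/gid 100000.
DEFAULT_IDMAP='uid 0 100000 65536
gid 0 100000 65536'

# Constructed: a map wide enough for FreeIPA ids above 1134400000 (option 2 in the post).
# 2^31 ids starting at 100000 still fits inside the 32-bit id space.
WIDE_IDMAP='uid 0 100000 2147483648
gid 0 100000 2147483648'

# map_id KIND ID IDMAP: print the host id that KIND (uid|gid) ID maps to; return 1 if ID is
# outside every range, which is the case where setuid()/setgroups() inside the container
# fail with EINVAL (the su error in the post).
map_id() {
    kind=$1; id=$2; idmap=$3
    while read -r k cbase hbase count; do
        [ "$k" = "$kind" ] || continue
        if [ "$id" -ge "$cbase" ] && [ "$id" -lt $((cbase + count)) ]; then
            echo $((hbase + id - cbase))
            return 0
        fi
    done <<EOF
$idmap
EOF
    return 1
}

# fits_subuid SUBUID_LINE IDMAP: return 0 if every uid line of IDMAP lies inside the range a
# "user:start:count" entry from /etc/subuid grants, 1 otherwise. LXD honours /etc/subuid, so
# a map like WIDE_IDMAP also needs a matching subuid/subgid grant on the host.
fits_subuid() {
    IFS=: read -r suser sstart scount <<EOF
$1
EOF
    while read -r k cbase hbase count; do
        [ "$k" = uid ] || continue
        [ "$hbase" -ge "$sstart" ] && [ $((hbase + count)) -le $((sstart + scount)) ] || return 1
    done <<EOF
$2
EOF
    return 0
}

# Walk a few ids through both maps: 1000 and 65535 are reachable in the default map,
# 65536 and the FreeIPA uid 1134400000 are not.
for id in 1000 65535 65536 1134400000; do
    if host=$(map_id uid "$id" "$DEFAULT_IDMAP"); then
        echo "uid $id -> host uid $host (default 64K map)"
    else
        echo "uid $id -> not mapped by the default 64K map (su would fail as in the post)"
    fi
    if host=$(map_id uid "$id" "$WIDE_IDMAP"); then
        echo "uid $id -> host uid $host (wide map)"
    fi
done

# The wide map only works if /etc/subuid actually grants root that many ids.
fits_subuid "root:100000:65536" "$WIDE_IDMAP" \
    || echo "wide map exceeds root:100000:65536 in /etc/subuid; enlarge the subuid/subgid grant first"
```

The `WIDE_IDMAP` size is an assumption for illustration; the point it makes is that any container id is only usable if it falls inside a range the container's idmap covers, and that range in turn has to fit inside what the host's `/etc/subuid` and `/etc/subgid` allocate, so enlarging the map is a host-side change as well as a container-side one. Mapping a wider range does not by itself grant the container anything beyond those ids; it is `security.privileged`, which drops the user namespace entirely, that turns container root into host root.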