On 3/12/20 6:10 PM, Daniel Berteaud wrote:

----- Le 12 Mar 20, à 16:35, Frank Thommen f.thom...@dkfz-heidelberg.de a écrit 

Dear all,

we have a strange issue with a CentOS 7 container running on PVE 6.1-3,
that UIDs > 65535 are invalid.  The container is used as a "SSH
jumphost" to access a special network: Users log in to the host and SSH
to the special network from there. sssd is running in the container. The
directory service is an Active Directory.

However users with UID > 65535 cannot login:

Mar 12 13:48:32 XXXXXX sshd[1021]: fatal: seteuid 86544: Invalid argument

and chown isn't possible either:

$ chown 65535 /home/test
$ chown 65536 /home/test
chown: changing ownership of ‘/home/test’: Invalid argument

There are no problems with such UIDs on any other systems and there is
no problem with users with an UID <= 65535 within the container.  I fear
this might be a container-related issue but I don't understand it and I
don't know if there is a solution or a workaround.

Any help or hint is highly appreciated

You can work with higher UID in LXC with this :

   * Edit /etc/subuid and change the range. Eg


   * Do the same for /etc/subgid
   * Edit your container config (/etc/pve/lxc/XXX.conf) and add

lxc.idmap: u 0 100000 2000200000
lxc.idmap: g 0 100000 2000200000

That's the values I'm using for some AD members containers. Note however that 
native PVE restore code might refuse to work with those UID (I recall the 65535 
max UID hardcoded somewhere in the restore path, but can't remember exactly 

Unfortunately that doesn't work. The container will not start any more with the following messages in the debug log (shortened):

lxc-start 101 20200312185335.631 INFO conf - conf.c:run_script_argv:372 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "101", config section "lxc" lxc-start 101 20200312185336.964 DEBUG conf - conf.c:run_buffer:340 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 101 lxc pre-start produced output: unable to detect OS distribution

lxc-start: 101: conf.c: run_buffer: 352 Script exited with status 2
lxc-start: 101: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start for container "101" lxc-start: 101: start.c: __lxc_start: 2032 Failed to initialize container "101"
Segmentation fault

pve-user mailing list

Reply via email to