On 3/12/20 6:10 PM, Daniel Berteaud wrote:
----- On 12 Mar 20, at 16:35, Frank Thommen f.thom...@dkfz-heidelberg.de wrote:
Dear all,
we have a strange issue with a CentOS 7 container running on PVE 6.1-3,
that UIDs > 65535 are invalid. The container is used as a "SSH
jumphost" to access a special network: Users log in to the host and SSH
to the special network from there. sssd is running in the container. The
directory service is an Active Directory.
However users with UID > 65535 cannot login:
/var/log/secure:
[...]
Mar 12 13:48:32 XXXXXX sshd[1021]: fatal: seteuid 86544: Invalid argument
[...]
and chown isn't possible either:
$ chown 65535 /home/test
$ chown 65536 /home/test
chown: changing ownership of ‘/home/test’: Invalid argument
$
There are no problems with such UIDs on any other systems and there is
no problem with users with a UID <= 65535 within the container. I fear
this might be a container-related issue but I don't understand it and I
don't know if there is a solution or a workaround.
Any help or hint is highly appreciated.
You can work with higher UIDs in LXC with this:
* Edit /etc/subuid and change the range, e.g.
root:100000:4000390000
* Do the same for /etc/subgid
* Edit your container config (/etc/pve/lxc/XXX.conf) and add
lxc.idmap: u 0 100000 2000200000
lxc.idmap: g 0 100000 2000200000
Those are the values I'm using for some AD member containers. Note however that
native PVE restore code might refuse to work with those UIDs (I recall the 65535
max UID hardcoded somewhere in the restore path, but can't remember exactly
where).
Unfortunately that doesn't work. The container will not start any more
with the following messages in the debug log (shortened):
------------------------------------------------
[...]
lxc-start 101 20200312185335.631 INFO conf -
conf.c:run_script_argv:372 - Executing script
"/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "101", config
section "lxc"
lxc-start 101 20200312185336.964 DEBUG conf - conf.c:run_buffer:340 -
Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 101 lxc pre-start
produced output: unable to detect OS distribution
lxc-start: 101: conf.c: run_buffer: 352 Script exited with status 2
lxc-start: 101: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start
for container "101"
lxc-start: 101: start.c: __lxc_start: 2032 Failed to initialize
container "101"
Segmentation fault
------------------------------------------------
Frank
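As an added illustration of the mechanism behind the "Invalid argument" errors and of Daniel's idmap advice (this is example code, not something posted in the thread): inside a user namespace, seteuid() or chown() to an id that no lxc.idmap range covers fails with EINVAL. The script below parses /etc/subuid-style allocations and lxc.idmap lines, reports which host id a container UID maps to (or None when it is unmapped), and checks that the map stays inside the host's subuid allocation, which is why the advice above changes /etc/subuid and /etc/subgid as well. The "default" config string is my assumption of the implicit PVE map (0-65535 onto 100000-165535), written out explicitly; all inputs are constructed.

```python
"""Check whether a UID is usable inside an unprivileged LXC container, given
the host's /etc/subuid allocation and the container's lxc.idmap lines.
Added example; the config strings below are constructed, not from the thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IdRange:
    """One idmap entry: `count` ids starting at `container_start` inside the
    container are mapped to host ids starting at `host_start`."""
    container_start: int
    host_start: int
    count: int

    def container_end(self) -> int:  # exclusive upper bound inside the container
        return self.container_start + self.count

    def host_end(self) -> int:       # exclusive upper bound on the host
        return self.host_start + self.count


def parse_subid(text: str) -> Dict[str, List[Tuple[int, int]]]:
    """Parse /etc/subuid or /etc/subgid: one 'user:start:count' per line."""
    alloc: Dict[str, List[Tuple[int, int]]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, start, count = line.split(":")
        alloc.setdefault(user, []).append((int(start), int(count)))
    return alloc


def parse_idmap(conf: str, kind: str) -> List[IdRange]:
    """Collect 'lxc.idmap: <kind> <container_start> <host_start> <count>'
    lines from a PVE container config; kind is 'u' (uids) or 'g' (gids)."""
    ranges: List[IdRange] = []
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "lxc.idmap":
            continue
        fields = value.split()
        if len(fields) != 4 or fields[0] != kind:
            continue
        ranges.append(IdRange(int(fields[1]), int(fields[2]), int(fields[3])))
    return ranges


def host_id_for(container_id: int, ranges: List[IdRange]) -> Optional[int]:
    """Host id that a container id maps to, or None when no range covers it
    (the kernel then rejects seteuid()/chown() for that id with EINVAL)."""
    for r in ranges:
        if r.container_start <= container_id < r.container_end():
            return r.host_start + (container_id - r.container_start)
    return None


def idmap_within_subid(ranges: List[IdRange],
                       alloc: List[Tuple[int, int]]) -> bool:
    """True if every host id used by the idmap lies inside one of the
    (start, count) allocations the user owns in /etc/subuid or /etc/subgid."""
    for r in ranges:
        if not any(start <= r.host_start and r.host_end() <= start + count
                   for start, count in alloc):
            return False
    return True


# Constructed inputs: the assumed implicit PVE default map, and the wider map
# from the thread, each paired with a matching /etc/subuid line.
DEFAULT_CONF = "lxc.idmap: u 0 100000 65536\nlxc.idmap: g 0 100000 65536\n"
DEFAULT_SUBUID = "root:100000:65536\n"
WIDE_CONF = "lxc.idmap: u 0 100000 2000200000\nlxc.idmap: g 0 100000 2000200000\n"
WIDE_SUBUID = "root:100000:4000390000\n"
AD_UID = 86544  # the UID from the sshd 'seteuid 86544: Invalid argument' line


if __name__ == "__main__":
    for name, conf, subuid in (("default", DEFAULT_CONF, DEFAULT_SUBUID),
                               ("wide", WIDE_CONF, WIDE_SUBUID)):
        umap = parse_idmap(conf, "u")
        print(f"{name}: uid {AD_UID} -> host {host_id_for(AD_UID, umap)}, "
              f"map within subuid: "
              f"{idmap_within_subid(umap, parse_subid(subuid)['root'])}")
```

Running it shows that UID 86544 has no host mapping under the default 65536-entry map but maps to host 186544 under the wider one, and that the wider map only validates once /etc/subuid has been enlarged to match.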
_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user