Re: [PVE-User] UIDs > 65535 not valid in container
On 17.03.20 09:33, Dietmar Maurer wrote: Does anyone have an assessment of the risk we would run? I still don't understand the security implications of the mapping of higher UIDs. However this is quickly becoming a major issue for us. The risk is that it is not supported by us. Thus, we do not test that and I do not know what problems this may trigger... ok. I will take the risk then, because w/o that mapping we cannot use the containers. Thanks Frank ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
> Does anyone have an assessment of the risk we would run? I still don't > understand the security implications of the mapping of higher UIDs. > However this is quickly becoming a major issue for us. The risk is that it is not supported by us. Thus, we do not test that and I do not know what problems this may trigger... ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
Dear all, On 13.03.20 14:13, Frank Thommen wrote: On 3/12/20 7:58 PM, Frank Thommen wrote: On 3/12/20 5:57 PM, Dietmar Maurer wrote: I fear this might be a container-related issue but I don't understand it and I don't know if there is a solution or a workaround. Any help or hint is highly appreciated Yes, we only map 65535 IDs for a single container. We cannot allow the full range for security reasons. What is the security related impact of higher UIDs? This is kind of a showstopper for us, as we planned several such minimal services which all need to be able to map all existing UIDs in the AD. The idea was to move them away from heavy full VMs to more lightweight containers. Or the other way round: What are the risks if we change the hardcoded limits in /usr/share/perl5/PVE/LXC.pm? (apart from the fact, that we will have to port the changes after each update and upgrade) Does anyone have an assessment of the risk we would run? I still don't understand the security implications of the mapping of higher UIDs. However this is quickly becoming a major issue for us. Cheers Frank ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
On 3/12/20 7:58 PM, Frank Thommen wrote: On 3/12/20 5:57 PM, Dietmar Maurer wrote: I fear this might be a container-related issue but I don't understand it and I don't know if there is a solution or a workaround. Any help or hint is highly appreciated Yes, we only map 65535 IDs for a single container. We cannot allow the full range for security reasons. What is the security related impact of higher UIDs? This is kind of a showstopper for us, as we planned several such minimal services which all need to be able to map all existing UIDs in the AD. The idea was to move them away from heavy full VMs to more lightweight containers. Or the other way round: What are the risks if we change the hardcoded limits in /usr/share/perl5/PVE/LXC.pm? (apart from the fact, that we will have to port the changes after each update and upgrade) frank ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
On 3/12/20 5:57 PM, Dietmar Maurer wrote: I fear this might be a container-related issue but I don't understand it and I don't know if there is a solution or a workaround. Any help or hint is highly appreciated Yes, we only map 65535 IDs for a single container. We cannot allow the full range for security reasons. What is the security related impact of higher UIDs? This is kind of a showstopper for us, as we planned several such minimal services which all need to be able to map all existing UIDs in the AD. The idea was to move them away from heavy full VMs to more lightweight containers. Frank ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
On 3/12/20 6:10 PM, Daniel Berteaud wrote: - Le 12 Mar 20, à 16:35, Frank Thommen f.thom...@dkfz-heidelberg.de a écrit : Dear all, we have a strange issue with a CentOS 7 container running on PVE 6.1-3, that UIDs > 65535 are invalid. The container is used as a "SSH jumphost" to access a special network: Users log in to the host and SSH to the special network from there. sssd is running in the container. The directory service is an Active Directory. However users with UID > 65535 cannot login: /var/log/secure: [...] Mar 12 13:48:32 XX sshd[1021]: fatal: seteuid 86544: Invalid argument [...] and chown isn't possible either: $ chown 65535 /home/test $ chown 65536 /home/test chown: changing ownership of ‘/home/test’: Invalid argument $ There are no problems with such UIDs on any other systems and there is no problem with users with an UID <= 65535 within the container. I fear this might be a container-related issue but I don't understand it and I don't know if there is a solution or a workaround. Any help or hint is highly appreciated You can work with higher UID in LXC with this : * Edit /etc/subuid and change the range. Eg root:10:400039 * Do the same for /etc/subgid * Edit your container config (/etc/pve/lxc/XXX.conf) and add lxc.idmap: u 0 10 200020 lxc.idmap: g 0 10 200020 That's the values I'm using for some AD members containers. Note however that native PVE restore code might refuse to work with those UID (I recall the 65535 max UID hardcoded somewhere in the restore path, but can't remember exactly where) Unfortunately that doesn't work. The container will not start any more with the following messages in the debug log (shortened): [...] lxc-start 101 20200312185335.631 INFO conf - conf.c:run_script_argv:372 - Executing script "/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "101", config section "lxc" lxc-start 101 20200312185336.964 DEBUGconf - conf.c:run_buffer:340 - Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 101 lxc pre-start produced output: unable to detect OS distribution lxc-start: 101: conf.c: run_buffer: 352 Script exited with status 2 lxc-start: 101: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start for container "101" lxc-start: 101: start.c: __lxc_start: 2032 Failed to initialize container "101" Segmentation fault Frank ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
- Le 12 Mar 20, à 16:35, Frank Thommen f.thom...@dkfz-heidelberg.de a écrit : > Dear all, > > we have a strange issue with a CentOS 7 container running on PVE 6.1-3, > that UIDs > 65535 are invalid. The container is used as a "SSH > jumphost" to access a special network: Users log in to the host and SSH > to the special network from there. sssd is running in the container. The > directory service is an Active Directory. > > However users with UID > 65535 cannot login: > > /var/log/secure: > [...] > Mar 12 13:48:32 XX sshd[1021]: fatal: seteuid 86544: Invalid argument > [...] > > > and chown isn't possible either: > > $ chown 65535 /home/test > $ chown 65536 /home/test > chown: changing ownership of ‘/home/test’: Invalid argument > $ > > > There are no problems with such UIDs on any other systems and there is > no problem with users with an UID <= 65535 within the container. I fear > this might be a container-related issue but I don't understand it and I > don't know if there is a solution or a workaround. > > Any help or hint is highly appreciated You can work with higher UID in LXC with this : * Edit /etc/subuid and change the range. Eg root:10:400039 * Do the same for /etc/subgid * Edit your container config (/etc/pve/lxc/XXX.conf) and add lxc.idmap: u 0 10 200020 lxc.idmap: g 0 10 200020 That's the values I'm using for some AD members containers. Note however that native PVE restore code might refuse to work with those UID (I recall the 65535 max UID hardcoded somewhere in the restore path, but can't remember exactly where) ++ -- [ https://www.firewall-services.com/ ] Daniel Berteaud FIREWALL-SERVICES SAS, La sécurité des réseaux Société de Services en Logiciels Libres Tél : +33.5 56 64 15 32 Matrix: @dani:fws.fr [ https://www.firewall-services.com/ | https://www.firewall-services.com ] ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
Re: [PVE-User] UIDs > 65535 not valid in container
> I fear > this might be a container-related issue but I don't understand it and I > don't know if there is a solution or a workaround. > > Any help or hint is highly appreciated Yes, we only map 65535 IDs for a single container. We cannot allow the full range for security reasons. ___ pve-user mailing list pve-user@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user