[opensuse-factory] Howto setup /etc/subuid and /etc/subgid?
For some weeks now, my LXC guests have no longer started on Tumbleweed. After some debugging I found this possible cause:

$ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
$ grep ERROR libvirt.log
lxc-start 20170803204255.404 ERROR lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
lxc-start 20170803204255.451 ERROR lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
lxc-start 20170803204255.994 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170803204255.994 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Some comments (like here https://github.com/anbox/anbox/issues/201#issuecomment-297907694) suggest setting up /etc/subuid and /etc/subgid correctly. But what is the correct content? Could someone give me an example /etc/subuid and /etc/subgid file?

(On my TW installation both files do not exist. On another PC with Leap 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow filled with the three users and groups, which I recently created with useradd and groupadd.)

Greetings,
Björn

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Bjoern Voigt wrote:
> (On my TW installation both files do not exist. On another PC with Leap 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow filled with the three users and groups, which I recently created with useradd and groupadd.)

Simply adding a mapping for root in /etc/subuid and /etc/subgid does not help. The errors are the same as above.

mybox:~ # cat /etc/subuid
root:100000:65536
mybox:~ # cat /etc/subgid
root:100000:65536

Greetings,
Björn
Bjoern Voigt wrote:
> (On my TW installation both files do not exist. On another PC with Leap 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow filled with the three users and groups, which I recently created with useradd and groupadd.)

It works now without a configuration change. Self-healing effect?

Greetings,
Björn
Bjoern Voigt wrote:
>> (On my TW installation both files do not exist. On another PC with Leap 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow filled with the three users and groups, which I recently created with useradd and groupadd.)
> It works now without a configuration change. Self-healing effect?

No, I was wrong. The setuid bit is necessary for /usr/bin/newuidmap and /usr/bin/newgidmap to make this work.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1048645

Greetings,
Björn
>>> (On my TW installation both files do not exist. On another PC with Leap 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow filled with the three users and groups, which I recently created with useradd and groupadd.)
>> It works now without a configuration change. Self-healing effect?
> No, I was wrong. The setuid bit is necessary for /usr/bin/newuidmap and /usr/bin/newgidmap to make this work.

Yes, they need setuid bits in order to operate (you need root to be able to map more than one user in a user namespace). I believe the reason for not making them setuid originally was that Docker only requires the /etc/sub{uid,gid} files to exist, and when we first requested a shadow-utils update the security team decided that not making them setuid would be a better move until someone requested that they be made setuid.

In any case, if you want to add setuid binaries to the system, you need to request an audit from the security team. I've added Marcus Meisner to Cc.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
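A preflight check for the two conditions this thread identifies (a subordinate ID range for the user in /etc/subuid and /etc/subgid, and setuid bits on /usr/bin/newuidmap and /usr/bin/newgidmap), as an added example that is not part of the original messages. The function names are hypothetical, and the overlap check goes beyond what the thread covers.

```shell
#!/bin/sh
# Added example (not from the thread): preflight for the two requirements it names.

# Print "first_id count" for each range USER owns in a subuid/subgid-format
# file, whose lines are name:first_id:count.
subid_ranges() {   # $1 = file, $2 = user
    awk -F: -v u="$2" 'NF == 3 && $1 == u { print $2, $3 }' "$1"
}

# Print "userA userB" for entries of different users whose ranges overlap
# (both could then map the same host IDs). Non-zero exit if any are found.
subid_overlaps() {   # $1 = file
    awk -F: 'NF == 3 {
        n++; who[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1
        for (i = 1; i < n; i++)
            if (who[i] != $1 && lo[n] <= hi[i] && lo[i] <= hi[n]) {
                print who[i], $1; bad = 1
            }
    } END { exit bad + 0 }' "$1"
}

# Classify a mapping helper: "missing", "setuid" or "no-setuid".
helper_status() {   # $1 = path to newuidmap or newgidmap
    if [ ! -e "$1" ]; then echo missing
    elif [ -u "$1" ]; then echo setuid
    else echo no-setuid
    fi
}

# Print one FAIL line per problem; return non-zero if there was any.
idmap_preflight() {   # $1 user, $2 subuid, $3 subgid, $4 newuidmap, $5 newgidmap
    rc=0
    for f in "$2" "$3"; do
        if [ ! -r "$f" ]; then echo "FAIL $f: missing or unreadable"; rc=1; continue; fi
        [ -n "$(subid_ranges "$f" "$1")" ] || { echo "FAIL $f: no range for $1"; rc=1; }
        subid_overlaps "$f" >/dev/null || { echo "FAIL $f: overlapping ranges"; rc=1; }
    done
    for h in "$4" "$5"; do
        s=$(helper_status "$h")
        [ "$s" = setuid ] || { echo "FAIL $h: $s"; rc=1; }
    done
    return $rc
}

# Check the running system when executed with a user name as the only argument.
if [ $# -eq 1 ]; then
    idmap_preflight "$1" /etc/subuid /etc/subgid \
        /usr/bin/newuidmap /usr/bin/newgidmap
fi
```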