Mailinglist Archive: opensuse-factory (649 mails)

Re: [opensuse-factory] Howto setup /etc/subuid and /etc/subgid?
Since some weeks my LXC guests do not start anymore on Tumbleweed.

After some debugging I found this possible cause:

$ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
$ grep ERROR libvirt.log
lxc-start 20170803204255.404 ERROR lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
lxc-start 20170803204255.451 ERROR lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
lxc-start 20170803204255.994 ERROR lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
lxc-start 20170803204255.994 ERROR lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Some comments (like here
https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
suggest setting up /etc/subuid and /etc/subgid correctly.

But what is the correct content? Could someone give me an example
/etc/subuid and /etc/subgid file?

(On my TW installation both files do not exist. On another PC with Leap
42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
filled with the three users and groups which I recently created with
useradd and groupadd.)

It works now without a configuration change. Self-healing effect?

No, I was wrong. The setuid bit is necessary for /usr/bin/newuidmap and
/usr/bin/newgidmap to make this work.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1048645

Yes, they need setuid bits in order to operate (you need root to be able to map more than one user in a user namespace). I believe the reason for not making them setuid originally was that Docker only requires the /etc/sub{uid,gid} files to exist, and when we first requested a shadow-utils update the security team decided that not making them setuid would be a better move until someone requested that they be made setuid.

In any case if you want to add setuid binaries to the system, you need to request an audit from the security team. I've added Marcus Meisner to Cc.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
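As an added illustration (not code from this thread or from shadow-utils), the POSIX sh script below checks the three things the thread turns on: that /etc/subuid and /etc/subgid contain well-formed name:start:count entries for the user, that no two users share a subordinate range (overlapping ranges would let one user's container run as another user's subordinate ids), and that /usr/bin/newuidmap and /usr/bin/newgidmap are setuid root. The two-user sample file is constructed for the example, with the 65536-id ranges useradd typically allots, and the helper paths are the ones named in the thread.

```shell
#!/bin/sh
# Sanity checks for the unprivileged user-namespace setup lxc-start relies on:
# well-formed /etc/subuid and /etc/subgid entries, no overlapping ranges, and
# setuid-root newuidmap/newgidmap (needed to write a multi-entry id map).

# Print start:count of every range allotted to USER ($1) in FILE ($2).
# Exit status 1 when the user has no entry at all.
subid_range() {
    awk -F: -v u="$1" '$1 == u { found = 1; print $2 ":" $3 }
                        END { exit found ? 0 : 1 }' "$2"
}

# Validate FILE ($1): three colon-separated fields, numeric start and count,
# count > 0, and no overlap between any two ranges. Exit status 1 on problems.
subid_validate() {
    [ -f "$1" ] || { echo "$1: missing"; return 1; }
    awk -F: '
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ || $3 == 0 {
            printf "malformed line %d: %s\n", NR, $0; bad = 1; next
        }
        {
            lo[NR] = $2 + 0; hi[NR] = $2 + $3 - 1; who[NR] = $1
            for (i in lo)
                if (i != NR && lo[i] <= hi[NR] && lo[NR] <= hi[i]) {
                    printf "overlap: %s and %s\n", who[i], who[NR]; bad = 1
                }
        }
        END { exit bad ? 1 : 0 }' "$1"
}

# Exit 0 only when HELPER ($1) exists, is owned by root and has the setuid bit.
helper_is_setuid_root() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -4000 -user root -print)" ]
}

# Run all checks against the live system for USER ($1).
check_system() {
    subid_validate /etc/subuid && subid_validate /etc/subgid &&
    subid_range "$1" /etc/subuid >/dev/null && subid_range "$1" /etc/subgid >/dev/null &&
    helper_is_setuid_root /usr/bin/newuidmap && helper_is_setuid_root /usr/bin/newgidmap
}

# Constructed sample (not a real system file): two users with adjacent,
# non-overlapping 65536-id ranges, the layout useradd typically produces.
SAMPLE_SUBUID=$(mktemp)
printf 'alice:100000:65536\nbob:165536:65536\n' > "$SAMPLE_SUBUID"
subid_validate "$SAMPLE_SUBUID" && echo "sample ok: alice -> $(subid_range alice "$SAMPLE_SUBUID")"
```

Run `check_system "$USER"` on the host itself to see which of the three prerequisites is missing before digging through the lxc-start log.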