Howto setup /etc/subuid and /etc/subgid?

Howto setup /etc/subuid and /etc/subgid?

Bjoern Voigt
For some weeks now, my LXC guests no longer start on Tumbleweed.

After some debugging I found this possible cause:

$ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
$ grep ERROR libvirt.log
      lxc-start 20170803204255.404 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
      lxc-start 20170803204255.451 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
      lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Some comments (like here
https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
suggest setting up /etc/subuid and /etc/subgid correctly.

But what is the correct content? Could someone give me an example
/etc/subuid and /etc/subgid file?

(On my TW installation both files do not exist. On another PC with Leap
42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
filled with the three users and groups, which I recently created with
useradd and groupadd.)

Greetings,
Björn
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Re: Howto setup /etc/subuid and /etc/subgid?

Bjoern Voigt
Bjoern Voigt wrote:

> For some weeks now, my LXC guests no longer start on Tumbleweed.
>
> After some debugging I found this possible cause:
>
> $ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
> $ grep ERROR libvirt.log
>       lxc-start 20170803204255.404 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
>       lxc-start 20170803204255.451 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>
> Some comments (like here
> https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
> suggest setting up /etc/subuid and /etc/subgid correctly.
>
> But what is the correct content? Could someone give me an example
> /etc/subuid and /etc/subgid file?
>
> (On my TW installation both files do not exist. On another PC with Leap
> 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
> filled with the three users and groups, which I recently created with
> useradd and groupadd.)
Simply adding a mapping for root in /etc/subuid and /etc/subgid does not
help. The errors are the same as above.

mybox:~ # cat /etc/subuid
root:100000:65536
mybox:~ # cat /etc/subgid
root:100000:65536

Greetings,
Björn


Re: Howto setup /etc/subuid and /etc/subgid?

Bjoern Voigt
Bjoern Voigt wrote:

> For some weeks now, my LXC guests no longer start on Tumbleweed.
>
> After some debugging I found this possible cause:
>
> $ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
> $ grep ERROR libvirt.log
>       lxc-start 20170803204255.404 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
>       lxc-start 20170803204255.451 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>
> Some comments (like here
> https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
> suggest setting up /etc/subuid and /etc/subgid correctly.
>
> But what is the correct content? Could someone give me an example
> /etc/subuid and /etc/subgid file?
>
> (On my TW installation both files do not exist. On another PC with Leap
> 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
> filled with the three users and groups, which I recently created with
> useradd and groupadd.)
It works now without a configuration change. Self-healing effect?

Greetings,
Björn

Re: Howto setup /etc/subuid and /etc/subgid?

Bjoern Voigt
Bjoern Voigt wrote:

> Bjoern Voigt wrote:
>> For some weeks now, my LXC guests no longer start on Tumbleweed.
>>
>> After some debugging I found this possible cause:
>>
>> $ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
>> $ grep ERROR libvirt.log
>>       lxc-start 20170803204255.404 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
>>       lxc-start 20170803204255.451 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
>>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>>       lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>>
>> Some comments (like here
>> https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
>> suggest setting up /etc/subuid and /etc/subgid correctly.
>>
>> But what is the correct content? Could someone give me an example
>> /etc/subuid and /etc/subgid file?
>>
>> (On my TW installation both files do not exist. On another PC with Leap
>> 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
>> filled with the three users and groups, which I recently created with
>> useradd and groupadd.)
> It works now without a configuration change. Self-healing effect?
No, I was wrong. The setuid bit is necessary for /usr/bin/newuidmap and
/usr/bin/newgidmap to make this work.

See https://bugzilla.opensuse.org/show_bug.cgi?id=1048645

Greetings,
Björn

Re: Howto setup /etc/subuid and /etc/subgid?

Aleksa Sarai
>>> For some weeks now, my LXC guests no longer start on Tumbleweed.
>>>
>>> After some debugging I found this possible cause:
>>>
>>> $ lxc-start -n ubuntu-xenial --foreground --logfile libvirt.log --logpriority INFO
>>> $ grep ERROR libvirt.log
>>>        lxc-start 20170803204255.404 ERROR    lxc_start - start.c:lxc_spawn:1182 - Failed to set up id mapping.
>>>        lxc-start 20170803204255.451 ERROR    lxc_start - start.c:__lxc_start:1354 - Failed to spawn container "ubuntu-xenial".
>>>        lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
>>>        lxc-start 20170803204255.994 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.
>>>
>>> Some comments (like here
>>> https://github.com/anbox/anbox/issues/201#issuecomment-297907694)
>>> suggest setting up /etc/subuid and /etc/subgid correctly.
>>>
>>> But what is the correct content? Could someone give me an example
>>> /etc/subuid and /etc/subgid file?
>>>
>>> (On my TW installation both files do not exist. On another PC with Leap
>>> 42.2 I have both files, but /etc/subuid and /etc/subgid were somehow
>>> filled with the three users and groups, which I recently created with
>>> useradd and groupadd.)
>> It works now without a configuration change. Self-healing effect?
> No, I was wrong. The setuid bit is necessary for /usr/bin/newuidmap and
> /usr/bin/newgidmap to make this work.
>
> See https://bugzilla.opensuse.org/show_bug.cgi?id=1048645

Yes, they need setuid bits in order to operate (you need root to be able
to map more than one user in a user namespace). I believe the reason for
not making them setuid originally was that Docker only requires the
/etc/sub{uid,gid} files to exist, and when we first requested a
shadow-utils update the security team decided that not making them
setuid would be a better move until someone requested that they be made
setuid.

In any case, if you want to add setuid binaries to the system, you need
to request an audit from the security team. I've added Marcus Meissner to Cc.

--
Aleksa Sarai
Software Engineer (Containers)
SUSE Linux GmbH
https://www.cyphar.com/
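
The two prerequisites this thread arrives at, as an added example that is not part of the original messages: the script checks that a user has a well-formed user:start:count entry in both files and that newuidmap and newgidmap carry the setuid bit. Going slightly beyond the thread, it also flags overlapping ranges; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are parameters so the checks
# can be pointed at copies; function names are hypothetical.

# Print "start count" of the first well-formed entry for user $1 in file $2.
subid_range() {
    [ -r "$2" ] || return 1
    awk -F: -v u="$1" '
        $1 == u && NF == 3 && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $3 > 0 {
            print $2, $3; found = 1; exit
        }
        END { exit !found }' "$2"
}

# Print each pair of owners in file $1 whose host ID ranges overlap;
# with overlapping ranges, containers of both owners share host IDs.
subid_overlaps() {
    awk -F: 'NF == 3 { n++; who[n] = $1; lo[n] = $2 + 0; hi[n] = $2 + $3 - 1 }
        END { for (i = 1; i <= n; i++) for (j = i + 1; j <= n; j++)
                if (lo[i] <= hi[j] && lo[j] <= hi[i]) print who[i], who[j] }' "$1"
}

# True if $1 is an executable regular file with the setuid bit set.
has_setuid() { [ -f "$1" ] && [ -x "$1" ] && [ -u "$1" ]; }

# Report on user $1; the return status is the number of failed checks.
# Optional args 2-5 override the subuid, subgid, newuidmap, newgidmap paths.
check_idmap() {
    user=$1 bad=0
    for f in "${2:-/etc/subuid}" "${3:-/etc/subgid}"; do
        if r=$(subid_range "$user" "$f"); then
            echo "ok:   $f gives $user the range (start count) $r"
        else
            echo "FAIL: $f has no valid $user:start:count entry"; bad=$((bad + 1))
        fi
        o=$(subid_overlaps "$f" 2>/dev/null) || o=
        [ -z "$o" ] || echo "WARN: overlapping ranges in $f:" $o
    done
    for b in "${4:-/usr/bin/newuidmap}" "${5:-/usr/bin/newgidmap}"; do
        if has_setuid "$b"; then echo "ok:   $b has the setuid bit"
        else echo "FAIL: $b is missing or lacks the setuid bit"; bad=$((bad + 1)); fi
    done
    return "$bad"
}

# Run as: sh check_idmap.sh root
if [ "$#" -gt 0 ]; then check_idmap "$@"; fi
```

Some distributions grant newuidmap and newgidmap file capabilities instead of the setuid bit; this script checks only the setuid case the thread describes.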