[PVE-User] UIDs > 65535 not valid in container
Daniel Berteaud
daniel at firewall-services.com
Thu Mar 12 18:10:46 CET 2020
----- Le 12 Mar 20, à 16:35, Frank Thommen f.thommen at dkfz-heidelberg.de a écrit :
> Dear all,
>
> we have a strange issue with a CentOS 7 container running on PVE 6.1-3,
> that UIDs > 65535 are invalid. The container is used as a "SSH
> jumphost" to access a special network: Users log in to the host and SSH
> to the special network from there. sssd is running in the container. The
> directory service is an Active Directory.
>
> However users with UID > 65535 cannot login:
>
> /var/log/secure:
> [...]
> Mar 12 13:48:32 XXXXXX sshd[1021]: fatal: seteuid 86544: Invalid argument
> [...]
>
>
> and chown isn't possible either:
>
> $ chown 65535 /home/test
> $ chown 65536 /home/test
> chown: changing ownership of ‘/home/test’: Invalid argument
> $
>
>
> There are no problems with such UIDs on any other systems and there is
> no problem with users with an UID <= 65535 within the container. I fear
> this might be a container-related issue but I don't understand it and I
> don't know if there is a solution or a workaround.
>
> Any help or hint is highly appreciated
You can work with higher UID in LXC with this :
* Edit /etc/subuid and change the range. Eg
root:100000:4000390000
* Do the same for /etc/subgid
* Edit your container config (/etc/pve/lxc/XXX.conf) and add
lxc.idmap: u 0 100000 2000200000
lxc.idmap: g 0 100000 2000200000
That's the values I'm using for some AD members containers. Note however that native PVE restore code might refuse to work with those UID (I recall the 65535 max UID hardcoded somewhere in the restore path, but can't remember exactly where)
++
--
[ https://www.firewall-services.com/ ]
Daniel Berteaud
FIREWALL-SERVICES SAS, La sécurité des réseaux
Société de Services en Logiciels Libres
Tél : +33.5 56 64 15 32
Matrix: @dani:fws.fr
[ https://www.firewall-services.com/ | https://www.firewall-services.com ]
More information about the pve-user
mailing list