[PVE-User] UIDs > 65535 not valid in container
Frank Thommen
f.thommen at dkfz-heidelberg.de
Thu Mar 12 19:55:25 CET 2020
On 3/12/20 6:10 PM, Daniel Berteaud wrote:
>
>
> ----- On 12 Mar 20, at 16:35, Frank Thommen f.thommen at dkfz-heidelberg.de wrote:
>
>> Dear all,
>>
>> we have a strange issue with a CentOS 7 container running on PVE 6.1-3:
>> UIDs > 65535 are invalid. The container is used as a "SSH
>> jumphost" to access a special network: Users log in to the host and SSH
>> to the special network from there. sssd is running in the container. The
>> directory service is an Active Directory.
>>
>> However users with UID > 65535 cannot login:
>>
>> /var/log/secure:
>> [...]
>> Mar 12 13:48:32 XXXXXX sshd[1021]: fatal: seteuid 86544: Invalid argument
>> [...]
>>
>>
>> and chown isn't possible either:
>>
>> $ chown 65535 /home/test
>> $ chown 65536 /home/test
>> chown: changing ownership of ‘/home/test’: Invalid argument
>> $
>>
>>
>> There are no problems with such UIDs on any other systems and there is
>> no problem with users with a UID <= 65535 within the container. I fear
>> this might be a container-related issue but I don't understand it and I
>> don't know if there is a solution or a workaround.
>>
>> Any help or hint is highly appreciated
>
> You can work with higher UIDs in LXC like this:
>
> * Edit /etc/subuid and change the range. Eg
>
> root:100000:4000390000
>
> * Do the same for /etc/subgid
> * Edit your container config (/etc/pve/lxc/XXX.conf) and add
>
> lxc.idmap: u 0 100000 2000200000
> lxc.idmap: g 0 100000 2000200000
>
> Those are the values I'm using for some AD member containers. Note however that the native PVE restore code might refuse to work with those UIDs (I recall the 65535 max UID being hardcoded somewhere in the restore path, but can't remember exactly where)
Unfortunately that doesn't work. The container will not start any more
with the following messages in the debug log (shortened):
------------------------------------------------
[...]
lxc-start 101 20200312185335.631 INFO conf -
conf.c:run_script_argv:372 - Executing script
"/usr/share/lxc/hooks/lxc-pve-prestart-hook" for container "101", config
section "lxc"
lxc-start 101 20200312185336.964 DEBUG conf - conf.c:run_buffer:340 -
Script exec /usr/share/lxc/hooks/lxc-pve-prestart-hook 101 lxc pre-start
produced output: unable to detect OS distribution
lxc-start: 101: conf.c: run_buffer: 352 Script exited with status 2
lxc-start: 101: start.c: lxc_init: 897 Failed to run lxc.hook.pre-start
for container "101"
lxc-start: 101: start.c: __lxc_start: 2032 Failed to initialize
container "101"
Segmentation fault
------------------------------------------------
Frank
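The two configurations discussed in this thread (the 65536-wide mapping an unprivileged container normally gets, and Daniel's widened subuid/subgid plus lxc.idmap) can be checked before touching a running container. The following is an added example, not code from the thread or from Proxmox: it parses /etc/subuid-style allocations and lxc.idmap lines, verifies that every idmap range lies inside root's allocation and below the largest usable 32-bit id, and resolves a container UID to its host UID. A container UID that resolves to nothing is exactly the case behind "seteuid 86544: Invalid argument" and the chown EINVAL above. All file contents in the block are constructed samples, and the hypothetical 'before' config assumes the 65536-wide default.

```python
"""Check LXC user-namespace id mappings against /etc/subuid and /etc/subgid.

Added example; every file fragment below is a constructed sample, not data
taken from the mailing-list thread.
"""
import re

# (uid_t)-1 == 4294967295 is the kernel's reserved "invalid" id, so the
# highest host id that can actually be the target of a mapping is one below it.
ID_MAX = 2**32 - 2

# Constructed sample: the default allocation and mapping of an unprivileged container.
DEFAULT_SUBID = "root:100000:65536\n"
DEFAULT_CONF = """arch: amd64
ostype: centos
unprivileged: 1
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 65536
"""

# Constructed sample: the widened ranges suggested in the thread.
WIDE_SUBID = "root:100000:4000390000\n"
WIDE_CONF = """arch: amd64
ostype: centos
unprivileged: 1
lxc.idmap: u 0 100000 2000200000
lxc.idmap: g 0 100000 2000200000
"""


def parse_subid(text):
    """Parse 'name:start:count' lines into {name: [(start, count), ...]}."""
    ranges = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        ranges.setdefault(name, []).append((int(start), int(count)))
    return ranges


def parse_idmap(conf_text):
    """Extract lxc.idmap entries as (kind, ct_start, host_start, count)."""
    pattern = re.compile(r"\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    maps = []
    for line in conf_text.splitlines():
        m = pattern.match(line)
        if m:
            kind, ct, host, count = m.groups()
            maps.append((kind, int(ct), int(host), int(count)))
    return maps


def check_idmap(maps, subuid, subgid, owner="root"):
    """Return a list of problems; an empty list means every mapping is permitted.

    A mapping is permitted only if its whole host range sits inside one of the
    owner's sub{u,g}id allocations and never exceeds ID_MAX.
    """
    problems = []
    for kind, ct, host, count in maps:
        entry = f"{kind} {ct} {host} {count}"
        if count <= 0:
            problems.append(f"{entry}: count must be positive")
            continue
        last = host + count - 1
        if last > ID_MAX:
            problems.append(f"{entry}: host range ends at {last}, above {ID_MAX}")
        allocations = (subuid if kind == "u" else subgid).get(owner, [])
        if not any(host >= s and last < s + c for s, c in allocations):
            problems.append(
                f"{entry}: host range {host}-{last} is not inside {owner}'s sub{kind}id allocation"
            )
    return problems


def host_id(maps, kind, ct_id):
    """Map a container uid ('u') or gid ('g') to the host id.

    Returns None when the id falls outside every range; that is the case in
    which seteuid()/setgid()/chown() inside the container fail with EINVAL.
    """
    for k, ct, host, count in maps:
        if k == kind and ct <= ct_id < ct + count:
            return host + (ct_id - ct)
    return None


if __name__ == "__main__":
    for label, conf, subid in (("default", DEFAULT_CONF, DEFAULT_SUBID),
                               ("widened", WIDE_CONF, WIDE_SUBID)):
        maps = parse_idmap(conf)
        alloc = parse_subid(subid)
        print(f"[{label}] problems: {check_idmap(maps, alloc, alloc) or 'none'}")
        for uid in (65535, 65536, 86544):
            print(f"[{label}] container uid {uid} -> host uid {host_id(maps, 'u', uid)}")
```

Running the block shows why the thread's symptoms stop exactly at 65535: under the default mapping, 65535 resolves to host 165535 while 65536 and 86544 resolve to nothing. It also shows that the widened lxc.idmap is only valid once /etc/subuid and /etc/subgid have been widened to match; with the default 65536-id allocation the same idmap lines are rejected for both the u and the g range.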
More information about the pve-user mailing list