Strange behavior of idmapping for unprivileged isolated containers
I discovered two strange behaviors of Incus when setting subgid/subuid files and creating isolated containers.
1) First: when using Incus 6.0.1 from Debian Bookworm backports or Incus 6.0.2 from Debian Trixie (it also happened when I tried self-compiling). Clean install, all settings default. In this case Incus needs one more ID than necessary.
Example and how to replicate:
We want to create 2 isolated containers and set subgid/subuid to the minimum range needed.
By default Incus starts isolated containers at position 65536 and uses a range of 65536 for each. That means 3*65536 = 196608 should be enough.
We set subgid/subuid:
root:1000000:196608
This should allow us to use host IDs 1 000 000 ........ 1 196 607.
Incus should then map IDs of isolated containers like this:
- container 0 ............... 1 065 536 65 535 .... 1 131 071
- container 1 ............... 1 131 072 65 535 .... 1 196 607
But this doesn't work, and Incus complains that for the 2nd container there is not enough gid/uid available.
Error: Failed instance creation: Failed creating instance record: Failed initializing instance: Not enough uid/gid available for the container
This error comes from here: https://github.com/lxc/incus/blob/dc287b62d8b33bfd573ff60c9db02a7d5aea7754/internal/server/instance/drivers/driver_lxc.go#L631
To get around this you need to set the subgid/subuid range one ID larger:
root:1000000:196609
Seems like maybe a small bug.
2) Second: when using Incus 6.0.2 or the Incus daily build from the Zabbly repo on Debian Bookworm. Clean install, all settings default. This one is much simpler: in this case Incus never complains about uid/gid, even if I set a small range and use more isolated containers than should be possible.
Example and how to replicate:
We set subgid/subuid:
root:1000000:80000
This shouldn't be enough even for one isolated container.
If you try creating any number of isolated containers, it works even when it shouldn't.
When checking /run/incus/container/lxc.conf you can see the isolated containers mapped out of range.
When trying a non-isolated container, its range is set to 1 000 000 000.
So it looks like Incus doesn't see the subgid/subuid setting and uses its default ranges as described here: https://linuxcontainers.org/incus/docs/main/userns-idmap/
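As an added check for the two behaviours above (this is example code written for this thread, not part of the post or of Incus): a small Python script that parses root's subuid/subgid entries and a container's lxc.idmap lines from its lxc.conf, reports every mapping that falls outside root's allowance (the second behaviour), and computes the minimum subuid/subgid count for N isolated containers under the default layout the post describes (one 65536 block before the isolated ones, then one block each, the arithmetic behind 3*65536 in the first behaviour). The subuid/subgid and lxc.conf contents embedded below are constructed to mirror the post's second example; `check_idmap`, `covered` and `min_subid_count` are names chosen here.

```python
#!/usr/bin/env python3
"""Check a container's lxc.idmap lines against root's /etc/subuid and /etc/subgid.

Added example for the discussion above; this is not Incus code. The sample
subuid/subgid and lxc.conf contents below are constructed to mirror the post:
a root:1000000:80000 allowance and an isolated container mapped at 1065536.
"""
import re
from typing import List, Tuple

# Per-container block size in the default Incus layout (see the userns-idmap docs).
ID_BLOCK = 65536

# Constructed inputs (not copied from a real host).
SAMPLE_SUBUID = "root:1000000:80000\n"
SAMPLE_SUBGID = "root:1000000:80000\n"
SAMPLE_LXC_CONF = """\
lxc.idmap = u 0 1065536 65536
lxc.idmap = g 0 1065536 65536
"""

IDMAP_RE = re.compile(r"^\s*lxc\.idmap\s*=\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_subid(text: str, user: str = "root") -> List[Tuple[int, int]]:
    """Return (start, count) ranges for `user` from subuid/subgid file contents."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def parse_idmap(lxc_conf: str) -> List[Tuple[str, int, int, int]]:
    """Return (kind, container_start, host_start, count) for each lxc.idmap line."""
    maps = []
    for line in lxc_conf.splitlines():
        m = IDMAP_RE.match(line)
        if m:
            kind, cstart, hstart, count = m.groups()
            maps.append((kind, int(cstart), int(hstart), int(count)))
    return maps


def covered(host_start: int, count: int, ranges: List[Tuple[int, int]]) -> bool:
    """True if [host_start, host_start + count) lies entirely inside one allowed range."""
    last = host_start + count - 1
    return any(start <= host_start and last <= start + cnt - 1 for start, cnt in ranges)


def check_idmap(lxc_conf: str, subuid: str, subgid: str) -> List[str]:
    """List every lxc.idmap entry whose host IDs fall outside root's subuid/subgid allowance."""
    allowance = {"u": parse_subid(subuid), "g": parse_subid(subgid)}
    problems = []
    for kind, cstart, hstart, count in parse_idmap(lxc_conf):
        if not covered(hstart, count, allowance[kind]):
            problems.append(
                f"{kind} {cstart} {hstart} {count}: host IDs {hstart}-{hstart + count - 1} "
                f"are outside root's sub{'uid' if kind == 'u' else 'gid'} ranges {allowance[kind]}"
            )
    return problems


def min_subid_count(isolated_containers: int, block: int = ID_BLOCK) -> int:
    """Smallest subuid/subgid count for N isolated containers under the default layout:
    one block before the isolated containers start plus one block per isolated container."""
    return block * (1 + isolated_containers)


if __name__ == "__main__":
    for n in (1, 2):
        print(f"{n} isolated container(s): subuid/subgid count should be {min_subid_count(n)}")
    for p in check_idmap(SAMPLE_LXC_CONF, SAMPLE_SUBUID, SAMPLE_SUBGID):
        print("out of range:", p)
```

To use it on a real host, replace the sample strings with the contents of /etc/subuid, /etc/subgid and the container's lxc.conf under /run/incus; a non-empty result from `check_idmap` is the out-of-range mapping the post describes, while `min_subid_count(2)` gives the 196608 that the first behaviour rejects by one.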