Incus does not respect /etc/sub*id #289127

Closed
FlyingWombat opened this issue Feb 15, 2024 · 6 comments
Labels
0.kind: bug Something is broken

@FlyingWombat
Contributor

FlyingWombat commented Feb 15, 2024

Describe the bug

Incus does not respect subuid/subgid mappings set in /etc/sub*id.

Steps To Reproduce

Steps to reproduce the behavior:

  1. If you already have incus installed, run sudo mv /var/lib/incus /var/lib/incus.bk
  2. nixos config

         users.users.root.subGidRanges = lib.mkForce [
           { count = 65536; startGid = 2000000; }
         ];
         users.users.root.subUidRanges = lib.mkForce [
           { count = 65536; startUid = 2000000; }
         ];
         virtualisation.incus.enable = true;
         virtualisation.lxc.defaultConfig = ''
           lxc.idmap = u 0 2000000 65536
           lxc.idmap = g 0 2000000 65536
         '';

  3. check that /etc/sub*id is set correctly with cat /etc/sub{gid,uid}
  4. run sudo incus admin init --minimal
  5. run sudo incus launch images:archlinux/current/amd64 test
  6. run sudo incus config show test

         volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'

Notice how Hostid and Maprange are wrong.

Expected behavior

volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":2000000,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":2000000,"Nsid":0,"Maprange":65536}]'

Additional context

My incus installation in Archlinux generates idmap correctly.
If the same is done with LXD, the idmap is generated correctly.

Incus docs /userns-idmap.md:40

If none of those files can be found, then Incus will assume a 1000000000
UID/GID range starting at a base UID/GID of 1000000.

BTW, the docs for users.users.<name>.autoSubUidGidRange are misleading. They say "Default: false". This should read "Default: config.isNormalUser && config.subUidRanges == [] && config.subGidRanges == []"

Notify maintainers

@aanderse
@adamcstephens
@jnsgruk
@megheaiulian
@mkg20001

Metadata

  • system: "x86_64-linux"
  • host os: Linux 6.7.4, NixOS, 24.05 (Uakari), 24.05.20240212.aff1ac0
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.18.1
  • channels(root): "nixos"
  • nixpkgs: /run/current-system/nixpkgs commit d934204

@FlyingWombat FlyingWombat added the 0.kind: bug Something is broken label Feb 15, 2024
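
A check for the mismatch reported above, as an added example that is not part of the original issue or of Incus: it parses /etc/subuid and /etc/subgid text and flags every entry of volatile.idmap.current that does not sit inside a range delegated to root. The function names are hypothetical, the sample data is built from the values in the report, and matching root by name or by UID 0 is an assumption.

```python
import json

# Fallback from the Incus docs quoted in the issue: base 1000000, range 1000000000.
FALLBACK = (1000000, 1000000000)

def parse_subid(text, owners=("root", "0")):
    """Return [(start, count), ...] delegated to `owners` in /etc/subuid or /etc/subgid text."""
    ranges = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3 or fields[0] not in owners:
            continue  # blank line, comment, malformed entry, or another user
        try:
            ranges.append((int(fields[1]), int(fields[2])))
        except ValueError:
            continue  # non-numeric start or count
    return ranges

def audit_idmap(idmap_json, subuid_text, subgid_text):
    """Return findings for volatile.idmap.current; an empty list means all entries are delegated."""
    allowed = {"Isuid": parse_subid(subuid_text), "Isgid": parse_subid(subgid_text)}
    findings = []
    for entry in json.loads(idmap_json):
        host, size = entry["Hostid"], entry["Maprange"]
        for flag, ranges in allowed.items():
            if not entry[flag]:
                continue
            if any(start <= host and host + size <= start + count for start, count in ranges):
                continue  # fully inside a delegated range
            reason = ("documented fallback, sub*id not applied"
                      if (host, size) == FALLBACK else "outside delegated ranges")
            findings.append(f"{flag[2:]} map {host}+{size}: {reason}")
    return findings

# Sample data built from the values in the issue report above.
SUBID = "root:2000000:65536\n"
OBSERVED = ('[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},'
            '{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]')
EXPECTED = ('[{"Isuid":true,"Isgid":false,"Hostid":2000000,"Nsid":0,"Maprange":65536},'
            '{"Isuid":false,"Isgid":true,"Hostid":2000000,"Nsid":0,"Maprange":65536}]')

if __name__ == "__main__":
    for name, idmap in (("observed", OBSERVED), ("expected", EXPECTED)):
        print(name, audit_idmap(idmap, SUBID, SUBID) or "ok")
```

On a host, pass the contents of /etc/subuid and /etc/subgid and the instance's volatile.idmap.current value instead of the sample strings.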
@adamcstephens
Contributor

I wonder if this is related to lxc/incus#575. I haven't had a chance to troubleshoot myself, but would like to get it resolved.

@adamcstephens
Contributor

I noticed errors around newuidmap missing, which could be related to this issue. Added in #307218

@adamcstephens
Contributor

Well, I can confirm #307218 does in fact improve Incus's handling of the id ranges, since it caused my containers to fail to start as I was missing a range I had manually added to instances.

@adamcstephens
Contributor

@FlyingWombat if you're able to confirm it fixes your described issue, I'd appreciate it.

@FlyingWombat
Contributor Author

@adamcstephens With the changes in the linked pull request, Incus seems to be working as expected.

@adamcstephens
Contributor

Thank you for testing!
