Incus fails on creating unprivileged containers #575

Closed
2 tasks done
curable-online opened this issue Mar 3, 2024 · 2 comments · Fixed by #634

@curable-online

curable-online commented Mar 3, 2024

Required information

  • Distribution: Arch
  • Distribution version: Current
  • The output of incus info: Attached:
    incus-info.txt

Issue description

The /etc/subuid and /etc/subgid file format supports both the "login name" and the "UID" of a user as the value of the first field. For example:

0:1000000:1000000000
user:1001000000:1000000000

And according to subuid(5) and subgid(5) manpages, using the UID format instead of login name format is recommended:

When large number of entries (10000-100000 or more) are defined in /etc/subuid, parsing performance penalty will become noticeable. In this case it is recommended to use UIDs instead of login names. Benchmarks have shown speed-ups up to 20x.

However, incus fails to create unprivileged containers if subuid/subgid files use the UID-only format.

Steps to reproduce

  1. echo "0:1000000:1000000000" | sudo tee /etc/subuid /etc/subgid
  2. sudo systemctl restart incus.socket
    The following error is written to the daemon's log, probably in this step:
    level=error msg="Unable to parse system idmap" err="No map found for user"
  3. sudo incus create images:alpine/3.19 test
    Fails with the following error:
    Error: Failed instance creation: Failed creating instance record: Failed initialising instance: Invalid config: No uid/gid allocation configured. In this mode, only privileged containers are supported

Note that step 3 succeeds if you replace 0 with root in step 1.

Information to attach

  • Output of sudo incus create images:alpine/3.19 test with --debug flag:
    test.txt
  • Main daemon log (at /var/log/incus/incusd.log):
    log.txt
@stgraber stgraber added Bug Confirmed to be a bug Easy Good for new contributors labels Mar 3, 2024
@stgraber stgraber added this to the incus-0.7 milestone Mar 3, 2024
@stgraber stgraber self-assigned this Mar 20, 2024
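
The owner-field matching that the report above describes, as an added Go example that is not Incus code and not part of the original thread: the lookup accepts either a login name or a numeric ID in the first field. `SubRange` and `RangesFor` are hypothetical names, and the sample input is constructed from the two lines quoted in the report.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// SubRange is one allocation from /etc/subuid or /etc/subgid.
type SubRange struct{ Start, Count int64 }

// RangesFor returns the ranges in content owned by the account with the
// given login name or numeric ID (hypothetical helper, not Incus's parser).
func RangesFor(content, name string, id int64) ([]SubRange, error) {
	var out []SubRange
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 3 {
			return nil, fmt.Errorf("line %d: want owner:start:count", n)
		}
		// Match the owner by login name first, then by numeric ID.
		if f[0] != name {
			owner, err := strconv.ParseInt(f[0], 10, 64)
			if err != nil || owner != id {
				continue
			}
		}
		start, err1 := strconv.ParseInt(f[1], 10, 64)
		count, err2 := strconv.ParseInt(f[2], 10, 64)
		if err1 != nil || err2 != nil || start < 0 || count <= 0 {
			return nil, fmt.Errorf("line %d: bad range %q", n, line)
		}
		out = append(out, SubRange{Start: start, Count: count})
	}
	return out, sc.Err()
}

func main() {
	// Constructed sample: the two example lines quoted in the report.
	sample := "0:1000000:1000000000\nuser:1001000000:1000000000\n"
	fmt.Println(RangesFor(sample, "root", 0))
}
```

An empty result with a nil error means the account has no allocation in the file, which is the condition behind the "No uid/gid allocation configured" error in the report.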
@h3xitsec

I have the same issue on Garuda Linux (Arch based), but the /etc/subuid and /etc/subgid files on my host are using the login name format and incus still fails to create unprivileged containers.

File: /etc/subgid
user:100000:65536

File: /etc/subgid
user:100000:65536
Launching kalict
Error: Failed creating instance record: Failed initialising instance: Invalid config: No uid/gid allocation configured. In this mode, only privileged containers are supported

@UcefBenabida

After switching from LXD to Incus on my Debian 12 system, I encountered the same error. Despite installing Incus, the issue persisted. Eventually, I resolved it by removing the LXD user configurations from /etc/subuid and /etc/subgid. To do so, I retained only the essential line in both files, assuming no additional configurations are present:

root:1000000:1000000000
