
newuidmap: write to uid_map failed: Operation not permitted #1454

Closed
lpvm opened this issue Mar 7, 2017 · 37 comments

@lpvm

lpvm commented Mar 7, 2017

When trying to create the fifth container I get this error:

 ~> lxc-create -t download -n m1
newuidmap: write to uid_map failed: Operation not permitted
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: do_create_container_dir: 985 Failed to chown container dir
lxc-create: tools/lxc_create.c: main: 318 Error creating container m1

There was no change in the lxc containers directory:


# ls -ld lxc_containers/
drwxr-xr-x 7 lxc root 4096 mar  6 16:36 lxc_containers/

 # ll -d */
drwxrwx--- 3 100000 lxc 4096 mar  3 19:19 hino/
drwxrwx--- 2 lxc    lxc 4096 mar  6 16:36 m1/
drwxrwx--- 3 100000 lxc 4096 mar  1 15:52 mld/
drwxrwx--- 4 100000 lxc 4096 mar  3 16:08 text/
drwxrwx--- 3 100000 lxc 4096 mar  3 16:08 znc/


# ls -ld lxc_containers/*/
drwxrwx--- 3 **100000** lxc 4096 mar  3 19:19 lxc_containers/hino/
drwxrwx--- 2 **lxc**    lxc 4096 mar  6 16:36 lxc_containers/m1/
drwxrwx--- 3 **100000** lxc 4096 mar  1 15:52 lxc_containers/mld/
drwxrwx--- 4 **100000** lxc 4096 mar  3 16:08 lxc_containers/text/
drwxrwx--- 3 **100000** lxc 4096 mar  3 16:08 lxc_containers/znc/

As can be seen, for the old containers, owner is user 100000, but for m1 new container it's lxc, although lxc mapping begins at 100000.

 # grep lxc /etc/subuid
**lxc**:**100000**:65536

 # grep lxc /etc/subgid
lxc:100000:65536

What should I do?

@stgraber
Member

stgraber commented Mar 7, 2017

What's in ~/.config/lxc/default.conf?

@brauner
Member

brauner commented Mar 7, 2017

What is striking is that this occurred after 5 container creations. Afaik, there is an arbitrary limit on the number of lines in the {uid,gid}_map files; it's 5. Another option is that we somehow don't write at the beginning of the file which also causes EINVAL.

@stgraber
Member

stgraber commented Mar 7, 2017

@brauner he's using a single map for all containers though so that doesn't matter.

@brauner
Member

brauner commented Mar 7, 2017

Right, the second option is ruled out (sort of) by the fact that newuidmap is used and not our own custom function.

@lpvm
Author

lpvm commented Mar 7, 2017

As requested:

 ~> grep -v '^#' .config/lxc/default.conf | grep -v '^$'
lxc.arch = x86_64
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:16:3e:xx:xx:xx
lxc.network.ipv4 = 192.168.3.0/24
lxc.network.ipv4.gateway = 192.168.3.254
lxc.mount.auto = cgroup
lxc.cgroup.cpuset.cpus = 5,6,7
lxc.id_map = u 0 100000 65536
lxc.id_map = g 0 100000 65536
lxc.start.auto = 1

Tried to destroy one container to "make room" for the creation of another, but also got an error:

~> lxc-destroy -n znc
newuidmap: write to uid_map failed: Operation not permitted
lxc-destroy: conf.c: userns_exec_1: 4453 Error setting up child mappings
lxc-destroy: lxccontainer.c: container_destroy: 2395 Error destroying rootfs for znc
Destroying znc failed

The contents of /etc/subuid:

~> cat /etc/subuid
lxc:100000:65536
mpd:165536:65536
ircuser:231072:65536
mysql:296608:65536
mlocate:362144:65536
toxbootstrapd:427680:65536

Modified /etc/subuid to

 # cat subuid
lxc:100000:65536

Did something similar to /etc/subgid, but the problem hasn't gone away.

Some more info:

# find /sys/fs/cgroup -maxdepth 2 -name lxc -type d
/sys/fs/cgroup/freezer/lxc
/sys/fs/cgroup/memory/lxc

@hallyn
Member

hallyn commented Mar 7, 2017

Does lxc-start of the existing containers work fine?

Is there anything interesting in syslog?

Exactly which version of lxc is this? And has your uidmap package recently updated? Your kernel?

Does 'lxc-usernsexec' still work for you?

@lpvm
Author

lpvm commented Mar 7, 2017

I was using 4.10.1_1 when this error occurred and restarted with 4.9.13_1. I'm not sure if containers were working with the former version, but they were working with the latter. Not anymore. It's not possible to lxc-start any of them.
The log of one of the attempts. It shows another ERROR:

 lxc-start 20170307144515.184 ERROR    lxc_conf - conf.c:ttys_shift_ids:3613 - Failed to chown /dev/pts/4
      lxc-start 20170307144515.184 ERROR    lxc_start - start.c:lxc_init:471 - Failed to shift tty into container.
      lxc-start 20170307144515.184 ERROR    lxc_start - start.c:__lxc_start:1302 - Failed to initialize container "znc".
      lxc-start 20170307144520.190 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170307144520.190 ERROR    lxc_start_ui - tools/lxc_start.c:main:368 - To get more details, run the container in foreground mode.
      lxc-start 20170307144520.190 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

Didn't find anything relevant in syslog/messages/dmesg...

Regarding lxc packages, I have these installed:

# xbps-query -l  | grep lxc
ii liblxc-2.0.7_1                         Linux Containers - shared library
ii lxc-2.0.7_1                            Linux Containers - utilities
ii lxcfs-2.0.6_1                          LXC simple userspace filesystem

All these packages were updated on January 24th, and containers were running two days ago.

libuuid-2.24.2_3 was updated on February 27th. The workstation was rebooted afterwards, so I'd exclude this factor as well.

In /etc/sudoers, there's
lxc ALL=(ALL) /usr/bin/cgm, /usr/bin/mkdir, /usr/bin/chown
It was working before with this line.

~> lxc-usernsexec 
newuidmap: write to uid_map failed: Operation not permitted
error mapping child
setgid: Invalid argument

@lpvm
Author

lpvm commented Mar 8, 2017

Some more info.

$ cgm movepid all $USER $$
gives an error:
call to cgmanager_move_pid_main_sync failed: invalid request

~> lxc-start -n znc -F -l trace -o debug.out

The contents of debug.out

  lxc-start 20170308153554.376 INFO     lxc_start_ui - tools/lxc_start.c:main:275 - using rcfile /lxc_containers/znc/config
      lxc-start 20170308153554.376 WARN     lxc_confile - confile.c:config_pivotdir:1910 - lxc.pivotdir is ignored.  It will soon become an error.
      lxc-start 20170308153554.376 INFO     lxc_confile - confile.c:config_idmap:1531 - read uid map: type u nsid 0 hostid 100000 range 65536
      lxc-start 20170308153554.376 INFO     lxc_confile - confile.c:config_idmap:1531 - read uid map: type g nsid 0 hostid 100000 range 65536
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .reject_force_umount  # comment this to allow umount -f;  not recommended.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for reject_force_umount action 0.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for reject_force_umount action 0.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:do_resolve_add_rule:251 - Setting Seccomp rule to reject force umounts.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .[all].
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .kexec_load errno 1.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for kexec_load action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for kexec_load action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .open_by_handle_at errno 1.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for open_by_handle_at action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for open_by_handle_at action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .init_module errno 1.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for init_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for init_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .finit_module errno 1.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for finit_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for finit_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:402 - processing: .delete_module errno 1.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:567 - Adding native rule for delete_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:570 - Adding compat rule for delete_module action 327681.
      lxc-start 20170308153554.377 INFO     lxc_seccomp - seccomp.c:parse_config_v2:580 - Merging in the compat Seccomp ctx into the main one.
      lxc-start 20170308153554.377 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20170308153554.377 DEBUG    lxc_start - start.c:setup_signal_fd:273 - Set SIGCHLD handler with file descriptor: 5.
      lxc-start 20170308153554.377 DEBUG    console - console.c:lxc_console_peer_default:430 - opening /dev/tty for console peer
      lxc-start 20170308153554.377 DEBUG    console - console.c:lxc_console_peer_default:436 - using '/dev/tty' as console
      lxc-start 20170308153554.377 DEBUG    console - console.c:lxc_console_sigwinch_init:144 - 12896 got SIGWINCH fd 9
      lxc-start 20170308153554.377 DEBUG    console - console.c:lxc_console_winsz:71 - set winsz dstfd:6 cols:100 rows:40
      lxc-start 20170308153554.396 ERROR    lxc_conf - conf.c:ttys_shift_ids:3613 - Failed to chown /dev/pts/4
      lxc-start 20170308153554.396 ERROR    lxc_start - start.c:lxc_init:471 - Failed to shift tty into container.
      lxc-start 20170308153554.396 WARN     lxc_monitor - monitor.c:lxc_monitor_fifo_send:111 - Failed to open fifo to send message: No such file or directory.
      lxc-start 20170308153554.396 ERROR    lxc_start - start.c:__lxc_start:1302 - Failed to initialize container "znc".
      lxc-start 20170308153554.396 ERROR    lxc_start_ui - tools/lxc_start.c:main:366 - The container failed to start.
      lxc-start 20170308153554.396 ERROR    lxc_start_ui - tools/lxc_start.c:main:370 - Additional information can be obtained by setting the --logfile and --logpriority options.

@lpvm
Author

lpvm commented Mar 13, 2017

Just to understand this a bit more, the problem is that the software fails to change the owner of the newly created directory from lxc to subuid 100000?

So, I'll get no other help on this?

I've worked with FreeBSD's jails before (and still now) and never had a glitch. Looks like lxc containers need some polishing.

@brauner
Member

brauner commented Mar 13, 2017

Can you please run strace on lxc-usernsexec as root but with the -u option set to your user (so that setuid works correctly with newuidmap under strace)? So:

sudo bash -i
strace -o strace.out -f -u "${USER}" lxc-usernsexec

and attach or copy the contents of strace.out.

@lpvm
Author

lpvm commented Mar 13, 2017

Hi brauner, thanks for the help. By "your user" do you mean my lxc user? If so these were the steps:

$ ssh lxc@localhost
$ sudo bash -i
# echo ${USER}
root
# strace -o strace.out -f -u "${USER}" lxc-usernsexec
setgid: Invalid argument

Also tried it starting from an ordinary user (myself) and the output is the same.

@brauner
Member

brauner commented Mar 13, 2017

Yeah, I meant your user on the host you're trying to start containers with. Hm, I'm getting suspicious. Can you show the output of sudo unshare -U, please?

@lpvm
Author

lpvm commented Mar 13, 2017

It outputs nothing, just modifies the prompt.

$ sudo unshare -U
$ 

@brauner
Member

brauner commented Mar 13, 2017

That should mean it works: id -u should show you an invalid uid like 65534.

@brauner
Member

brauner commented Mar 13, 2017

What system are you on (distro, kernel version etc.)?

@hallyn
Member

hallyn commented Mar 13, 2017

Please show the contents of /etc/subuid and /etc/subgid.

The fact that 'lxc-usernsexec' fails on setgid is odd.

@hallyn
Member

hallyn commented Mar 13, 2017

Also what does /proc/self/setgroups show?

@brauner
Member

brauner commented Mar 13, 2017

Also, what are the permissions on newuidmap?

@lpvm
Author

lpvm commented Mar 13, 2017

$ id -u   
65534

Distro: Void Linux

$ uname -a
kernel: Linux leao 4.10.2_1 #1 SMP PREEMPT Sun Mar 12 15:26:34 UTC 2017 x86_64 GNU/Linux

$ cat /etc/subuid
lxc:100000:65536
mpd:165536:65536
ircuser:231072:65536
mysql:296608:65536
mlocate:362144:65536
toxbootstrapd:427680:65536

$ cat /etc/subgid
lxc:100000:65536
mpd:165536:65536
ircuser:231072:65536
mysql:296608:65536
mlocate:362144:65536
toxbootstrapd:427680:65536

$ cat /proc/self/setgroups 
allow

$ ls -l /usr/bin/newuidmap 
-rwxr-xr-x 1 root root 33096 fev 26 18:54 /usr/bin/newuidmap

@brauner
Member

brauner commented Mar 13, 2017

newuidmap is not setuid; that would explain the failures you're seeing. Which version of shadow are you using? I've seen an issue with shadow 4.4 before. (@hallyn)

@lpvm
Author

lpvm commented Mar 13, 2017

I'm using shadow-4.4_1.
It was updated from 4.2.1 on March 4th, so it explains why lxc containers were running before and not anymore...

@brauner
Member

brauner commented Mar 13, 2017

@lpvm, can you try setting chmod 4755 /usr/bin/newuidmap and try again?

@lpvm
Author

lpvm commented Mar 13, 2017

Doesn't work yet.

 # ls -l /usr/bin/newuidmap 
-rwsr-xr-x 1 root root 33096 fev 26 18:54 /usr/bin/newuidmap

Exited the shell, ssh again, cgm movepid ..., but:

~> lxc-create -t download -n m3
newgidmap: write to gid_map failed: Operation not permitted
error mapping child
setgid: Invalid argument
lxc-create: lxccontainer.c: do_create_container_dir: 985 Failed to chown container dir
lxc-create: tools/lxc_create.c: main: 318 Error creating container m3

@brauner
Member

brauner commented Mar 13, 2017

Do the same for /usr/bin/newgidmap as for /usr/bin/newuidmap and try again, please.

@lpvm
Author

lpvm commented Mar 13, 2017

Works! Finally! Thank you for all your help!

So, this was a problem of the shadow utility?

@brauner
Member

brauner commented Mar 13, 2017

I think so, yes. newuidmap and newgidmap require the setuid bit set. I'm not sure if this is purely the distro's responsibility to take care of this or if there's something upstream has to do as well.
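
The two preconditions this thread turns on can be checked before running `lxc-create`: privileged `newuidmap`/`newgidmap` helpers, and an `lxc.idmap` range that lies inside the user's `/etc/subuid` and `/etc/subgid` entries. The script below is an added example, not code from the thread or from LXC; the function names and the file-capability fallback are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the thread: preflight checks for unprivileged LXC
# id mapping. Paths and file formats are the ones quoted in the issue.

# helper_privileged FILE [OWNER_UID]
# Succeeds when FILE is owned by OWNER_UID (default 0) with the setuid bit set.
# "-perm -4000" matches any mode containing setuid, so 4755 and 5755 both pass.
# Fallback (assumption: some distributions grant file capabilities instead of
# setuid): accept cap_setuid/cap_setgid if getcap is installed.
helper_privileged() (
    [ -f "$1" ] || exit 2
    if [ -n "$(find "$1" -prune -user "${2:-0}" -perm -4000 -print)" ]; then
        exit 0
    fi
    command -v getcap >/dev/null 2>&1 &&
        getcap "$1" 2>/dev/null | grep -q 'cap_set[ug]id'
)

# idmap_allowed SUBID_FILE USER HOSTID RANGE
# Succeeds when HOSTID..HOSTID+RANGE-1 lies inside one USER entry of
# SUBID_FILE (format user:start:count, as in /etc/subuid and /etc/subgid).
idmap_allowed() (
    awk -F: -v u="$2" -v start="$3" -v n="$4" '
        $1 == u && start >= $2 && start + n <= $2 + $3 { ok = 1 }
        END { exit !ok }' "$1"
)

# check_conf CONF USER SUBUID_FILE SUBGID_FILE
# Checks every "lxc.idmap = ..." (or legacy "lxc.id_map = ...") line in CONF.
# Assumes the "key = value" spacing used in the configs quoted in this thread.
check_conf() (
    rc=0
    maps=$(awk '$1 ~ /^lxc\.id_?map$/ && $2 == "=" { print $3, $5, $6 }' "$1")
    while read -r kind hostid range; do
        case $kind in
            u) file=$3 ;;
            g) file=$4 ;;
            *) continue ;;
        esac
        if idmap_allowed "$file" "$2" "$hostid" "$range"; then
            echo "ok:   $kind $hostid+$range is delegated to $2"
        else
            echo "FAIL: $kind $hostid+$range is not delegated to $2 in $file"
            rc=1
        fi
    done <<EOF
$maps
EOF
    exit "$rc"
)

# Usage: sh preflight.sh USER CONF
if [ "$#" -eq 2 ]; then
    for helper in /usr/bin/newuidmap /usr/bin/newgidmap; do
        helper_privileged "$helper" ||
            echo "FAIL: $helper has neither setuid root nor a setuid/setgid capability"
    done
    check_conf "$2" "$1" /etc/subuid /etc/subgid
fi
```

If the id ranges check out but a helper is reported, the configuration is consistent and the helper binaries are the place to look, which is how this issue was resolved.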

@brauner
Member

brauner commented Mar 13, 2017

Can be closed, I assume. :)

@Hethsron

Hi! May I have your help please?

When trying to create unprivileged container lxc I get this error:

lxc-create -t ubuntu -n ubuntu9
lxc-create: ubuntu9: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory - Failed to open tt
lxc-create: ubuntu9: tools/lxc_create.c: main: 327 Failed to create container ubuntu9

The configuration file contains the following information:

GNU nano 3.2 /home/hethsron/.config/lxc/default.conf Modifié

lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx

lxc.mount.auto = proc:mixed sys:ro cgroup:mixed

/var/lib/lxc/ = ~/.local/share/lxc
/var/cache/lxc = ~/.cache/lxc

@Hethsron

I tried everything according to the documentation I found online (linuxcontainers.org) but I didn't succeed.

@hallyn
Member

hallyn commented Jan 4, 2019 via email

@stschindler

@hallyn I get the same issue, here's more info:

/etc/subuid

stsch:100000:65536

/etc/subgid

stsch:100000:65536

/etc/lxc/default.conf

lxc.net.0.type = empty
lxc.idmap = u 0 100000 65536
lxc.idmap = g 0 100000 65536

~/.config/lxc/default.conf

lxc.include = /etc/lxc/default.conf

Since I'm on Arch Linux, kernel.unprivileged_userns_clone (sysctl) is 1, and /etc/pam.d/system-login contains the extra line session optional pam_cgfs.so -c freezer,memory,name=systemd,unified.

Here's what I get:

 % lxc-create -t download -n ubuntu9 -- -d ubuntu -r bionic -a amd64

lxc-create: ubuntu9: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open tt
lxc-create: ubuntu9: tools/lxc_create.c: main: 327 Failed to create container ubuntu9

The binaries are all available:

% which lxc-usernsexec newuidmap newgidmap 
/usr/bin/lxc-usernsexec
/usr/bin/newuidmap
/usr/bin/newgidmap

When I replace stsch by root in the sub* files, I can create containers as root without problems.

@stschindler

...and here's the output of the alternate log file with -l DEBUG:

lxc-create test 20190123075259.343 INFO     confile - confile.c:set_config_idmaps:1673 - Read uid map: type u nsid 0 hostid 100000 range 65536
lxc-create test 20190123075259.343 INFO     confile - confile.c:set_config_idmaps:1673 - Read uid map: type g nsid 0 hostid 100000 range 65536
lxc-create test 20190123075259.343 DEBUG    conf - conf.c:chown_mapped_root:3219 - trying to chown "/home/stsch/.local/share/lxc/test" to 1000
lxc-create test 20190123075259.413 ERROR    conf - conf.c:chown_mapped_root:3279 - lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open tt
lxc-create test 20190123075259.414 ERROR    lxc_create - tools/lxc_create.c:main:327 - Failed to create container test

@stschindler

I added some debug output to conf.c, before the command is run. It shows that LXC tries to run the following command:

lxc-usernsexec -m u:0:100000:1 -m u:1000:1000:1 -m g:0:100000:1 -m g:1000:1000:1 -- chown 0:1000 /home/stsch/.local/share/lxc/test

When run manually, the output is:

chown: cannot access '/home/stsch/.local/share/lxc/test': Permission denied

I'm not experienced enough with the whole process so I have no idea what's happening.

@simevo

simevo commented Jan 28, 2019

same here on debian buster; the id ranges are different

grep paolog /etc/sub?id
/etc/subgid:paolog:755360:65536
/etc/subuid:paolog:755360:65536

cat /home/paolog/.config/lxc/default.conf 
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 755360 65536
lxc.idmap = g 0 755360 65536

cat /etc/lxc/default.conf
lxc.net.0.type = veth
lxc.net.0.link = br0
lxc.net.0.flags = up

sudo brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.0026b944a9c0       no              eth1

lxc-create -n debian9_64 -t debian -- -a amd64 -r stretch
lxc-create: debian9_64: conf.c: chown_mapped_root: 3226 lxc-usernsexec failed: No such file or directory - Failed to open tt
lxc-create: debian9_64: tools/lxc_create.c: main: 327 Failed to create container debian9_64
...

I instrumented conf.c like this:

git diff src/lxc/conf.c 
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d95bc4c..4a7e001 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3214,14 +3214,19 @@ int chown_mapped_root(const char *path, struct lxc_conf *conf)
                return -1;
        }
 
-       if (hostgid == sb.st_gid)
+       if (hostgid == sb.st_gid) {
+        for (const char **p= args1; *p!= NULL; ++p)
+            printf("%s\n", *p);
                ret = run_command(cmd_output, sizeof(cmd_output),
                                  chown_mapped_root_exec_wrapper,
                                  (void *)args1);
-       else
+    } else {
+        for (const char **p= args2; *p!= NULL; ++p)
+            printf("%s\n", *p);
                ret = run_command(cmd_output, sizeof(cmd_output),
                                  chown_mapped_root_exec_wrapper,
                                  (void *)args2);
+    }
        if (ret < 0)
                ERROR("lxc-usernsexec failed: %s", cmd_output);
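
Review bot: the `printf("%s\n", *p)` loops added in both branches of the `hostgid == sb.st_gid` test write the argument vector to stdout from inside `chown_mapped_root()`, so the output bypasses the log file and mixes with the tool's normal output; routing it through the project's logging macros, in the style of the `ERROR(...)` call in the trailing context lines, would keep it with the other diagnostics. The loop is also duplicated: selecting `args1` or `args2` into one pointer before the `if` would let a single loop and a single `run_command()` call serve both cases. The added lines and the closing braces (`+    } else {`, `+    }`) are not aligned with the indentation of the surrounding code.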

the command it tries here is:

lxc-usernsexec -m u:0:755360:1 -m u:1000:1000:1 -m g:0:755360:1 -m g:1000:1000:1 -- chown 0:1000 /home/paolog/.local/share/lxc/debian9_64

on executing that I get:

lxc-usernsexec -m u:0:755360:1 -m u:1000:1000:1 -m g:0:755360:1 -m g:1000:1000:1 -- chown 0:1000 /home/paolog/.local/share/lxc/debian9_64
Operation not permitted - Failed to unshare mount and user namespaceNo such file or directory - Failed to read from pipe file descriptor 3lxc 20190128141012.950 ERROR    conf - conf.c:lxc_map_ids:2999 - newuidmap failed to write mapping "newuidmap: write to uid_map failed: Operation not permitted": newuidmap 17766 0 755360 1 1000 1000 1
Failed to write id mapping for child process

@gavenkoa

I described a Vagrantfile at #2764 to reproduce openat(3, "uid_map", O_WRONLY) = -1 EACCES (Permission denied)

@dlannan-fmad

dlannan-fmad commented Jan 13, 2021

Has anyone solved this? I'm still seeing this problem on debian buster.

 % lxc-create -t download -n ubuntu9 -- -d ubuntu -r bionic -a amd64

lxc-create: ubuntu9: conf.c: chown_mapped_root: 3279 lxc-usernsexec failed: No such file or directory - Failed to open ttyNo such file or directory - Failed to open tt
lxc-create: ubuntu9: tools/lxc_create.c: main: 327 Failed to create container ubuntu9

I have checked so many suggestions. Reinstalled lxc multiple times, and many other methods. The documentation on lxc website seems like it is missing something with user id setups?

It looks like it might be related to this:
#3121

@softbrada

For me what @brauner said here worked #1454 (comment)
But instead of 4755 I used 5755 on /usr/bin/newgidmap
