| Summary | sys-apps/shadow-4.4-r2 newgidmap newuidmap need the setuid bit set so app-containers/lxc unprivileged containers can work | | |
|---|---|---|---|
| Product | Gentoo Linux | Reporter | Plero H <plero_hero> |
| Component | Current packages | Assignee | Gentoo's Team for Core System packages <base-system> |
| Status | RESOLVED UPSTREAM | | |
| Severity | normal | CC | alexanderyt, juippis, ramage.lucas, sam, tsmksubc, virtualization |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://github.com/lxc/lxc/issues/1454 | | |
| Whiteboard | | | |
| Package list | | Runtime testing required | --- |
Description
Plero H
2017-04-11 18:10:53 UTC

Comment 1 (Rick Harris)

Confirmed, same problem here.

I'm currently working around the problem by disabling the use of shadow's newgidmap/newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to sys-apps/shadow during ./configure, as LXC's implementation is somewhat flaky in my use case.

This has the end result of LXC correctly setting up the UID/GID mapping directly itself instead of trying (and failing) to use shadow's newgidmap/newuidmap.

(In reply to Rick Harris from comment #1)
> Confirmed, same problem here.
>
> I'm currently working around the problem by disabling the use of shadow's
> newgidmap/newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to
> sys-apps/shadow during ./configure, as LXC's implementation is somewhat flaky
> in my use case.
>
> This has the end result of LXC correctly setting up the UID/GID mapping
> directly itself instead of trying (and failing) to use shadow's newgidmap/
> newuidmap.

Nice, can you attach a patch? How do you do it?

CCing lxc maintainers.

Not sure if this is still an issue or not?

No, it shouldn't be; a lot has changed in how lxc handles idmap since 2017. If it is with the latest lxc in the tree, please reopen and let's investigate again.