Bug 615298 - sys-apps/shadow-4.4-r2 newgidmap newuidmap need the setuid bit set so LXC unprivileged containers can work
Summary: sys-apps/shadow-4.4-r2 newgidmap newuidmap need the setuid bit set so LXC unp...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL: https://github.com/lxc/lxc/issues/1454
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-04-11 18:10 UTC by Plero H
Modified: 2020-06-23 16:16 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---

Description Plero H 2017-04-11 18:10:53 UTC
The shadow package does not set the setuid bit on newgidmap/newuidmap, so LXC unprivileged containers cannot start. According to LXC this is a distro/package issue.

Reproducible: Always

Steps to Reproduce:
1. create an unprivileged lxc container
2. update/remerge shadow ebuild
3. start the container
Actual Results:
LXC container cannot start

Expected Results:
LXC container should start

Check the problem and the solution here:

https://github.com/lxc/lxc/issues/1454

Maybe an additional USE flag is needed in the shadow ebuild so we can setuid those binaries.
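The report boils down to two preconditions on the host that an unprivileged LXC container needs: newuidmap and newgidmap must be setuid root, and the user starting the container must own a subordinate id range in /etc/subuid and /etc/subgid. The following diagnostic script is an added example (not part of this bug report and not code from the shadow or LXC projects); it assumes the binaries live at /usr/bin/newuidmap and /usr/bin/newgidmap, GNU stat (the Linux/Gentoo case), and the usual user:start:count format of the subid files.

```shell
#!/bin/sh
# lxc-idmap-check.sh (hypothetical name): report whether this host satisfies
# the two preconditions for unprivileged LXC containers discussed in the bug.
# Added example; not from the bug report, shadow or LXC.

# mode_has_setuid MODE: MODE is the octal mode string printed by `stat -c %a`
# (for example 4711, or 711 when no special bits are set). Succeeds only when
# the setuid bit (04000) is present; setgid alone (02755) is not enough.
mode_has_setuid() {
    [ $(( 0$1 & 04000 )) -ne 0 ]
}

# subid_count FILE USER: total number of subordinate ids FILE grants to USER,
# summing every "USER:start:count" line; prints 0 when there is no entry.
subid_count() {
    awk -F: -v u="$2" '$1 == u { total += $3 } END { print total + 0 }' "$1"
}

# check_binary PATH: succeed only if PATH exists and is setuid root.
# Uses GNU stat; the positional parameters are local to the function.
check_binary() {
    bin=$1
    if [ ! -e "$bin" ]; then
        echo "MISSING  $bin"
        return 1
    fi
    set -- $(stat -c '%a %U' "$bin")
    mode=$1
    owner=$2
    if mode_has_setuid "$mode" && [ "$owner" = "root" ]; then
        echo "OK       $bin (mode $mode, owner $owner)"
        return 0
    fi
    echo "PROBLEM  $bin is not setuid root (mode $mode, owner $owner)"
    return 1
}

# check_subids USER: both /etc/subuid and /etc/subgid must grant USER a range.
check_subids() {
    user=$1
    status=0
    for f in /etc/subuid /etc/subgid; do
        if [ -r "$f" ]; then
            n=$(subid_count "$f" "$user")
        else
            n=0
        fi
        if [ "$n" -gt 0 ]; then
            echo "OK       $f grants $user $n ids"
        else
            echo "PROBLEM  $f grants $user no ids (or is unreadable)"
            status=1
        fi
    done
    return $status
}

# main [USER]: run every check; exit status 0 means the host looks ready.
main() {
    rc=0
    for b in /usr/bin/newuidmap /usr/bin/newgidmap; do
        check_binary "$b" || rc=1
    done
    check_subids "${1:-$(id -un)}" || rc=1
    return $rc
}

main "$@"
```

Run it as the user who starts the containers; a PROBLEM line for either binary is exactly the packaging defect this bug describes (the ebuild installs the helpers without the setuid bit), while a PROBLEM line for a subid file is a local configuration gap rather than a shadow bug.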
Comment 1 Rick Harris 2017-07-15 23:48:40 UTC
Confirmed, same problem here.

I'm currently working around the problem by disabling the use of shadow's newgidmap/newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to sys-apps/shadow during ./configure, as LXC's implementation is somewhat flaky in my use case.

This has the end result of LXC correctly setting up the UID/GID mapping directly itself instead of trying (and failing) to use shadow's newgidmap/newuidmap.
Comment 2 Plero H 2017-07-17 22:58:27 UTC
(In reply to Rick Harris from comment #1)
> Confirmed, same problem here.
> 
> I'm currently working around the problem by disabling the use of shadow's
> newgidmap newuidmap by passing EXTRA_ECONF="--enable-subordinate-ids=no" to
> sys-apps/shadow during ./configure as LXC's implementation is somewhat flaky
> in my use case.
> 
> This has the end of result of LXC correctly setting up the UID/GID mapping
> directly itself instead of trying (and failing) to use shadow's newgidmap
> newuidmap.

Nice, can you attach a patch? How do you do it?