当root的subuid和subgid信息发生更改时，无法启动LXD容器

Question

我是LXD的新手，遇到了一个问题，我试图为容器的根用户构建一个子gid和子gid映射，以便当根用户写入目录/megalith时，它将是主机用户的UID/GID (1000:1000)，而不是165536:65536的uid/gid。我正在尝试遵循下面列出的说明：

http://insights.ubuntu.com/2016/12/08/mounting-your-home-directory-in-lxd/

但是当我尝试启动容器时，我收到了下面列出的错误。但是，如果我将根subuid和subgid条目返回到root:165536:65536，一切都开始正常工作，除了当我写入/megalith时，UID和GID显然是165536:65536。

为了使root、subuid和subgid映射正常工作，我还需要做什么吗?文档中可能没有这些内容，或者我可能缺少这些内容？

cliff@reventon /megalith $ id
uid=1000(cliff) gid=1000(cliff) groups=1000(cliff),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),130(sambashare),132(lxd)

cliff@reventon /megalith $ cat /etc/subuid
cliff:100000:65536
lxd:165536:65536
root:1000:1

cliff@reventon /megalith $ cat /etc/subgid
cliff:100000:65536
lxd:165536:65536
root:1000:1

cliff@reventon /megalith $ lxc init ubuntu-daily:z zestytest
Creating zestytest

cliff@reventon /megalith $ lxc config set zestytest raw.idmap 'both 1000 1000'

cliff@reventon /megalith $ lxc config device add zestytest megalith disk source=/megalith path=/megalith
Device megalith added to zestytest

cliff@reventon /megalith $ lxc start zestytest
error: Error calling 'lxd forkstart zestytest /var/lib/lxd/containers /var/log/lxd/zestytest/lxc.conf': err='exit status 1'
  lxc 20170112215311.265 ERROR lxc_start - start.c:lxc_spawn:1163 - Failed to set up id mapping.
  lxc 20170112215311.303 ERROR lxc_start - start.c:__lxc_start:1338 - Failed to spawn container "zestytest".
  lxc 20170112215311.855 ERROR lxc_conf - conf.c:run_buffer:347 - Script exited with status 1
  lxc 20170112215311.855 ERROR lxc_start - start.c:lxc_fini:546 - Failed to run lxc.hook.post-stop for container "zestytest".
  lxc 20170112215311.858 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.858 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/systemd//lxc/zestytest
  lxc 20170112215311.861 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.861 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/cpuset//lxc/zestytest
  lxc 20170112215311.864 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.864 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/hugetlb//lxc/zestytest
  lxc 20170112215311.867 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.867 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/cpu//lxc/zestytest
  lxc 20170112215311.869 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.869 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/pids//lxc/zestytest
  lxc 20170112215311.872 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.872 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/perf_event//lxc/zestytest
  lxc 20170112215311.875 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.875 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/freezer//lxc/zestytest
  lxc 20170112215311.878 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.878 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/memory//lxc/zestytest
  lxc 20170112215311.881 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.881 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/net_cls//lxc/zestytest
  lxc 20170112215311.884 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.884 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/devices//lxc/zestytest
  lxc 20170112215311.886 ERROR lxc_conf - conf.c:userns_exec_1:4374 - Error setting up child mappings
  lxc 20170112215311.886 ERROR lxc_cgfsng - cgroups/cgfsng.c:recursive_destroy:1274 - Error destroying /sys/fs/cgroup/blkio//lxc/zestytest

Try `lxc info --show-log zestytest` for more info

Answer 1

如果我将根subuid和subgid条目返回到根目录，则返回

：165536:65536

您需要165536:65536和1000:1范围。

前者用于保存容器内使用的大部分uid/gid，后者用于映射您的uid/gid以保持容器内的内容不变。

Answer 2

不太确定这是否解决了你的问题：https://github.com/lxc/lxc/issues/1622

该线程的要点是，将主机uid和/或主机gid映射到容器根uid和/或gid是不安全的。如果要执行所描述的操作，则应映射到默认容器用户，或创建一个新的容器用户并使用该容器用户运行命令。然后，您可以将主机uid/gid映射到该容器uid/gid。