Adding LXC id mapping reverses ownership of all user-owned files within the container
by poisonborz from LinuxQuestions.org on (#5DWM2)
I'm using LXC within Proxmox.
I'd have some bind mounts I'd like to share between a number of LXC containers. Also, like many, I stumbled upon the problem of conflicting UIDs. I'm trying to set up mapping, but however much I read, I seem to have some major misunderstanding. Whenever I add mapping, any folder owned by the mapped user (e.g. the home directory) will suddenly get owned by 65534/nobody. How is this possible? I thought maps only have an effect on the host/outside the container (as in files in bind mounts)?
I'm trying to use mapping like this (generated by a python util):
Code:
lxc.idmap: u 0 100000 999
lxc.idmap: g 0 100000 999
lxc.idmap: u 999 999 1
lxc.idmap: g 999 999 1
lxc.idmap: u 1000 101000 4000
lxc.idmap: g 1000 101000 4000
lxc.idmap: u 5000 5000 1
lxc.idmap: g 5000 5000 1
lxc.idmap: u 5001 105001 60536
lxc.idmap: g 5001 105001 60536
And alternatively this, as seen in many wikis:
Code:
lxc.idmap = u 0 100000 999
lxc.idmap = g 0 100000 999
lxc.idmap = u 999 5000 1
lxc.idmap = g 999 5000 1
lxc.idmap = u 5000 101000 64536
lxc.idmap = g 5000 101000 64536
Both with the same effect.
On the host /etc/sub{u,g}id:
Code:
root:100000:65536
root:999:1
root:5000:1
As an alternative, would it be feasible/recommended to set an ACL for the shared folders within each container, and set the masks to rw-rw-rw? This way the different owner IDs would be irrelevant.
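Added example (not from the post, nor LXC or Proxmox code): a small Python helper that translates container ids to host ids and back under a set of lxc.idmap entries, lists container id ranges that no entry covers, and shows what the container sees for a file that was written to disk under one map once a different map is in effect; an id with no mapping in the namespace is displayed as 65534/nobody. The single-range default map `u 0 100000 65536` used as the "old" map is an assumption about how the container's rootfs was originally created.

```python
import re

OVERFLOW_ID = 65534  # kernel overflowuid: an id with no mapping in the namespace shows as this ("nobody")

def parse_idmap(text):
    """Parse 'lxc.idmap: u 0 100000 999' (Proxmox) or 'lxc.idmap = ...' lines into (kind, ns_start, host_start, count)."""
    pat = re.compile(r"^\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    return [(m[1], int(m[2]), int(m[3]), int(m[4]))
            for m in map(pat.match, text.splitlines()) if m]

def ns_to_host(maps, kind, ns_id):
    """Host id that container id ns_id is stored as on disk, or None if the map has no entry for it."""
    for k, ns, host, n in maps:
        if k == kind and ns <= ns_id < ns + n:
            return host + (ns_id - ns)
    return None

def host_to_ns(maps, kind, host_id):
    """Id the container sees for a file owned by host_id, or None (rendered as 65534/nobody)."""
    for k, ns, host, n in maps:
        if k == kind and host <= host_id < host + n:
            return ns + (host_id - host)
    return None

def unmapped_ns_ranges(maps, kind, limit=65536):
    """Container ids in [0, limit) that no entry maps, as inclusive (lo, hi) pairs."""
    gaps, pos = [], 0
    for ns, end in sorted((ns, ns + n) for k, ns, _, n in maps if k == kind):
        if ns > pos:
            gaps.append((pos, ns - 1))
        pos = max(pos, end)
    return gaps + ([(pos, limit - 1)] if pos < limit else [])

def visible_after_remap(old_maps, new_maps, kind, ns_id):
    """A file created as ns_id under old_maps is stored under a host id; return what the
    container sees for it under new_maps (65534/nobody if that host id is unmapped)."""
    host_id = ns_to_host(old_maps, kind, ns_id)
    seen = host_to_ns(new_maps, kind, host_id) if host_id is not None else None
    return OVERFLOW_ID if seen is None else seen

# Constructed inputs: the two maps from the post (uid lines only) and the single-range
# default map an unprivileged container rootfs is typically created under (assumption).
DEFAULT_MAPS = parse_idmap("lxc.idmap: u 0 100000 65536")
PY_MAPS = parse_idmap("lxc.idmap: u 0 100000 999\nlxc.idmap: u 999 999 1\n"
                      "lxc.idmap: u 1000 101000 4000\nlxc.idmap: u 5000 5000 1\n"
                      "lxc.idmap: u 5001 105001 60536")
WIKI_MAPS = parse_idmap("lxc.idmap = u 0 100000 999\nlxc.idmap = u 999 5000 1\n"
                        "lxc.idmap = u 5000 101000 64536")
```

On these inputs the wiki-style map leaves container uids 1000..4999 with no mapping at all, while the python-util map covers every id but gives a file stored under the default map as uid 999 (host 100999) no container owner, so it shows as nobody.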