4

I have a directory on disk that is owned by share with a gid of 1001. I want to add that directory as a device on one of the lxc containers, and have that group carry over.

I have tried using raw.idmap 'gid 1001 1001' but the lxc container won't start if I add this.

Thanks

Vitaly Babiy
  • The way to do the raw.idmap part of this question is made more concrete here: https://superuser.com/questions/1174344/syntax-for-setting-lxd-container-raw-idmap – Jonathan Hartley May 24 '19 at 18:38

3 Answers

3

There are three parts needed to make the mapping work.

  1. raw.idmap set (which you've already done)
  2. the container has an existing gid to map to
  3. the shadow file allows the id mapping

You're trying to map the host-gid 1001 (share) to a container-gid. In this case you've chosen that the container-gid will be 1001 as well.

You've accomplished #1 above: you've set up the mapping.

Accomplishing #2 just requires you to create a group with gid 1001 inside the container. In theory this could actually be any gid for the new group and you'd just have to modify the raw.idmap command to set the destination gid to match the one defined in the container.

For #3 above, you need to check /etc/subgid to make sure you're allowed to map host-gid 1001 to container-gid 1001.
When you look at /etc/subgid you should see some lines that look something like the following, though the first number on each line may be different:

lxd:100000:65536
root:100000:65536

This is the default configuration and says that lxd can use gids with a range starting at 100000, which produces containers that have a hidden offset relative to the host gids of 100000 (or whatever the first number in the line is). If you create a file in a mounted directory from within the container, the gid visible from the host would be that offset + the container gid.
To allow lxd to use gid 1001, and therefore allow it to map host gid 1001 to container gid 1001 (or any container gid), you need to add the permissions to your /etc/subgid file. You can do this by adding a line like this to the end of the file:

lxd:1001:1
root:1001:1

If you have a number of different gids you want the host to allow lxd to map when you use the raw.idmap option, you can specify them as

lxd:start-id-to-expose:count-of-ids-to-expose
root:start-id-to-expose:count-of-ids-to-expose

with non-contiguous ranges being listed on additional lines in the file.
Make sure you always add both an lxd and root line whenever you need to add new lines since lxd documentation says they must be kept in sync for most uses.

mtalexan
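Step #3 of this answer can be checked rather than eyeballed. The following shell snippet is an added example, not the answer author's code: it parses /etc/subgid lines of the form name:start:count and reports whether both the lxd and root entries cover a given gid (the subgid contents below are a constructed sample, and the function name subgid_allows is my own).

```shell
#!/bin/sh
# Added example: does /etc/subgid let BOTH "lxd" and "root" map a given host gid?
# A gid is allowed when some line "name:start:count" satisfies start <= gid < start+count.
# Usage: subgid_allows <gid> [subgid-file]   (defaults to the real /etc/subgid)

subgid_allows() {
  gid=$1
  file=${2:-/etc/subgid}
  for name in lxd root; do
    # awk exits 0 if any matching range line for this name covers the gid
    awk -F: -v n="$name" -v g="$gid" '
      $1 == n && g >= $2 && g < $2 + $3 { found = 1 }
      END { exit(found ? 0 : 1) }' "$file" || return 1
  done
  return 0
}

# Constructed sample: the default 100000:65536 ranges plus the single-gid
# lines the answer above tells you to append for gid 1001.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
lxd:100000:65536
root:100000:65536
lxd:1001:1
root:1001:1
EOF

for g in 1001 1002 165535 165536; do
  if subgid_allows "$g" "$SAMPLE"; then
    echo "gid $g: mappable via raw.idmap"
  else
    echo "gid $g: NOT mappable, add lxd:$g:1 and root:$g:1 to /etc/subgid"
  fi
done
```

Run it against the real file with `subgid_allows 1001` once the lines are in place; it returns non-zero if either the lxd or the root entry is missing, which is the "kept in sync" requirement the answer mentions.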
1

What you are telling with that line is to map the host user with the id 1001 to the container user with id 1001, which means that you should make sure that you have a user with id 1001 inside the container or map it to a different user (the first user of a container usually has id 1000).

Aníbal Rivero
0

In recent versions of LXD, this can also be obtained through the shift option of lxc config device add ... which uses shiftfs or idmapped mounts. Note that this has some security implications if the shared folder is on a mountpoint allowing suid.

Luca Citi