again about the lxc permission

garzzz

New Member
Oct 8, 2024
Hi, I've tried to properly set up the right permissions for a couple of days but even by looking at the docs and the forum I can't figure out how to do so.

I have a zpool, let's say zpool-12tb/media/, which is owned by mediaU:mediaUsers.
Code:
groupadd -g 1005 mediaUsers
useradd mediaU -u 1005 -g 1005 -m -s /bin/bash
chown -R mediaU:mediaUsers /zpool-12tb/media

Now, my goal is to share this folder with multiple lxc containers, for instance jellyfin and qbittorrent.
I've used in the past this guide, but it can't solve the permissions when two containers use different users because it avoids the mapping by creating a user on the host that matches the user on the lxc+100'000. Since jellyfin uses user 110 and qbittorrent uses root, I can't have both lxc sharing the same folder.

Now, the doc says that I have to add these lines in the lxc config:
Code:
# uid map: from uid 0 map 1005 uids (in the ct) to the range starting 100000 (on the host), so 0..1004 (ct) → 100000..101004 (host)
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
# we map 1 uid starting from uid 1005 onto 1005, so 1005 → 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
# we map the rest of 65535 from 1006 upto 101006, so 1006..65535 → 101006..165535
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

Should I change, for jellyfin, 1005 with 110 for the user and 1005 with 118 for the group?
And how about qbittorrent? How can I map the lxc root with the 1005 host?

I'm quite lost, and having both 1005 on host and guest makes it harder to understand which is which (imho).
 
I've tried to test something like that for jellyfin:
Code:
lxc.idmap = u 0 100000 110
lxc.idmap = g 0 100000 118
lxc.idmap = u 110 1005 1
lxc.idmap = g 118 1005 1
lxc.idmap = u 111 100111 65425
lxc.idmap = g 119 100119 65417

and by changing on the host:
in /etc/subuid add root:110:1
in /etc/subgid add root:118:1

Well, the container won't even start, it gives this error:
Code:
lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: uid range [110-111) -> [1005-1006) not allowed": newuidmap 3321273 0 100000 110 110 1005 1 111 100111 65425
lxc_spawn: 1795 Failed to set up id mapping.
startup for container '120' failed

I don't get what this means...

ps: I've noticed that when I try to start the lxc the 120.conf file changes. The "=" after the lxc.idmap are changed to ":".
Is this normal???
 
> Well, the container won't even start, it gives this error:
> Code:
> lxc_map_ids: 245 newuidmap failed to write mapping "newuidmap: uid range [110-111) -> [1005-1006) not allowed": newuidmap 3321273 0 100000 110 110 1005 1 111 100111 65425
> lxc_spawn: 1795 Failed to set up id mapping.
> startup for container '120' failed
>
> I don't get what this means...

You did not allow root to map the host user 1005. Make sure that root:1005:1 is present in /etc/subuid and /etc/subgid.

> ps: I've noticed that when I try to start the lxc the 120.conf file changes. The "=" after the lxc.idmap are changed to ":".
> Is this normal???

Lines in the container configuration file should use :. I did not know Proxmox fixes that for you automatically.
 
> Lines in the container configuration file should use :. I did not know Proxmox fixes that for you automatically.

Well, then the docs should be changed, it's creating another doubt in an already confused user.

> You did not allow root to map the host user 1005. Make sure that root:1005:1 is present in /etc/subuid and /etc/subgid.

We are talking about the files in the host, right?
This makes me wonder: how can the host identify which lxc is related to 1005?
From the docs I guessed that these lines must be added on the host, but now I'm not sure.
 
> Well, then the docs should be changed, it's creating another doubt in an already confused user.

Not something I can do, sorry.

> We are talking about the files in the host, right?

Yes

> This makes me wonder: how can the host identify which lxc is related to 1005?

It cannot. You just allow the root user (of the host) to map container users to 1005 (for any container if it contains a user or group id mapping).

> From the docs I guessed that these lines must be added on the host, but now I'm not sure.

Yes, /etc/subuid and /etc/subgid are on the host. I don't know who designed this or why.
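
As an added illustration (not code from the posts above or from Proxmox), the sketch below models the check behind the newuidmap error in this thread: every host-side range named in the container's lxc.idmap lines must be delegated to root in /etc/subuid (or /etc/subgid for groups). The function names and the pre-existing root:100000:65536 entry are assumptions, and the coverage test is a simplified model of what newuidmap does.

```python
import re

IDMAP = re.compile(r"^\s*lxc\.idmap\s*[=:]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_idmap(conf):
    """(kind, ct_start, host_start, count) per lxc.idmap line; '=' or ':' accepted."""
    rows = (IDMAP.match(line) for line in conf.splitlines())
    return [(m[1], int(m[2]), int(m[3]), int(m[4])) for m in rows if m]

def parse_subid(text, owner="root"):
    """[(start, count)] delegated to owner in /etc/subuid or /etc/subgid syntax."""
    fields = (line.strip().split(":") for line in text.splitlines())
    return [(int(f[1]), int(f[2])) for f in fields if len(f) == 3 and f[0] == owner]

def covered(start, count, allowed):
    """True if host ids start..start+count-1 all fall inside delegated ranges."""
    pos, end = start, start + count
    for a_start, a_count in sorted(allowed):
        if a_start <= pos < a_start + a_count:
            pos = a_start + a_count
            if pos >= end:
                return True
    return False

def rejected(conf, subid_text, kind):
    """idmap entries of kind 'u' or 'g' whose host range root may not map."""
    allowed = parse_subid(subid_text)
    return [e for e in parse_idmap(conf)
            if e[0] == kind and not covered(e[2], e[3], allowed)]

# The jellyfin attempt from the first post (container uid 110 / gid 118 -> host 1005).
JELLYFIN_CONF = """\
lxc.idmap = u 0 100000 110
lxc.idmap = g 0 100000 118
lxc.idmap = u 110 1005 1
lxc.idmap = g 118 1005 1
lxc.idmap = u 111 100111 65425
lxc.idmap = g 119 100119 65417
"""
# Constructed host files: root:100000:65536 is assumed as the pre-existing entry.
SUBUID_AS_POSTED = "root:100000:65536\nroot:110:1\n"  # delegates host id 110, not 1005
SUBUID_FIXED = "root:100000:65536\nroot:1005:1\n"     # host id 1005, as the reply says

if __name__ == "__main__":
    for label, subuid in (("as posted", SUBUID_AS_POSTED), ("fixed", SUBUID_FIXED)):
        print(label, rejected(JELLYFIN_CONF, subuid, "u"))
```

The third column of an lxc.idmap line is the host id, so that is the number that has to appear in /etc/subuid and /etc/subgid; run the same check with kind "g" against the subgid contents for the group mapping.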