Do idmaps for bind mounts in multiple unprivileged containers require separate users?

bertieb

Jul 1, 2020
Hi folks,

I have been using the unprivileged containers wiki guide to bind mount a directory for containerA (uid+gid 1000), which works grand.

When I tried to do a similar thing for a separate mount point for containerB (also uid+gid 1000), things went awry.

Using the same idmap lxc config, it messed up ownership on that container: files and directories show up as being owned by 65523. To get the thing that I wanted to access the mount point to work, I had to create another user (uid+gid 1001) and change the config for containerB to match that.

Question: is this expected behaviour?

I think it is, due to what fiona said in another thread:

I think by creating the mapping, the user will have the new ID from the container's perspective, so the files that belonged previously to that user won't have a matching ID anymore

However, I don't know enough specifics about the underlying tech (lxc) and how it works to achieve isolation / security, beyond the simplified hand-wave of "uids+gids from an unprivileged guest container are mapped to higher numbers on the host".

Follow-up question: if it isn't expected behaviour, how would one have multiple unprivileged containers with the same uid+gid accessing their respective bind mounts? If it is expected behaviour, is it worth documenting on the wiki page (linked above) with a little note to the effect of something like:

Multiple unprivileged CTs with bind mounts

Please note that if you wish to have multiple unprivileged lxc CTs accessing mount points on the host, the CTs will require differing uids+gids, with the required changes for each CT to /etc/subuid and /etc/subgid on the host.

Cheers!

PS: I haven't included configs, logs, or outputs here to illustrate the issue but I am happy to if needed :)
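An added helper for the idmap configuration discussed above (my own example code, not from the Proxmox wiki or anyone in this thread): it builds the lxc.idmap lines that pass one container uid/gid through to a chosen host id, checks that the map still covers the container's whole 0..65535 range, and reports which host ids two containers' maps have in common. It assumes the Proxmox default unprivileged base of 100000 for all the other ids; the function and entry names are hypothetical.

```python
"""Hypothetical helper (not from the Proxmox wiki): lxc.idmap lines for one
passthrough id, plus checks on the resulting maps. Assumes base 100000."""

CT_RANGE = 65536  # ids 0..65535 inside an unprivileged container

def idmap_lines(ct_id, host_id, base=100000):
    """lxc.idmap lines (u and g) mapping ct_id -> host_id, rest -> base+id."""
    lines = []
    for kind in ("u", "g"):
        if ct_id > 0:  # ids below the passthrough keep the default offset
            lines.append(f"lxc.idmap: {kind} 0 {base} {ct_id}")
        lines.append(f"lxc.idmap: {kind} {ct_id} {host_id} 1")  # passthrough
        rest = CT_RANGE - ct_id - 1
        if rest > 0:  # ids above the passthrough continue the default offset
            lines.append(f"lxc.idmap: {kind} {ct_id + 1} {base + ct_id + 1} {rest}")
    return lines

def sub_id_entry(host_id):
    return f"root:{host_id}:1"  # needed in both /etc/subuid and /etc/subgid

def parse_idmap(lines):
    """Parse 'lxc.idmap: <u|g> <ct> <host> <count>' into per-kind tuples."""
    maps = {"u": [], "g": []}
    for ln in lines:
        kind, ct, host, count = ln.split(":", 1)[1].split()
        maps[kind].append((int(ct), int(host), int(count)))
    return maps

def covers_full_range(maps):
    """True when u and g each map 0..65535 contiguously, no gaps or overlaps."""
    for kind in ("u", "g"):
        cur = 0
        for ct, _, count in sorted(maps[kind]):
            if ct != cur:
                return False
            cur += count
        if cur != CT_RANGE:
            return False
    return True

def shared_host_ids(maps_a, maps_b, kind="u"):
    """Host ids both containers map to, i.e. identities they share on the host."""
    shared = set()
    for _, ha, ca in maps_a[kind]:
        for _, hb, cb in maps_b[kind]:
            lo, hi = max(ha, hb), min(ha + ca, hb + cb)
            if lo < hi:
                shared.update(range(lo, hi))
    return shared
```

Comparing `idmap_lines(1000, 1000)` for two containers against `idmap_lines(1000, 1000)` and `idmap_lines(1000, 1001)` shows whether host uid 1000 ends up shared between the CTs or kept to one of them.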