Do idmaps for bind mounts in multiple unprivileged containers require separate users?


Jul 1, 2020
Hi folks,

I have been using the unprivileged containers wiki guide to bind mount a directory for containerA (uid+guid 1000), which works grand.

When I tried to do a similar thing for a separate mount point for containerB (also uid+gid 1000), things went awry.

Using the same idmap lxc config, it messed up ownership on that container- files and directories show up as being owned by 65523. To get the thing that I wanted to access the mount point to work, I had to create another user (uid+gid 1001) and change the config for containerB to match that.

Question: is this expected behaviour?

I think it is, due to what fiona said in another thread:

I think by creating the mapping, the user will have the new ID from the containers perspective, so the files that belonged previously to that user won't have a matching ID anymore

However I don't know enough specifics about the underlying tech (lxc) and how it works to achieve isolation / security, beyond the simplified hand-wave of "uids+gids from an unprivileged guest container are mapped to higher-numbers on the host".

Follow up question: if it isn't expected behaviour, how would one have multiple unprivileged containers with the same uid+gid accessing their respective bind mounts? if it is expected behaviour, is it worth documenting on the wiki page (linked above) with a little note to the effect of something like:

Multiple unprivileged CTs with bind mounts

Please note that if you wish to have multiple unprivileged lxc CTs accessing mount points on the host, the CTs will require differing uids+gids, with the required changes for each CT to /etc/subuid and /etc/subgid on the host.


PS: I haven't included configs, logs, or outputs here to illustrate the issue but I am happy to if needed :)


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!