Is it possible to map a single uid/gid in an LXC container to many uids/gids on the host?

Chazz

Feb 3, 2022
Greetings,

Is it possible to map a single uid/gid in an LXC container to multiple uids/gids on the host? Surely it is, but I am apparently not smart enough to figure this one out.

Host:

u: 1001 g: 1001
u: 1005 g: 1006

Container:

u: 1000 g: 1000

What I want:

The container user and group (1,000 | 1,000) to map to both host users and groups as listed above.

Container lxd id mapping

lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1001 1
lxc.idmap: g 1000 1001 1
lxc.idmap: u 1000 1005 1
lxc.idmap: g 1000 1006 1
lxc.idmap: u 1001 101001 64530
lxc.idmap: g 1001 101001 64530

HOST /etc/subuid

root:100000:65536
root:1001:1
root:1005:1

Host /etc/subgid

root:100000:65536
root:1001:1
root:1006:1

What happens

My LXC fails to start: c_map_ids: 3663 newuidmap failed to write mapping "newuidmap: write to uid_map failed: Invalid argument": newuidmap 2643114 0 100000 1000 1000 1001 1 1000 1005 1 1001 101001 64530

Assistance would be most appreciated.
 
Hi,

I don't believe this is possible, as acting as two users at the same time would have all kinds of strange implications. What are you trying to achieve with this configuration? Perhaps there's a better answer in another approach.
 
Thank you for taking time to respond, Dylan.

I have two bind mounts, each having their own owning user and group on the host. Because the function of this LXC used both mounts, I thought a single user in the LXC could be mapped to the respective IDs required on the host for access to those directories.

I suspect an alternative is to create two users in the container and map them 1:1. That would be sufficient as well, but as a learning exercise I thought I'd chase this one into a corner... and either learn how to do it, or learn that it can't be done. Sounds like the latter.

Thanks again for your time!
 
Okay, I understand why you want the ability, but yeah, the mapping needs to be 1:1 for the same reason the host system can't have a single user that operates under multiple usernames.

I suspect an alternative is to create two users in the container and map them 1:1. That would be sufficient as well, but as a learning exercise I thought I'd chase this one into a corner... and either learn how to do it, or learn that it can't be done. Sounds like the latter.
Yeah, creating two users would be a good approach here. Alternatively, you could add both users to the same group and give the group the required permissions on the mountpoints. This way you can just map one user to the container, and they'd have full access to both mount points.
Going down the rabbit hole is usually a good learning exercise!
 
Thanks again for your time. This makes total sense.
 
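An added example, not written by anyone in the thread: the kernel rejects a uid_map or gid_map in which two extents overlap on the container side or the host side, which matches the "Invalid argument" error in the first post, so an idmap can be checked for that before the container is started. The function names and `TWO_USER_IDMAP` (the two-users-mapped-1:1 alternative discussed above, with a constructed high range) are assumptions made for this sketch.

```python
import re
from itertools import combinations

# Mapping copied from the first post: container ID 1000 is listed twice per kind.
THREAD_IDMAP = """
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1001 1
lxc.idmap: g 1000 1001 1
lxc.idmap: u 1000 1005 1
lxc.idmap: g 1000 1006 1
lxc.idmap: u 1001 101001 64530
lxc.idmap: g 1001 101001 64530
"""

# Constructed variant (assumption): a second container user/group 1001, all 1:1.
TWO_USER_IDMAP = """
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1001 1
lxc.idmap: g 1000 1001 1
lxc.idmap: u 1001 1005 1
lxc.idmap: g 1001 1006 1
lxc.idmap: u 1002 101002 64534
lxc.idmap: g 1002 101002 64534
"""

LINE = re.compile(r"^\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse(text):
    """Return [(kind, container_start, host_start, count)] from lxc.idmap lines."""
    out = []
    for line in text.splitlines():
        if (m := LINE.match(line)):
            out.append((m[1], int(m[2]), int(m[3]), int(m[4])))
    return out

def overlaps(text):
    """List extent pairs whose container-side or host-side ranges intersect."""
    found = []
    for a, b in combinations(parse(text), 2):
        if a[0] != b[0]:
            continue  # uid and gid maps are separate tables
        for side, idx in (("container", 1), ("host", 2)):
            if a[idx] < b[idx] + b[3] and b[idx] < a[idx] + a[3]:
                found.append((a[0], side, a[1:], b[1:]))
    return found

print(*overlaps(THREAD_IDMAP), sep="\n")  # one container-side clash per kind
```

The check covers extent overlap only; the host-side IDs must still be delegated in /etc/subuid and /etc/subgid as shown in the first post.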