[SOLVED] LXC Container bind mount: map all uid/gid to a single uid/gid on the host

McChaos

Member
Mar 13, 2019
12
2
8
Hello,

I have trouble accessing a bind mount from inside the container and I'm unsure how to solve it. The container is created unprivileged and contains an Ubuntu 18.04.
Each file that is created inside the container should have uid=1197 and gid=1000 on the host.

I created two bind mounts for the container 197:
Code:
mp0: /sclass_temp/svn,mp=/data/svn,mountoptions=nodev;noexec
mp1: /sclass_temp/test,mp=/data/test

And I can see it inside:
Code:
# ls -lan /data/
total 10
drwxr-xr-x  4     0     0  4 Feb  5 18:31 .
drwxr-xr-x 22     0     0 22 Feb  5 18:52 ..
drwxr-xr-x  2 65534 65534  2 Feb  5 18:07 svn
drwxr-xr-x  2 65534 65534  2 Feb  5 18:07 test

I created a new group "datauser" inside the container and on the host with gid 1000.
But now I'm lost; no idea what to do next.

Maybe somebody can point me in the right direction?

Thanks in advance!
Thomas
 

MapleEscape22

New Member
Feb 6, 2020
3
0
1
42
You should read this - https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

By default, a container's uids/gids are mapped to the host's uids/gids starting at 100000. So a container's uid of 0 (root) would map to the host's uid of 100000. And a container's uid of 1 would map to the host's uid 100001. And so on....

You have two options:

Option 1:
Change the mount's uid/gid on the host to the correlated mappings in the container. In your case uid 1197 in the container maps to 101197 on the host and a gid of 1000 in the container maps to 101000 on the host.

Option 2:
Change the way the container's uids/gids are mapped by adding lxc.idmap to the container's config. See example in the link.

In your case, the config for the container would look something like this.

# container ids 0..1196 / 0..999 keep the default shift (host 100000..)
lxc.idmap = u 0 100000 1197
lxc.idmap = g 0 100000 1000

# container uid 1197 and gid 1000 map 1:1 to the host
lxc.idmap = u 1197 1197 1
lxc.idmap = g 1000 1000 1

# the remaining ids continue the shift right after the pinned id
# (host start = 100000 + container start, so 101198 and 101001)
lxc.idmap = u 1198 101198 64338
lxc.idmap = g 1001 101001 64535

Then in the file /etc/subuid on the host add:
root:1197:1

And in the file /etc/subgid on the host add:
root:1000:1

Restart container.
 

McChaos

Member
Mar 13, 2019
12
2
8
Thank you.
Is it possible to map all uid inside the container to a single uid on the host?
 

MapleEscape22

New Member
Feb 6, 2020
3
0
1
42
No I don't think so. But you can map your host group to the container group and then in the container add all the users to the group to grant them access.
 

McChaos

Member
Mar 13, 2019
12
2
8
Still no luck ;-(

I only set the group id translation and kept the user id...

on Host:
Code:
main:~# ls -lan /sclass_temp/
total 19
drwxr-xr-x  5 0    0  5 Feb  5 19:07 .
drwxr-xr-x 20 0    0 26 Jan  3 22:51 ..
drwxrwsr-x  2 0 1000  2 Feb  5 19:07 svn
drwxrwsr-x  2 0 1000  4 Feb  6 16:16 test

In container (as root):
Code:
# ls -lan /data/test/
total 2
drwxrwsr-x 2 65534 1000 4 Feb  6 15:16 .
drwxr-xr-x 4     0    0 4 Feb  5 18:31 ..
-rw-r--r-- 1 65534 1000 0 Feb  6 15:15 test.txt
-rw-r--r-- 1 65534 1000 0 Feb  6 15:16 test1.txt

# touch /data/test/test2.txt
touch: cannot touch '/data/test/test2.txt': Permission denied

/etc/subgid
root:1000:1
root:100000:65536

/etc/subuid
root:100000:65536

/etc/pve/lxc/197.conf
lxc.idmap: u 0 100000 65535
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64534
 

McChaos

Member
Mar 13, 2019
12
2
8
Tested now also with the complete configuration as mentioned above by @MapleEscape22, same result.
Code:
# ls -lan /data
total 10
drwxr-xr-x  4     0    0  4 Feb  5 18:31 .
drwxr-xr-x 22     0    0 22 Feb  6 18:39 ..
drwxrwsr-x  2 65534 1000  2 Feb  5 18:07 svn
drwxrwsr-x  2 65534 1000  4 Feb  6 15:16 test
# ls -lan /data/test/
total 2
drwxrwsr-x 2 65534 1000 4 Feb  6 15:16 .
drwxr-xr-x 4     0    0 4 Feb  5 18:31 ..
-rw-r--r-- 1 65534 1000 0 Feb  6 15:15 test.txt
-rw-r--r-- 1 65534 1000 0 Feb  6 15:16 test1.txt
# touch /data/test/test2.txt
touch: cannot touch '/data/test/test2.txt': Permission denied
#
 

MapleEscape22

New Member
Feb 6, 2020
3
0
1
42
In your container did you create your group with a gid of 1000? When you do an "ls -la" in your container, you should see the group name you created, not 1000. And you also need to add your user to the group created in the container.

Also your group permissions only have "read" for test.txt and test1.txt, so you wouldn't be able to touch it even if your user is in the group.

If that doesn't work, then I'm out of ideas.
 

McChaos

Member
Mar 13, 2019
12
2
8
ok, solved. I had to add root to the datauser group as well :rolleyes:

Thank you very much!
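Why root inside the container was denied, and why adding root to the datauser group fixed it, as an added example that is not part of any post: a shell model of the Linux permission decision. The function name, the constructed inputs and the 65534 check are assumptions; the model captures that root in an unprivileged container bypasses mode bits only on inodes whose owner and group are both mapped into the container, which is not the case for a directory owned by host uid 0 (shown as 65534, nobody, inside).

```shell
#!/bin/sh
# Added example, not from the thread: a shell model of the permission check that
# made "touch /data/test/test2.txt" fail for root inside the container. Root in
# an unprivileged container may bypass mode bits (CAP_DAC_OVERRIDE) only on
# inodes whose owner uid and gid are both mapped into the container; a bind
# mount owned by an unmapped host id shows up as 65534 (nobody), so root is
# held to the plain owner/group/other check like any user. The inputs below are
# constructed from the thread's listing (directory 65534:1000, drwxrwsr-x).

# can_write UID GROUPS OWNER GROUP MODE: GROUPS is a space-separated list of the
# caller's gids, MODE the octal bits as shown by stat (e.g. 2775). Prints which
# rule decided and returns 0 when a write would be allowed.
can_write() {
    uid=$1; gids=$2; owner=$3; group=$4; mode=$5
    # root's override applies only when owner and group are mapped ids
    if [ "$uid" -eq 0 ] && [ "$owner" -ne 65534 ] && [ "$group" -ne 65534 ]; then
        echo "allowed: root overrides mode bits on a mapped owner/group"
        return 0
    fi
    bits=${mode#"${mode%???}"}          # last three octal digits: owner, group, other
    o=${bits%??}; rest=${bits#?}; g=${rest%?}; w=${rest#?}
    if [ "$uid" -eq "$owner" ]; then
        class=owner; digit=$o
    else
        class=other; digit=$w
        for gid in $gids; do
            [ "$gid" -eq "$group" ] && { class=group; digit=$g; break; }
        done
    fi
    # the write permission is bit 2 of the class's octal digit
    if [ $((digit & 2)) -ne 0 ]; then
        echo "allowed: $class bits $digit (uid $uid, gids: $gids; file $owner:$group mode $mode)"
        return 0
    fi
    echo "denied: $class bits $digit (uid $uid, gids: $gids; file $owner:$group mode $mode)"
    return 1
}

# The thread's failing state: container root, member of gid 0 only
before_fix() { can_write 0 "0" 65534 1000 2775; }
# After "usermod -aG datauser root" inside the container (datauser has gid 1000)
after_fix()  { can_write 0 "0 1000" 65534 1000 2775; }
# The alternative from option 1: chown the directory on the host to an id the
# container maps (101197, seen as 1197 inside), so root's override applies again
owner_mapped() { can_write 0 "0" 1197 1000 2775; }

before_fix || true
after_fix
owner_mapped
```

The setgid bit on the directory (the s in drwxrwsr-x) is what gives new files gid 1000, but it does nothing for the create itself: creating test2.txt needs write on the directory, and for root that comes either from group membership or from the directory having a mapped owner.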
 

vpnobrega

New Member
Jan 17, 2021
16
3
3
34
> ok, solved. I had to add root to the datauser group as well :rolleyes:
>
> Thank you very much!

To solve this, you had to create a new user and a new group and add root to the new group, right? Are these steps only inside the container? Thanks
 
