[SOLVED] LXC Container bind mount: map all uid/gid to a single uid/gid on the host

McChaos

Member
Mar 13, 2019
Hello,

I have trouble accessing a bind mount from inside the container and I'm unsure how to solve it. The container is created unprivileged and contains Ubuntu 18.04.
Each file that is created inside the container should have uid=1197 and gid=1000 on the host.

I created two bind mounts for the container 197:
Code:
mp0: /sclass_temp/svn,mp=/data/svn,mountoptions=nodev;noexec
mp1: /sclass_temp/test,mp=/data/test

And I can see it inside:
Code:
# ls -lan /data/
total 10
drwxr-xr-x  4     0     0  4 Feb  5 18:31 .
drwxr-xr-x 22     0     0 22 Feb  5 18:52 ..
drwxr-xr-x  2 65534 65534  2 Feb  5 18:07 svn
drwxr-xr-x  2 65534 65534  2 Feb  5 18:07 test

I created a new group "datauser" inside the container and on the host with gid 1000,
but now I'm lost, no idea what to do next...

Maybe somebody can point me in the right direction?

Thanks in advance!
Thomas
 
You should read this - https://pve.proxmox.com/wiki/Unprivileged_LXC_containers

By default, a container's uids/gids are mapped to the host's uids/gids starting at 100000. So a container's uid of 0 (root) would map to the host's uid of 100000. And a container's uid of 1 would map to the host's uid 100001. And so on....

You have two options:

Option 1:
Change the mount's uid/gid on the host to the correlated mappings in the container. In your case uid 1197 in the container maps to 101197 on the host and a gid of 1000 in the container maps to 101000 on the host.

Option 2:
Change the way the container's uids/gids are mapped by adding lxc.idmap to the container's config. See example in the link.

In your case, the config for the container would look something like this.
Code:
lxc.idmap: u 0 100000 1197
lxc.idmap: g 0 100000 1000

lxc.idmap: u 1197 1197 1
lxc.idmap: g 1000 1000 1

lxc.idmap: u 1198 101198 64338
lxc.idmap: g 1001 101001 64535

Then in the file /etc/subuid on the host add:
Code:
root:1197:1

And in the file /etc/subgid on the host add:
Code:
root:1000:1

Restart the container.
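The stanza above follows a fixed pattern: the id range before the hole is shifted by 100000, the hole maps one id onto itself, and the range after the hole is shifted again, with the three counts adding up to 65536. The script below is an added example, not code from this thread or from Proxmox: it generates that stanza and the matching /etc/subuid and /etc/subgid lines for any set of pass-through ids, and checks a stanza before the container is restarted. It assumes the default root:100000:65536 range and applies the rule that every mapped host range must sit inside a single root:start:count entry of the sub*id file; the sample files and the deliberately broken stanza at the bottom are constructed for the example.

```python
"""Added example (not from the thread or Proxmox): build the 'hole punched'
lxc.idmap stanza that passes chosen container uids/gids straight through to the
host, plus the /etc/subuid and /etc/subgid entries that go with it, and sanity-check
a stanza before restarting the container. Assumes the default Proxmox range
root:100000:65536 and checks each mapped range against one sub*id entry."""

BASE = 100000   # first host id of the default Proxmox subordinate range
SIZE = 65536    # length of that range (root:100000:65536 in /etc/subuid and /etc/subgid)


def idmap_lines(kind, passthrough, base=BASE, size=SIZE):
    """'lxc.idmap: <kind> <ct_start> <host_start> <count>' lines mapping container ids
    0..size-1 onto host base..base+size-1, except that each id in `passthrough`
    maps onto the identical id on the host. kind is 'u' or 'g'."""
    lines = []
    cursor = 0
    for ct_id in sorted(set(passthrough)):
        if not 0 <= ct_id < size:
            raise ValueError(f"{kind}id {ct_id} is outside the container range 0..{size - 1}")
        if ct_id > cursor:          # the shifted block before the hole
            lines.append(f"lxc.idmap: {kind} {cursor} {base + cursor} {ct_id - cursor}")
        lines.append(f"lxc.idmap: {kind} {ct_id} {ct_id} 1")   # the hole itself
        cursor = ct_id + 1
    if cursor < size:               # the shifted block after the last hole
        lines.append(f"lxc.idmap: {kind} {cursor} {base + cursor} {size - cursor}")
    return lines


def subid_lines(passthrough, user="root"):
    """Entries to add to /etc/subuid or /etc/subgid for each passed-through id."""
    return [f"{user}:{i}:1" for i in sorted(set(passthrough))]


def parse_idmap(text):
    """Parse 'lxc.idmap: u ...' (Proxmox) or 'lxc.idmap = u ...' (LXC) lines into
    (kind, ct_start, host_start, count) tuples."""
    maps = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("lxc.idmap"):
            continue
        kind, ct, host, count = line[len("lxc.idmap"):].lstrip(" :=").split()
        maps.append((kind, int(ct), int(host), int(count)))
    return maps


def parse_subid(text, user="root"):
    """(start, count) ranges for `user` from /etc/subuid or /etc/subgid content."""
    ranges = []
    for raw in text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            ranges.append((int(parts[1]), int(parts[2])))
    return ranges


def check_idmap(maps, subuid, subgid):
    """Return a list of problems (empty when the stanza looks usable): ranges that
    overlap on the container or host side, and host ranges not covered by a single
    sub*id entry for root."""
    problems = []
    allowed = {"u": (subuid, "/etc/subuid"), "g": (subgid, "/etc/subgid")}
    for kind in ("u", "g"):
        entries = [m for m in maps if m[0] == kind]
        ranges, path = allowed[kind]
        for i, (_, ct, host, n) in enumerate(entries):
            if n <= 0:
                problems.append(f"{kind}: range starting at container id {ct} has count {n}")
                continue
            if not any(s <= host and host + n <= s + c for s, c in ranges):
                problems.append(f"{kind}: host ids {host}..{host + n - 1} are not inside one root entry of {path}")
            for _, ct2, host2, n2 in entries[i + 1:]:
                if ct < ct2 + n2 and ct2 < ct + n:
                    problems.append(f"{kind}: container ids {ct}..{ct + n - 1} overlap {ct2}..{ct2 + n2 - 1}")
                if host < host2 + n2 and host2 < host + n:
                    problems.append(f"{kind}: host ids {host}..{host + n - 1} overlap {host2}..{host2 + n2 - 1}")
    return problems


# Constructed inputs: the sub*id files after adding the pass-through entries, a stanza
# generated by this script, and a copy of it with the third uid range's host start
# mistyped as 101006 (which collides with the first range) and the third gid range
# shifted the same way (which runs past the end of the subgid range).
SUBUID = "root:1197:1\nroot:100000:65536\n"
SUBGID = "root:1000:1\nroot:100000:65536\n"
GOOD = "\n".join(idmap_lines("u", [1197]) + idmap_lines("g", [1000]))
BAD = GOOD.replace("u 1198 101198 64338", "u 1198 101006 64338").replace(
    "g 1001 101001 64535", "g 1001 101006 64535")


def check_text(stanza, subuid=SUBUID, subgid=SUBGID):
    """Parse a stanza and the two sub*id files and run check_idmap over them."""
    return check_idmap(parse_idmap(stanza), parse_subid(subuid), parse_subid(subgid))


if __name__ == "__main__":
    print(GOOD)
    print("\n".join(subid_lines([1197])), "\n".join(subid_lines([1000])), sep="\n")
    for name, stanza in (("good", GOOD), ("bad", BAD)):
        print(name, check_text(stanza) or "OK")
```

A mistyped host start is the kind of error that only shows up as the container failing to start, so running the check against the real /etc/pve/lxc/197.conf, /etc/subuid and /etc/subgid contents before the restart is cheaper than reading the LXC log afterwards.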
 
Thank you.
Is it possible to map all uids inside the container to a single uid on the host?
 
No, I don't think so. But you can map your host group to the container group and then, in the container, add all the users to the group to grant them access.
 
Still no luck ;-(

I only set the group id translation and keep the user id...

on Host:
Code:
main:~# ls -lan /sclass_temp/
total 19
drwxr-xr-x  5 0    0  5 Feb  5 19:07 .
drwxr-xr-x 20 0    0 26 Jan  3 22:51 ..
drwxrwsr-x  2 0 1000  2 Feb  5 19:07 svn
drwxrwsr-x  2 0 1000  4 Feb  6 16:16 test

In container (as root):
Code:
# ls -lan /data/test/
total 2
drwxrwsr-x 2 65534 1000 4 Feb  6 15:16 .
drwxr-xr-x 4     0    0 4 Feb  5 18:31 ..
-rw-r--r-- 1 65534 1000 0 Feb  6 15:15 test.txt
-rw-r--r-- 1 65534 1000 0 Feb  6 15:16 test1.txt

# touch /data/test/test2.txt
touch: cannot touch '/data/test/test2.txt': Permission denied

/etc/subgid:
Code:
root:1000:1
root:100000:65536

/etc/subuid:
Code:
root:100000:65536

/etc/pve/lxc/197.conf:
Code:
lxc.idmap: u 0 100000 65535
lxc.idmap: g 0 100000 1000
lxc.idmap: g 1000 1000 1
lxc.idmap: g 1001 101001 64534
 
Tested now also with the complete configuration as mentioned above by @MapleEscape22, same result.
Code:
# ls -lan /data
total 10
drwxr-xr-x  4     0    0  4 Feb  5 18:31 .
drwxr-xr-x 22     0    0 22 Feb  6 18:39 ..
drwxrwsr-x  2 65534 1000  2 Feb  5 18:07 svn
drwxrwsr-x  2 65534 1000  4 Feb  6 15:16 test
# ls -lan /data/test/
total 2
drwxrwsr-x 2 65534 1000 4 Feb  6 15:16 .
drwxr-xr-x 4     0    0 4 Feb  5 18:31 ..
-rw-r--r-- 1 65534 1000 0 Feb  6 15:15 test.txt
-rw-r--r-- 1 65534 1000 0 Feb  6 15:16 test1.txt
# touch /data/test/test2.txt
touch: cannot touch '/data/test/test2.txt': Permission denied
#
 
In your container, did you create your group with a gid of 1000? When you do an "ls -la" in your container, you should see the group name you created, not 1000. And you also need to add your user to the group created in the container.

Also, your group permissions only have "read" for test.txt and test1.txt, so you wouldn't be able to touch them even if your user is in the group.

If that doesn't work, then I'm out of ideas.
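The "Permission denied" in the listings above comes down to an ordinary DAC check, run against ids as the container sees them: the host owner uid 0 is not mapped into the container (so it shows as 65534 and nobody inside can match it), the gid 1000 is mapped, and container root gets no CAP_DAC_OVERRIDE on an inode whose owner is unmapped, so only the "other" bits of drwxrwsr-x count. The script below is an added example, not code from this thread or from Proxmox: it models that check and works out which host uid/gid a new file ends up with under the two uid maps discussed. The directory ownership, mode and idmap numbers are taken from the thread; the process uid/gid sets are constructed for the example.

```python
"""Added example (not from the thread or Proxmox): model the Linux DAC check behind
'touch: Permission denied' in the thread above and work out which host uid/gid a
file created from the container ends up with. Ids, modes and idmaps are taken from
the thread; the process uid/gid sets are constructed for the example."""

OVERFLOW_ID = 65534   # how ls -n shows an owner that is not mapped into the container

# (container_start, host_start, count) triples, i.e. the numbers from lxc.idmap lines
POSTER_UMAP = [(0, 100000, 65535)]
POSTER_GMAP = [(0, 100000, 1000), (1000, 1000, 1), (1001, 101001, 64534)]
# uid map with a hole punched for 1197 (host start of the last range is 101198)
HOLE_UMAP = [(0, 100000, 1197), (1197, 1197, 1), (1198, 101198, 64338)]

# the bind-mounted directory as it sits on the host: owner 0, group 1000, mode drwxrwsr-x
DIR_HOST_UID, DIR_HOST_GID, DIR_MODE = 0, 1000, 0o2775


def to_container_id(host_id, ranges):
    """Host id -> container id, or None when the host id is not mapped at all."""
    for ct, host, n in ranges:
        if host <= host_id < host + n:
            return ct + (host_id - host)
    return None


def to_host_id(ct_id, ranges):
    """Container id -> host id, or None when the container id is not mapped."""
    for ct, host, n in ranges:
        if ct <= ct_id < ct + n:
            return host + (ct_id - ct)
    return None


def container_view(host_uid, host_gid, umap, gmap):
    """The (uid, gid) that 'ls -n' inside the container prints for a host-owned file."""
    uid = to_container_id(host_uid, umap)
    gid = to_container_id(host_gid, gmap)
    return (OVERFLOW_ID if uid is None else uid, OVERFLOW_ID if gid is None else gid)


def can_create_in(dir_host_uid, dir_host_gid, dir_mode, umap, gmap, proc_uid, proc_gids):
    """Can a container process (proc_uid, with the set proc_gids) create an entry in
    the directory? That needs write+search (w and x) on the directory. Root in the
    container holds CAP_DAC_OVERRIDE, but the kernel only lets it bypass DAC on an
    inode whose uid and gid are both mapped into the container's user namespace."""
    owner = to_container_id(dir_host_uid, umap)
    group = to_container_id(dir_host_gid, gmap)
    if proc_uid == 0 and owner is not None and group is not None:
        return True
    if owner is not None and proc_uid == owner:
        bits = (dir_mode >> 6) & 0o7
    elif group is not None and group in proc_gids:
        bits = (dir_mode >> 3) & 0o7
    else:
        bits = dir_mode & 0o7       # an unmapped owner never matches, so 'other' applies
    return (bits & 0o3) == 0o3


def new_file_host_owner(dir_host_gid, dir_mode, umap, gmap, proc_uid, proc_primary_gid):
    """Host-side (uid, gid) of a file the container process creates there. A setgid
    directory (the 's' in drwxrwsr-x) gives new files its own gid; otherwise they get
    the creating process's primary gid, translated back to the host."""
    host_uid = to_host_id(proc_uid, umap)
    host_gid = dir_host_gid if dir_mode & 0o2000 else to_host_id(proc_primary_gid, gmap)
    return host_uid, host_gid


if __name__ == "__main__":
    print("ls -n in the container shows:",
          container_view(DIR_HOST_UID, DIR_HOST_GID, POSTER_UMAP, POSTER_GMAP))
    for label, uid, gids in (("root, not in datauser", 0, {0}),
                             ("root added to datauser", 0, {0, 1000}),
                             ("uid 1197 in datauser", 1197, {1197, 1000})):
        ok = can_create_in(DIR_HOST_UID, DIR_HOST_GID, DIR_MODE, POSTER_UMAP, POSTER_GMAP, uid, gids)
        print(f"{label}: {'can create' if ok else 'Permission denied'}")
    for label, umap in (("poster's uid map", POSTER_UMAP), ("hole-punched uid map", HOLE_UMAP)):
        print(label, "-> new file owned on the host by",
              new_file_host_owner(DIR_HOST_GID, DIR_MODE, umap, POSTER_GMAP, 1197, 1197))
```

Two things the model makes visible: adding the creating user (root included) to the gid 1000 group inside the container is what turns the denial into a create, and the setgid bit on the host directory is what pins the group of new files to 1000 regardless of the creator's primary group; the host uid of those files is 101197 under the posted uid map and only becomes 1197 once uid 1197 is punched through in the same way as gid 1000.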
 