[SOLVED] lxc.idmap multiple groups to a single LXC

condiment_ghoul

New Member
Jul 18, 2024
Hi all,

Little bit stumped at the moment trying to idmap multiple groups to an unprivileged Debian 12 LXC container on PVE 8.2.4. I'm trying to get both Intel iGPU passthrough and r/w permissions on a bind mounted directory. Thus, I need access to host gid 104 (the GPU renderD128 group on the host) and uid/gid 1005 (the user/group that owns the bind mounted directories on the host). When I make the required changes to the LXC's /etc/pve/<lxc_id>.conf file, the LXC starts without errors but my usual login credentials for the LXC don't work and I can't ssh in. When I remove the lines, I can log in and ssh in to the LXC again.

Here's what I'm adding to my lxc.conf:

Code:
lxc.idmap: u 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 0 100000 104
lxc.idmap: g 104 104 1
lxc.idmap: g 105 100105 900
lxc.idmap: g 1005 1005 1
lxc.idmap: g 1006 101006 64530

As I understand it, line 1 maps uids 0-1004 in the container to 100000-101004 on the host.

Line 2 maps uid 1005 in the container to 1005 on the host.

Line 3 maps uids 1006-65536 in the container to 101006-165536 on the host.

Line 4 maps gids 0-103 in the container to 100000-100103 on the host.

Line 5 maps gid 104 in the container to 104 on the host.

Line 6 maps gids 105-1004 in the container to 100105-101004 on the host.

Line 7 maps gid 1005 in the container to 1005 on the host.

Line 8 maps gids 1006-65536 in the container to 101006-165536 on the host.

Here's my `/etc/subuid` file on the host:

Code:
root:100000:65536
storage-user:165536:65536
root:1005:1

And `/etc/subgid`:

Code:
root:100000:65536
storage-user:165536:65536
root:1005:1
root:104:1

What am I missing here? I should note that I have multiple other LXCs idmapping uid/gid 1005 already, and a Jellyfin LXC idmapping 104. But when trying to idmap both uid/gid 1005 and gid 104 into a single LXC, login and ssh are seemingly broken in that LXC.

Also, I know about the 'new' approach of passing through hardware to LXCs:
dev0: /dev/dri/renderD128,gid=104,uid=0

But if I understand correctly, this renders the hardware unusable by the host or other LXCs, which I want to avoid since the iGPU should be shared with another LXC.

Any help would be greatly appreciated!

Solved: turns out I had created a privileged container by mistake. This only works in unprivileged containers, and obviously there's no point in doing it in a privileged container anyway!
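As an added example (not code from the post or from Proxmox), the following checks a set of lxc.idmap lines the way one would before rebooting a container: every container id 0-65535 must be mapped exactly once, and every host range must be delegated to root in /etc/subuid and /etc/subgid. The config quoted above is embedded as strings instead of being read from the host; the function and variable names are this example's own.

```python
# Added example, not from the forum post: validate lxc.idmap lines against
# /etc/subuid and /etc/subgid. Inputs are copies of the config quoted above.
IDMAP = """
lxc.idmap: u 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 0 100000 104
lxc.idmap: g 104 104 1
lxc.idmap: g 105 100105 900
lxc.idmap: g 1005 1005 1
lxc.idmap: g 1006 101006 64530
"""
SUBUID = "root:100000:65536\nstorage-user:165536:65536\nroot:1005:1\n"
SUBGID = SUBUID + "root:104:1\n"

def parse_idmap(text):
    """Return {"u": [(ctr_start, host_start, count)], "g": [...]}."""
    maps = {"u": [], "g": []}
    for line in text.splitlines():
        if line.startswith("lxc.idmap:"):
            kind, c, h, n = line.split(":", 1)[1].split()
            maps[kind].append((int(c), int(h), int(n)))
    return maps

def parse_subid(text, user="root"):
    """Return [(start, count)] ranges delegated to `user` in a subuid/subgid file."""
    rows = (ln.split(":") for ln in text.splitlines() if ln.strip())
    return [(int(s), int(n)) for name, s, n in rows if name == user]

def check(entries, delegated, total=65536):
    """List problems with one id map; an empty list means it is usable."""
    problems, expected = [], 0
    for cstart, hstart, count in sorted(entries):
        if cstart > expected:  # hole in the container id space
            problems.append(f"container ids {expected}-{cstart - 1} unmapped")
        elif cstart < expected:  # two entries claim the same container ids
            problems.append(f"container id {cstart} overlaps an earlier entry")
        expected = cstart + count
        # the whole host range must sit inside one range delegated to root
        if not any(s <= hstart and hstart + count <= s + n for s, n in delegated):
            problems.append(f"host ids {hstart}-{hstart + count - 1} not delegated to root")
    if expected != total:
        problems.append(f"map ends at {expected}, expected {total}")
    return problems

def validate(idmap_text, subuid_text, subgid_text):
    maps = parse_idmap(idmap_text)
    return {"u": check(maps["u"], parse_subid(subuid_text)),
            "g": check(maps["g"], parse_subid(subgid_text))}
```

Run against the quoted config it reports nothing, which matches the outcome in the thread: the mapping itself was fine and the container type was the problem.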