Lxc u/gid mapping (unprivileged passthrough + mount)

tuxx

Mar 19, 2024
Hello,

I'm currently trying the following:
  1. creating ZFS mirror and directory in Proxmox, using it as backup and file sharing locally
  2. Debian LXC (unprivileged) with Cockpit as my Samba server. Here the mirror and directory from 1. should be mounted
  3. Jellyfin LXC (unprivileged). Subfolder of a directory of 1. is mounted.
  4. Jellyfin LXC (unprivileged) iGPU passthrough for hardware transcoding
What's currently working is: I'm able to access the Proxmox ZFS mirror and separate directory which I created on the Debian Samba LXC (thanks to this). The subfolder I created on the Samba directory share is also visible in Jellyfin.
Point 4 doesn't work yet. Here I'm currently struggling with the uid/gid mapping.

For example: To access the local proxmox ZFS/directory, I have to map
Code:
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
lxc.idmap = u 1006 101006 64530
lxc.idmap = g 1006 101006 64530

To get the transcoding working I may also need some similar mapping to:
Code:
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 104 1
lxc.idmap: g 108 100108 65428

Here the following mappings seem to overlap and I'm not sure how to handle it:
Code:
# Mount
lxc.idmap = u 0 100000 1005
lxc.idmap = g 0 100000 1005

# GPU
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44

Can anyone point me in the right direction?
The ID mapper didn't help and articles explain it to some degree, but I couldn't find anything about overlapping mappings.

Bonus question:
lxc.idmap = u 1005 1005 1
lxc.idmap = g 1005 1005 1
This seems like a one-to-one mapping. How can I find out what uid/gid 1005 is?
I'm planning in the future to also have a Nextcloud LXC with the ZFS mount and I want to make it as secure as possible. I read somewhere that one-to-one mappings should not necessarily be made, to avoid security problems. I assume it only refers to "0", the root user?
 
I managed to get it running and understood the mapping a bit better now.

Disclaimer: There can be some mistakes. I'm writing this currently with my understanding. Here I managed to get the Iris Xe passthrough to an unprivileged Jellyfin LXC running, as well as mount a ZFS share from Proxmox in the Jellyfin container, which is also mounted on my Samba LXC.

First, for mapping, it is important to understand that the whole range of 65536 should be mapped. We start with 0 and end with 65536. This applies to UID and GID.
If we want to map 44 and 108, we have to fill the mappings before, in between and after.
For example:
Code:
# Mapping 44 and 108 UID

lxc.idmap = u 0 100000 44        #map LXC uid 0 to host uid 100000 for 44 mappings (up to 100043)
lxc.idmap = u 44 44 1            #map LXC uid 44 to host uid 44 for one mapping (up to 44)
lxc.idmap = u 45 100045 63       #map 45 to 100045 for 63 mappings (up to 100107)
lxc.idmap = u 108 104 1          #map 108 to 104 for 1 (up to 104)
lxc.idmap = u 109 100109 65427   #map remaining numbers to fill up the whole range to 65536

I hope that helps with the understanding.

The mapping for my first post would be:
Code:
# mount point mapping of ZFS directory
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

# iGPU passthrough mapping
lxc.idmap: u 0 100000 65536
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 104 1
lxc.idmap: g 108 100108 65428

# RESULT (sorted u/gid):
lxc.idmap: u 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 0 100000 44
lxc.idmap: g 44 44 1
lxc.idmap: g 45 100045 62
lxc.idmap: g 107 104 1
lxc.idmap: g 108 100108 897
lxc.idmap: g 1005 1005 1
lxc.idmap: g 1006 101006 64530
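
Added example, not part of the posts above: a small Python helper that builds a full 0..65535 mapping around the passthrough IDs used in this thread, and checks a set of lxc.idmap lines for overlaps, gaps and ranges that land on real host IDs. The function names, BASE and SIZE are assumptions chosen for illustration.

```python
import re

BASE = 100000  # host offset for unprivileged IDs, as in the thread's mappings
SIZE = 65536   # container IDs 0..65535 must all be covered
IDMAP_RE = re.compile(r"\s*lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")

def build_idmap(kind, passthrough, base=BASE, size=SIZE):
    """kind is 'u' or 'g'; passthrough maps container ID -> real host ID."""
    lines, nxt = [], 0
    for cid in sorted(passthrough):
        if not 0 <= cid < size:
            raise ValueError(f"container id {cid} outside 0..{size - 1}")
        if cid > nxt:  # fill the gap before this ID with shifted IDs
            lines.append(f"lxc.idmap: {kind} {nxt} {base + nxt} {cid - nxt}")
        lines.append(f"lxc.idmap: {kind} {cid} {passthrough[cid]} 1")
        nxt = cid + 1
    if nxt < size:  # fill the rest of the range
        lines.append(f"lxc.idmap: {kind} {nxt} {base + nxt} {size - nxt}")
    return lines

def check_idmap(lines, base=BASE, size=SIZE):
    """Return (problems, exposed): coverage errors for each kind present, and
    the ranges that map onto real host IDs (host ID below base)."""
    ranges, problems, exposed = {}, [], []
    for line in lines:
        m = IDMAP_RE.match(line)  # trailing "#..." comments are ignored
        if m:
            kind, cid, hid, count = m.groups()
            ranges.setdefault(kind, []).append((int(cid), int(hid), int(count)))
    for kind, rs in ranges.items():
        expected = 0  # next container ID that should start a range
        for cid, hid, count in sorted(rs):
            if cid < expected:
                problems.append(f"{kind}: container id {cid} is mapped twice")
            elif cid > expected:
                problems.append(f"{kind}: container ids {expected}-{cid - 1} unmapped")
            expected = max(expected, cid + count)
            if hid < base:
                exposed.append((kind, cid, hid, count))
        if expected != size:
            problems.append(f"{kind}: mapping ends at {expected - 1}, not {size - 1}")
    return problems, exposed

if __name__ == "__main__":
    # IDs from the thread: uid/gid 1005 for the mount, gids 44 and 107->104 for the iGPU
    merged = build_idmap("u", {1005: 1005}) + build_idmap("g", {44: 44, 107: 104, 1005: 1005})
    print("\n".join(merged))
    print(check_idmap(merged))
```

Every entry in `exposed` is a host uid or gid that processes inside the container hold directly, so that list is the part to review when another container is given the same share.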
 