LXC User Mapping Permission Problem

W

wgallt

New Member
Apr 18, 2022
8
1
3
I've previously created eight lxc containers with user mapping and two bind mounts. Today I created another container using the same method as the others and I'm having an issue with a user's home directory after applying the user mapping. Here are the steps I use to create the container:

On LXC container:
I run the following commands:​
Code: 
useradd -u 1105 media
groupmod -g 1105 media
mkhomedir_helper media

The user media will be mapped to a media user on the PVE host. I check the permissions of the created home directory and it looks fine:​
Code: 
drwxr-xr-x  4 media media 4.0K Apr 18 00:36 media
I shutdown the container and edit the PVE host.

On PVE host:
Edit the subuid and subgid:​
Code: 
root:1105:1
root:100000:65536

Add these lines to the LXC .conf file:​
Code: 
mp0: /mnt/bindmounts/shared/Downloads,mp=/mnt/Downloads
mp1: /mnt/bindmounts/drobo/Media,mp=/mnt/Media
lxc.idmap: u 0 100000 1105
lxc.idmap: g 0 100000 1105
lxc.idmap: u 1105 1105 1
lxc.idmap: g 1105 1105 1
lxc.idmap: u 1106 101106 64430
lxc.idmap: g 1106 101106 64430

Now when I start the container the home directory of media changes permissions to this:
Code: 
drwxr-xr-x  4 nobody nogroup 4.0K Apr 17 23:28 media
I can't chown or modify these permissions with root. The only way to revert is to remove the user mapping. Can someone explain why this hasn't happened on my other containers using the same steps? Thanks in advance.
 
Hi,
wgallt said:
I've previously created eight lxc containers with user mapping and two bind mounts. Today I created another container using the same method as the others and I'm having an issue with a user's home directory after applying the user mapping. Here are the steps I use to create the container:

On LXC container:
I run the following commands:​
Code: 
useradd -u 1105 media
groupmod -g 1105 media
mkhomedir_helper media

The user media will be mapped to a media user on the PVE host. I check the permissions of the created home directory and it looks fine:​
Code: 
drwxr-xr-x  4 media media 4.0K Apr 18 00:36 media
I shutdown the container and edit the PVE host.

On PVE host:
Edit the subuid and subgid:​
Code: 
root:1105:1
root:100000:65536

Add these lines to the LXC .conf file:​
Code: 
mp0: /mnt/bindmounts/shared/Downloads,mp=/mnt/Downloads
mp1: /mnt/bindmounts/drobo/Media,mp=/mnt/Media
lxc.idmap: u 0 100000 1105
lxc.idmap: g 0 100000 1105
lxc.idmap: u 1105 1105 1
lxc.idmap: g 1105 1105 1
lxc.idmap: u 1106 101106 64430
lxc.idmap: g 1106 101106 64430

Now when I start the container the home directory of media changes permissions to this:
Code: 
drwxr-xr-x  4 nobody nogroup 4.0K Apr 17 23:28 media
Click to expand...

wgallt said:
I can't chown or modify these permissions with root. The only way to revert is to remove the user mapping. Can someone explain why this hasn't happened on my other containers using the same steps? Thanks in advance.
Click to expand...
I'd try to mount the container with pct mount <ID> and go to /var/lib/lxc/<ID>/rootfs. I guess the current owner/group of /home/media are the IDs from before the mapping, but with the mapping they don't belong to the media user anymore ;). You can change the owner/group to the mapped user's (you are running the command on the host, so there is no permission issue) and then use pct unmount <ID> and start the container with the mapping.
 
Last edited:
Thank you for your reply. I did as you suggested and for some reason the working containers show the owner by username on the host and the non-working (I've discovered a second one), are showing the uid of the user and group as owner. When I chown the directory it doesn't change:
Code: 
root@pve:/var/lib/lxc/100/rootfs/home# ls -lah
total 12K
drwxr-xr-x  3 100000 100000 4.0K Apr 17 12:19 .
drwxr-xr-x 18 100000 100000 4.0K Apr 21 08:56 ..
drwxr-xr-x  4 101105 101105 4.0K Apr 21 08:33 media
root@pve:/var/lib/lxc/100/rootfs/home# chown -R  media:media /var/lib/lxc/100/rootfs/media
root@pve:/var/lib/lxc/100/rootfs/home# ls -lah
total 12K
drwxr-xr-x  3 100000 100000 4.0K Apr 17 12:19 .
drwxr-xr-x 18 100000 100000 4.0K Apr 21 08:56 ..
drwxr-xr-x  4 101105 101105 4.0K Apr 21 08:33 media

The 101105 uid should be the user mapped to 1105 which is the uid of local user media. This is the permissions of one of the working containers:
Code: 
root@pve:/var/lib/lxc/114/rootfs/home# ls -lah
total 12K
drwxr-xr-x  3 100000 100000 4.0K Jan  9 13:04 .
drwxr-xr-x 18 100000 100000 4.0K Apr 21 09:05 ..
drwxr-xr-x  2 media  media  4.0K Jan  9 13:04 media

And the local uid and gid assignment on pve:
Code: 
root@pve:/# id media
uid=1105(media) gid=1105(media) groups=1105(media)

For some reason the mapping assignments aren't applying the same way between the working and non-working containers even though the .conf files for them are identical.
 
I tried your suggestion a different way and chown the pct mount to root:root first then media:media and it took correctly. Thank you!
 
You must log in or register to reply here.
Top Bottom