I recently tried running an autocalibre-web OCI image in a proxmox LXC container using the new OCI beta feature. I know it is just beta but wanted to provide some feedback.
The OCI image used s6-overlay as init. When combined with NFS bind mounts and an unprivileged container, the following issues came up:
s6-overlay shifts UIDs by 100000, so host UID 1000 becomes 101000 inside the container, breaking NFS mount ownership
s6-applyuidgid throws "unable to set supplementary group list: Operation not permitted" repeatedly because the LXC container lacks the required kernel capabilities
PUID/PGID environment variables set in the LXC config do not propagate correctly to s6-overlay on startup, causing it to reset UIDs on every reboot
Converting from unprivileged to privileged after the fact requires manually remapping the rootfs UIDs, which is complex and error-prone
OCI images using s6-overlay should keep in mind that NFS bind mounts and UID mapping may not work as expected until the beta matures. Not sure if this will help at all, but thought it might help with development.
I LOVE the OCI images just added and if we can get them working perfectly I think it is a huge win for Proxmox.
Keep up the amazing work.
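As an added example (not part of the original post), the UID translation behind the first issue above can be worked through for a Proxmox CT config: with the effective default map of an unprivileged container, a file created by container UID 1000 is stored as host UID 101000, while a file owned by host UID 1000 has no container-side identity at all (it shows as nobody, 65534), and a custom lxc.idmap that pins container 1000 to host 1000 only lets the container start if /etc/subuid and /etc/subgid also grant root that single id. The config text and subuid lines below are constructed; the pinning recipe follows the Proxmox wiki.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class IdMapEntry:
    kind: str             # "u" for UIDs, "g" for GIDs
    container_start: int  # first id as seen inside the container
    host_start: int       # first id as stored on the host (and sent to the NFS server)
    count: int

def parse_idmap(config_text):
    """Parse 'lxc.idmap: u <container_start> <host_start> <count>' lines from a CT config."""
    pat = re.compile(r"\s*lxc\.idmap:\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
    return [IdMapEntry(m[1], int(m[2]), int(m[3]), int(m[4]))
            for m in map(pat.match, config_text.splitlines()) if m]

def host_to_container(entries, kind, host_id):
    """Id a host-owned file appears as inside the container; None = unmapped (nobody, 65534)."""
    for e in entries:
        if e.kind == kind and e.host_start <= host_id < e.host_start + e.count:
            return e.container_start + (host_id - e.host_start)
    return None

def container_to_host(entries, kind, container_id):
    """Id written to the host/NFS when a container process with container_id creates a file."""
    for e in entries:
        if e.kind == kind and e.container_start <= container_id < e.container_start + e.count:
            return e.host_start + (container_id - e.container_start)
    return None

def unallocated_host_ranges(entries, kind, subid_text, user="root"):
    """Host ranges of the given kind that /etc/subuid (or /etc/subgid) does not grant to `user`.
    LXC refuses to start the container while this is non-empty (conservative check: each
    idmap range must sit inside one allocation line, as in the Proxmox wiki recipe)."""
    allowed = []
    for line in subid_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 3 and parts[0] == user:
            allowed.append((int(parts[1]), int(parts[1]) + int(parts[2])))
    return [(e.kind, e.host_start, e.host_start + e.count - 1) for e in entries if e.kind == kind
            and not any(a <= e.host_start and e.host_start + e.count <= b for a, b in allowed)]

# Constructed configs. DEFAULT is the effective map of a stock unprivileged Proxmox CT;
# PINNED follows the Proxmox wiki recipe that maps container uid/gid 1000 straight to host 1000.
DEFAULT = "lxc.idmap: u 0 100000 65536\nlxc.idmap: g 0 100000 65536\n"
PINNED = "\n".join(f"lxc.idmap: {k} {c} {h} {n}" for k in "ug"
                   for c, h, n in ((0, 100000, 1000), (1000, 1000, 1), (1001, 101001, 64535)))
```

Run the same check against the real CT config under /etc/pve/lxc/ and the host's /etc/subuid before rebooting, since a rejected idmap fails the whole container start rather than just the bind mount.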