proxmox lxc UID/GID mapping

AndAsh

Proxmox v7.3-3
I have connected a host system directory to an lxc container, configured a read/write UID/GID mapping of the user in the connected directory. After starting the container, the permissions on the directory are correct, but all permissions of this user in the container have changed to nobody:nogroup.

/etc/subuid
Bash:
root:100000:65536
root:1001:1

/etc/subgid
Bash:
root:100000:65536
root:1001:1

/etc/pve/lxc/100.conf
Bash:
arch: amd64
cores: 4
cpulimit: 4
features: fuse=1,nesting=1
hostname: opensearch-01-v1.0.0
memory: 8192
mp0: /srv/nfs/opensearch-01/data,mp=/var/lib/opensearch
nameserver: 10.3.0.165 10.3.0.166
net0: name=eth0,bridge=vmbr1,gw=10.3.4.254,hwaddr=BA:65:74:12:69:34,ip=10.3.4.174/24,tag=40,type=veth
ostype: debian
rootfs: vms:100/vm-100-disk-0.raw,size=25G
searchdomain: mnc078.mcc250.dsrc.labics.ru
swap: 4096
unprivileged: 1
lxc.idmap: u 0 100000 1001
lxc.idmap: g 0 100000 1001
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 101002 64534
lxc.idmap: g 1002 101002 64534

Bash:
ls -l /etc/opensearch

-rw------- 1 nobody nogroup  1704 янв 12 17:17 esnode-key.pem
-rw------- 1 nobody nogroup  1529 янв 12 17:17 esnode.pem
-rw-r--r-- 1 nobody nogroup  3065 янв 12 17:37 jvm.options
drwxr-xr-x 2 nobody nogroup  4096 окт 14  2022 jvm.options.d
-rw------- 1 nobody nogroup  1704 янв 12 17:17 kirk-key.pem
-rw------- 1 nobody nogroup  1655 янв 12 17:17 kirk.pem
-rw-r--r-- 1 nobody nogroup 14808 окт 14  2022 log4j2.properties
-rw-rw---- 1 nobody nogroup   196 янв 12 17:18 opensearch.keystore
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-notifications
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-notifications-core
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-observability
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-performance-analyzer
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-reports-scheduler
drwxr-xr-x 2 nobody nogroup  4096 янв 12 17:17 opensearch-security
-rw-r--r-- 1 nobody nogroup  6240 янв 12 17:34 opensearch.yml
-rw-r--r-- 1 nobody nogroup  6211 янв 12 17:28 opensearch.yml.sample
-rw------- 1 nobody nogroup  1716 янв 12 17:17 root-ca.pem

How to do UID/GID mapping correctly?
 
Did you change the owner to the correct UID/GID? Please check via ls -n. Also, your mountpoint is mounted to /var/lib/opensearch, not /etc/opensearch? If the files you are referring to are not the ones on the mountpoint, then I suspect that the ownership of these files on the container's rootfs is incorrect.
In that case, you can mount the filesystem on the Proxmox VE host via pct mount <VMID>, and change the permissions on the mounted filesystem, so /var/lib/lxc/<VMID>/rootfs.

Edit: Run pct unmount <VMID>, to unmount the filesystem again after taking action.
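
Why a correct-looking map can still show nobody:nogroup, as an added example (not from the thread or from Proxmox): it translates IDs through the lxc.idmap lines quoted in the question. It assumes the rootfs files were created under the default unprivileged mapping (container ID + 100000) before the custom map was added; the function names are hypothetical.

```python
# Added example: translate IDs through the lxc.idmap lines quoted in this thread.
OVERFLOW_ID = 65534  # kernel default overflowuid/overflowgid, listed as nobody/nogroup

CONF = """\
lxc.idmap: u 0 100000 1001
lxc.idmap: g 0 100000 1001
lxc.idmap: u 1001 1001 1
lxc.idmap: g 1001 1001 1
lxc.idmap: u 1002 101002 64534
lxc.idmap: g 1002 101002 64534
"""

def parse_idmap(conf, kind="u"):
    """Return [(container_start, host_start, count)] for kind 'u' or 'g'."""
    ranges = []
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() != "lxc.idmap":
            continue  # skip every other key in the container config
        k, ct, host, count = value.split()
        if k == kind:
            ranges.append((int(ct), int(host), int(count)))
    return ranges

def to_host(ranges, ct_id):
    """Host ID that a container ID is stored as on disk, or None if unmapped."""
    for ct, host, count in ranges:
        if ct <= ct_id < ct + count:
            return host + (ct_id - ct)
    return None

def to_container(ranges, host_id):
    """ID the container sees for an on-disk host ID; unmapped IDs overflow."""
    for ct, host, count in ranges:
        if host <= host_id < host + count:
            return ct + (host_id - host)
    return OVERFLOW_ID

def stale_owner(ranges, ct_id, old_offset=100000):
    """Assumption: the file was written under the old default map (ID + offset).
    Returns (host owner on disk, ID the container now sees for it)."""
    old_host = old_offset + ct_id
    return old_host, to_container(ranges, old_host)

if __name__ == "__main__":
    uid_map = parse_idmap(CONF, "u")
    print("container 1001 is stored on the host as", to_host(uid_map, 1001))
    print("host 101001 is seen in the container as", to_container(uid_map, 101001))
    print("stale owner for container UID 1001:", stale_owner(uid_map, 1001))
```

Under that assumption, `ls -n` on the rootfs mounted with `pct mount <VMID>` would show such files owned by 101001, which none of the three ranges covers.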
 