RFC: easy & straightforward lxc unprivileged container uid/gid remap strategy

RolandK

Mar 5, 2019
We all know that uid remapping with unprivileged containers is a complicated thing, especially when you want to share some additional dirs from the host's filesystem with the container.

I have given it some thought and made a recipe:

1. Create the CT

2. Add
lxc.idmap: u 0 <$ctid>00000 65536
lxc.idmap: g 0 <$ctid>00000 65536
to
/etc/pve/lxc/<$ctid>.conf

3. Add
root:<$ctid>00000:65536
to
/etc/subuid and /etc/subgid

4. Use the uid remap script from https://tbrink.science/blog/2017/06...ed-lxc-containers-to-unprivileged-containers/ to change the uids/gids in the container filesystem accordingly:

/root/remapuids.py /path/to/container/mountpoint <$ctid-1>00000

For example, for container id 106 everything is now remapped from 100000 (the default) to 10600000: root (uid 0) inside the container is uid 10600000 on the host, uid 1 is 10600001, and so on.

Did I overlook something?

Opinions?
 
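The recipe above, as an added example that is neither RolandK's commands nor the remapuids.py script linked in the post: a small Python helper (hypothetical, all names are mine) that derives the <ctid>00000 range for a CTID, prints the lxc.idmap and subuid/subgid lines, maps ids in both directions (container id to host id, and host id back to the owning container), and shifts ownership of an existing rootfs in place. It also checks two things the post takes for granted: that the ranges of neighbouring CTIDs cannot overlap (each range is 65536 ids wide inside a stride of 100000, so the reverse lookup is unambiguous), and that the range still fits in the 32-bit uid space, which limits this scheme to CTIDs up to 42949.

```python
#!/usr/bin/env python3
"""Per-container uid/gid ranges of the form <ctid>00000.

Hypothetical helper written for this thread; it is not the remapuids.py script
linked in the post. Generates the lxc.idmap and subuid/subgid lines for a CTID,
maps ids in both directions, and re-owns an existing container filesystem.
"""
import os
import sys

RANGE = 65536           # ids mapped per container, as in the post's lxc.idmap lines
STRIDE = 100_000        # <ctid>00000: the range of container N starts at N * 100000
DEFAULT_BASE = 100_000  # where Proxmox maps an unprivileged CT by default
UID_MAX = 2**32 - 2     # 4294967294; (uid_t)-1 is reserved by the kernel


def base_for(ctid):
    """Start of the host uid/gid range for a container id, with a bounds check."""
    if ctid < 1:
        raise ValueError("ctid must be positive")
    base = ctid * STRIDE
    if base + RANGE - 1 > UID_MAX:
        raise ValueError(f"ctid {ctid}: range does not fit in 32-bit uid space")
    return base


def config_lines(ctid):
    """lxc.idmap entries for /etc/pve/lxc/<ctid>.conf and the entry that goes
    into both /etc/subuid and /etc/subgid."""
    base = base_for(ctid)
    idmap = [f"lxc.idmap: u 0 {base} {RANGE}", f"lxc.idmap: g 0 {base} {RANGE}"]
    subid = f"root:{base}:{RANGE}"
    return idmap, subid


def to_host(container_id, ctid):
    """Host id that the container-internal uid/gid `container_id` maps to."""
    if not 0 <= container_id < RANGE:
        raise ValueError("id outside the mapped range")
    return base_for(ctid) + container_id


def owner_of(host_id):
    """Reverse lookup: (ctid, container-internal id) for a host id, or None when
    the id is not inside any <ctid>00000 range (a host account, or an id in the
    unused gap between RANGE and STRIDE). Unambiguous because RANGE < STRIDE."""
    ctid, offset = divmod(host_id, STRIDE)
    if ctid < 1 or offset >= RANGE:
        return None
    return ctid, offset


def remap_id(host_id, old_base, new_base):
    """Shift one id from [old_base, old_base + RANGE) into the new range.
    Ids outside the old range are returned unchanged on purpose."""
    if old_base <= host_id < old_base + RANGE:
        return host_id - old_base + new_base
    return host_id


def remap_tree(root, old_base, new_base, chown=os.lchown):
    """Re-own every inode under `root`: directories, files and symlinks (the
    link itself, never its target). Returns the number of inodes changed.
    `chown` is injectable so the walk can be dry-run without root."""
    changed = 0
    for dirpath, dirnames, filenames in os.walk(root):
        paths = [dirpath]
        paths += [os.path.join(dirpath, n) for n in filenames]
        # os.walk does not descend into symlinked dirs, so re-own the link here
        paths += [os.path.join(dirpath, d) for d in dirnames
                  if os.path.islink(os.path.join(dirpath, d))]
        for p in paths:
            st = os.lstat(p)
            uid = remap_id(st.st_uid, old_base, new_base)
            gid = remap_id(st.st_gid, old_base, new_base)
            if (uid, gid) != (st.st_uid, st.st_gid):
                chown(p, uid, gid)
                changed += 1
    return changed


if __name__ == "__main__":
    if len(sys.argv) == 2:                                   # ctid_idmap.py <ctid>
        idmap, subid = config_lines(int(sys.argv[1]))
        print("\n".join(idmap))
        print(subid)
    elif len(sys.argv) == 5 and sys.argv[1] == "--remap":    # --remap <path> <old_base> <new_base>
        n = remap_tree(sys.argv[2], int(sys.argv[3]), int(sys.argv[4]))
        print(f"re-owned {n} inodes")
    else:
        sys.exit("usage: ctid_idmap.py <ctid> | --remap <path> <old_base> <new_base>")
```

For container 106, `ctid_idmap.py 106` prints the two lxc.idmap lines with base 10600000 and `root:10600000:65536`; `ctid_idmap.py --remap /path/to/rootfs 100000 10600000`, run as root with the container stopped, moves a rootfs from the default range into the new one. Ids outside the old range are deliberately left alone, so a rootfs is only ever shifted once even if the command is repeated with the same arguments.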
OK, valid point! But I have no better idea on how to make it straightforward.
I have rarely seen someone using such high numbers for VMs.
Is it common?

I think it's cool that you can now see by uid/gid to which container some files belong.
 
> OK, valid point! But I have no better idea on how to make it straightforward.
> I have rarely seen someone using such high numbers for VMs.
> Is it common?

I use ranges like 10000 or 100000 if I want to create a guest for testing and throw it away afterwards, because for the more reasonable VMID ranges I never use a VMID twice and I have to document using it.

> I think it's cool that you can now see by uid/gid to which container some files belong.

Yup, that's a nice feature.