[SOLVED] Trying to get more info about the uid gid mapping

Hello all

finally had time to try it out and after many attempts I think I figured it out. I have a CT user with UID 110 and GID 117 and that's how I mapped it:

Code: 
lxc.idmap: u 0 100000 110
lxc.idmap: g 0 100000 117
lxc.idmap: u 110 110 1
lxc.idmap: g 117 117 1
lxc.idmap: u 111 100111 65425
lxc.idmap: g 118 100118 65417

The CT started and seemed to work fine, but the service which is starting with that UID now fails to start. It returns permission denied message:

Unhandled exception. System.UnauthorizedAccessException: Access to the path '/var/lib/jellyfin/data' is denied.
Click to expand...

How is the mapping affecting the container permissions? I mean, from what I understood, by mapping the UID and GID you only affect what you do outside the container, isn't it?
 
Did you also used chown to change the owner of the bind-mounted folder to UID 110 and GID 117? Maybe it is still owned by 100110 or whatever it was before.
 
Dunuin said:
Did you also used chown to change the owner of the bind-mounted folder to UID 110 and GID 117? Maybe it is still owned by 100110 or whatever it was before.
Click to expand...
This is how the permissions look like within the host:

1615725354720.png

all of those are mounted within that container. So you're saying I should chown to 110/117 these? I honestly would like to avoid that as these are mounted in other CTs too.. Perhaps I should do something like get a UID/GID that I use to chown the mount points and map it in all CTs that need to access the same folders ?

In any case, I still don't get how changing the mapping for that CT is affecting the user and the service running within that CT... it looks like when I map the user something changes within the CT itself and that user can't access the folders it was having access (in this case the var/lib/jellyfin used by the Jellyfin server)

Again, sorry for all these dumb questions, I'm trying to understand the way it works. What's confusing me is that so far I understood the mapping was "one-way" only, like you use the mapping to ensure the user within the CT can correctly access resources outside and not within the CT itself..
 
vacar84 said:
This is how the permissions look like within the host:

View attachment 24435
Click to expand...
Folders DIR02 to DIR05 should be accessable from your LXC because you set chmod 777 so everyone can do everything no matter which user or group is trying to access it. If you set everything to chmod 777 you don't need user remapping...but of cause, that isn't the most secure way to do it.
Folder DIR01 is only writeable by user root (UID 0) and read/executable by the group root. So your mapped user with UID 110 has no permissions to access it until you change the owner of DIR01 on the host to UID 110 / GID 117.
vacar84 said:
all of those are mounted within that container. So you're saying I should chown to 110/117 these? I honestly would like to avoid that as these are mounted in other CTs too.. Perhaps I should do something like get a UID/GID that I use to chown the mount points and map it in all CTs that need to access the same folders ?
Click to expand...
Jup, then you need to create the same user on all LXC and edit each mapping.
vacar84 said:
In any case, I still don't get how changing the mapping for that CT is affecting the user and the service running within that CT... it looks like when I map the user something changes within the CT itself and that user can't access the folders it was having access (in this case the var/lib/jellyfin used by the Jellyfin server)

Again, sorry for all these dumb questions, I'm trying to understand the way it works. What's confusing me is that so far I understood the mapping was "one-way" only, like you use the mapping to ensure the user within the CT can correctly access resources outside and not within the CT itself..
Click to expand...
LXCs aren't fully isolated like VMs. At the end your host and your LXC is still the same OS, sharing the same kernel, same hardware and so on. So chaning something on the host might have an effect on the LXC and vice versa.
 
  • Like
Reactions: vacar84
Dunuin said:
Folders DIR02 to DIR05 should be accessable from your LXC because you set chmod 777 so everyone can do everything no matter which user or group is trying to access it. If you set everything to chmod 777 you don't need user remapping...but of cause, that isn't the most secure way to do it.
Folder DIR01 is only writeable by user root (UID 0) and read/executable by the group root. So your mapped user with UID 110 has no permissions to access it until you change the owner of DIR01 on the host to UID 110 / GID 117.

Jup, then you need to create the same user on all LXC and edit each mapping.

LXCs aren't fully isolated like VMs. At the end your host and your LXC is still the same OS, sharing the same kernel, same hardware and so on. So chaning something on the host might have an effect on the LXC and vice versa.
Click to expand...
Sorry didn't have time to test this and to reply you. I've made all necessary changes and it looks like the CT is working fine now!

Thanks for all the help!
 
  • Like
Reactions: Dunuin
You must log in or register to reply here.
Top Bottom