UID mapping and permission issue

wgallt
Apr 18, 2022
I'm trying to map an unprivileged LXC user to the host and experiencing some weird behavior. Here are the directory permissions before mapping:
Code:
drwxr-xr-x 4 app  app  10 Apr 30 03:04 config
...and ls -n:
Code:
drwxr-xr-x 4 1005 1005 10 Apr 30 03:04 config

I add the mapping to the conf file:
Code:
arch: amd64
cores: 2
features: fuse=1,keyctl=1,nesting=1
hostname: docker
memory: 2048
net0: name=eth0,bridge=vmbr0,firewall=1,gw=192.168.68.1,hwaddr=16:DA:1B:AF:40:4F,ip=192.168.68.20/24,type=veth
ostype: ubuntu
rootfs: app:subvol-111-disk-0,size=20G
swap: 512
unprivileged: 1
lxc.cgroup2.devices.allow: c 10:200 rwm
lxc.mount.entry: /dev/net dev/net none bind,create=dir
lxc.mount.entry: /dev/net/tun dev/net/tun none bind,create=file
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530

My subuid & subgid
Code:
root@pve:/etc/pve/lxc# cat /etc/subuid
root:100000:65536
root:1005:1
root@pve:/etc/pve/lxc# cat /etc/subgid
root:100000:65536
root:1005:1

I start the container and the folder permissions are now:
Code:
drwxr-xr-x 4 nobody nogroup 11 Apr 30 03:14 config
...and ls -n:
Code:
drwxr-xr-x 4 65534 65534 11 Apr 30 03:14 config

I use UID/GID 1005 in my containers to access mount points. As with the other containers, when I do, I can no longer chown them to the correct owners; I get a permission denied. I have to shut down the container, pct mount from the host and do it there, then the container's permissions are correct. Oddly enough, the mount points pass through with the correct mapping. Any thoughts on what I'm doing wrong here? Thanks.
 
When changing the user/group remapping, the old files are still owned by the UID they were owned by before. So previously your files were owned by UID 101005, which was mapped to UID 1005 inside the LXC. Now you changed the remapping from 101005->1005 to 1005->1005. All your files are still owned by UID 101005, but your user with UID 1005 inside the LXC now can't access them, as he is now UID 1005 on the host too, so no longer the owner of files owned by UID 101005.
To fix that you would need to use the CLI of your PVE host to chown all files of that container from UID 101005 to 1005.
 
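Worked example of the remapping arithmetic behind that answer (added here; it is not code from the thread or from Proxmox/LXC). It parses the old and new lxc.idmap lines, shows why a file still owned by host UID 101005 now lists as nobody/nogroup (65534) inside the CT, checks that every host range in the new map is covered by /etc/subuid and /etc/subgid, and prints the find/chown commands to run as root on the PVE host with the CT stopped. Assumptions of mine: the CT previously used the Proxmox default map (0..65535 -> 100000..165535), the rootfs is mounted at ROOTFS (the path pct mount uses for CT 111), and FILES is a constructed sample, not a real listing.

```python
# Added example, not code from the thread or from Proxmox/LXC. It models what
# an lxc.idmap change does to file ownership and prints the host-side chown
# plan the reply describes. Assumptions (mine): the CT previously used the
# Proxmox default map 0..65535 -> 100000..165535, the rootfs is mounted on the
# host at ROOTFS (via "pct mount 111"), and FILES is a constructed sample.
from collections import namedtuple

Range = namedtuple("Range", "kind ct_start host_start count")
NOBODY = 65534                       # unmapped host id shows as nobody/nogroup in the CT
ROOTFS = "/var/lib/lxc/111/rootfs"   # assumed mount point of the stopped CT

OLD_IDMAP = """u 0 100000 65536
g 0 100000 65536"""

NEW_IDMAP = """lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530"""

SUBUID = "root:100000:65536\nroot:1005:1"
SUBGID = "root:100000:65536\nroot:1005:1"

# Constructed sample: (path, host uid, host gid) as the host sees the rootfs.
FILES = [("config", 101005, 101005), ("etc/passwd", 100000, 100000)]


def parse_idmap(text):
    """Parse 'u|g <ct_start> <host_start> <count>' lines, with or without the lxc.idmap: prefix."""
    ranges = []
    for line in text.splitlines():
        line = line.split(":", 1)[1] if line.startswith("lxc.idmap:") else line
        parts = line.split()
        if parts:
            kind, ct, host, count = parts
            ranges.append(Range(kind, int(ct), int(host), int(count)))
    return ranges


def ct_to_host(ranges, kind, ct_id):
    """Host id a container id is stored as on disk; None if the CT cannot use that id."""
    for r in ranges:
        if r.kind == kind and r.ct_start <= ct_id < r.ct_start + r.count:
            return r.host_start + (ct_id - r.ct_start)
    return None


def host_to_ct(ranges, kind, host_id):
    """Id the container sees for a host-owned file; NOBODY when the host id is unmapped."""
    for r in ranges:
        if r.kind == kind and r.host_start <= host_id < r.host_start + r.count:
            return r.ct_start + (host_id - r.host_start)
    return NOBODY


def appears_as(ranges, files):
    """What each host-owned file looks like from inside the container (ls -n)."""
    return [(p, host_to_ct(ranges, "u", u), host_to_ct(ranges, "g", g)) for p, u, g in files]


def ownership_changes(old, new, kind, ct_max=65536):
    """{old_host_id: new_host_id} for every container id whose on-disk id moved."""
    changes = {}
    for ct_id in range(ct_max):
        o, n = ct_to_host(old, kind, ct_id), ct_to_host(new, kind, ct_id)
        if o is not None and n is not None and o != n:
            changes[o] = n
    # A target that is also a source would be moved twice by sequential finds;
    # such maps need a two-pass remap through unused ids, so refuse them here.
    if set(changes) & set(changes.values()):
        raise ValueError("overlapping remap: move through unused ids in two passes")
    return changes


def chown_plan(old, new, rootfs):
    """Commands to run as root on the PVE host with the CT stopped and its rootfs mounted."""
    cmds = []
    for o, n in sorted(ownership_changes(old, new, "u").items()):
        cmds.append(f"find {rootfs} -xdev -uid {o} -exec chown -h {n} {{}} +")
    for o, n in sorted(ownership_changes(old, new, "g").items()):
        cmds.append(f"find {rootfs} -xdev -gid {o} -exec chgrp -h {n} {{}} +")
    return cmds


def uncovered_ranges(ranges, subuid_text, subgid_text):
    """idmap host ranges not covered by a single root:<start>:<count> entry (must be empty)."""
    allowed = {"u": [], "g": []}
    for kind, text in (("u", subuid_text), ("g", subgid_text)):
        for line in text.splitlines():
            user, start, count = line.split(":")
            if user == "root":
                allowed[kind].append((int(start), int(start) + int(count)))
    bad = []
    for r in ranges:
        lo, hi = r.host_start, r.host_start + r.count
        if not any(a <= lo and hi <= b for a, b in allowed[r.kind]):
            bad.append(r)
    return bad


if __name__ == "__main__":
    old, new = parse_idmap(OLD_IDMAP), parse_idmap(NEW_IDMAP)
    print("inside CT after remap:", appears_as(new, FILES))
    print("subid gaps:", uncovered_ranges(new, SUBUID, SUBGID))
    print("\n".join(chown_plan(old, new, ROOTFS)))
```

The plan deliberately uses find -uid/-gid with chown -h so symlinks are relabelled rather than followed, and -xdev so a bind-mounted host directory under the rootfs is not touched. Only the ids whose host value actually changed are rewritten, which for the map in this thread is just 101005 -> 1005; a file owned by an id the new map no longer covers keeps showing as 65534 until it is chowned.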