I’m rather new to LXC and currently running LXC 5.0.3 on a host with a few running unprivileged containers started with lxc-execute as different users, and no idmaps. I want them to be unprivileged as I have no need for root privileges for anything.
One of the containers creates a UNIX socket with particular user:group permissions. Another container hosts another program that needs the aforementioned UNIX socket. The users are members of the respective groups that grant access to the UNIX sockets, and it works on the host, but not in a container, where they are denied by the OS (Permission denied). If I manually chmod the UNIX socket files to 666 after creation, the containers are allowed to use them with no problems.
This led me to believe additional group memberships are reset/dropped when creating an LXC container.
On Linux, extra groups are managed by userspace, not by the kernel.
PAM is what reads your /etc/group to look at your extra groups and add them to the current user during login.
When you use something like lxc-attach, you’re only dealing with what the kernel can do, so no extra groups.
But if, as the root user in the container, you spawn your unprivileged task through su NAME -c "command", then su will go through PAM, and so your user will get its extra groups initialized.
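To make the distinction above concrete, here is an added example (not code from the thread or from the LXC project) that does in Python what initgroups(3) and a PAM session do: parse /etc/group to find a user's supplementary groups, and then emulate the kernel's discretionary permission check that connect(2) performs on a UNIX socket inode. The group file contents, user and group names and numeric ids are constructed for the example and are not the questioner's. The script also shows what the kernel actually holds for the running process via getgroups(2), which is the list an lxc-attach'ed shell sees empty.

```python
import os
import stat

# Constructed sample /etc/group contents for this example (not from the thread).
# appuser is a member of socketgrp only via the members field of this file,
# so the kernel knows nothing about it until userspace calls setgroups/initgroups.
SAMPLE_GROUP_FILE = """\
root:x:0:
daemon:x:1000:
socketgrp:x:1001:appuser
appuser:x:1002:
"""


def parse_group_file(text):
    """Parse /etc/group formatted text into {name: (gid, [members])}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _password, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups


def supplementary_gids(username, text):
    """The extra gids a PAM session (via initgroups(3)) would hand `username`.

    This is pure userspace work over /etc/group; nothing in the kernel ever
    derives it on its own.
    """
    groups = parse_group_file(text)
    return sorted(gid for gid, members in groups.values() if username in members)


def socket_accessible(uid, gid, extra_gids, st_uid, st_gid, mode):
    """Emulate the kernel's DAC check for connect(2) on a UNIX socket.

    connect() needs write permission on the socket inode. Owner bits are used
    if the uid matches; otherwise group bits if the primary gid or any
    supplementary gid matches the inode's group; otherwise the other bits.
    """
    if uid == st_uid:
        return bool(mode & stat.S_IWUSR)
    if gid == st_gid or st_gid in extra_gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def current_process_gids():
    """Primary gid plus the supplementary list the kernel holds for this process.

    Under lxc-attach or lxc-execute started as a plain user this list is
    typically just the primary group, because nobody called initgroups().
    """
    return os.getgid(), sorted(os.getgroups())


def apply_groups_like_su(username, primary_gid):
    """What su/PAM does before dropping to the target user: populate the
    supplementary group list from /etc/group. Requires CAP_SETGID (root),
    so it is only illustrative here and not exercised by the demo below."""
    os.initgroups(username, primary_gid)


if __name__ == "__main__":
    extra = supplementary_gids("appuser", SAMPLE_GROUP_FILE)
    print("supplementary gids PAM would grant appuser:", extra)
    # Socket owned by daemon:socketgrp, mode 0660, as in the scenario described.
    print("0660 socket, groups dropped :", socket_accessible(1002, 1002, [], 1000, 1001, 0o660))
    print("0660 socket, groups via PAM :", socket_accessible(1002, 1002, extra, 1000, 1001, 0o660))
    print("0666 socket, groups dropped :", socket_accessible(1002, 1002, [], 1000, 1001, 0o666))
    print("this process (gid, supplementary):", current_process_gids())
```

Running `id -G` inside the container once via lxc-attach and once via `su NAME -c 'id -G'` gives the same contrast as the first two `socket_accessible` lines: with the supplementary list empty the 0660 socket is refused, with it populated the group bit applies, and chmod 666 only works because it falls through to the other bits.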