Can I mount volume as another user inside one container?

I am following this tutorial and have a shared volume.

The custom volume has files owned by user1 (UID=1000). I would like to achieve this. Is it possible?

  • When the volume is mounted on container1, map user1 to user1 (1000->1000) inside container1.
  • When the volume is mounted on container2, map user1 to www-data (1000->33) inside container2.
  • When mounted on another container, map user1 to another user inside that container.

The custom volume is set with security.shifted=true and the container runs with security.idmap.isolated=true. From the host’s htop, I can see each container is running on its own user.

I tried to set raw.idmap on the container, but that does not seem to work.

ID mapping is a bit complex and requires some time until you get it correct. There are quite a few topics around how to perform the correct mapping. One that might come close is Trouble with idmaps in restricted Incus container; have a look at it and try it out. Alternatively, search for idmap and you will find a few more threads where it has been discussed.


After some learning, here is the way:

  1. Set up raw.idmap for the container. I am writing raw.idmap: both 1000 33 because both the UID and the GID are the same. After the container has started, use htop to find the PID of the container's init process.

    Check the ID map of the container by:

    cat /proc/<PID>/uid_map
    #         0    1000000         33
    #        33       1000          1
    #        34    1000034  999999966
    

    The above output means the container’s 0 maps to host’s 1000000, container’s 33 maps to host’s 1000 user.

  2. When mounting a host folder, do NOT set shift: true. If you set that, chown 33 inside the container will make the file owned by 33 on the host as well. For a volume, unset security.shifted and set security.unmapped: true.

    We can confirm that the mount path is NOT idmapped.

    cat /proc/<PID>/mounts
    # /dev/nvme0n1p2 /test btrfs rw,noatime,ssd,discard=async,space_cache=v2,user_subvol_rm_allowed,subvolid=1942,subvol=/@rootfs 0 0
    

    Normally, if a file in that folder/volume does not fit your custom ID map, it will show up as nobody. So remember to have the full custom ID map for an unshifted folder/volume. Read more in this post by simos.

Other notes:

  • There is NO need to install the uidmap package. It seems that incus handles the ID map by itself.
  • There is NO need to edit the /etc/sub[ug]id files, unless you install the uidmap package for ID mapping. But as I mentioned, incus has its own handling of the ID map.

Honestly, even though I got the ID map working, the current functionality still does not meet my needs.

For example, I have a Samba container. It mounts a couple of volumes: nextcloud, time-machine, bittorrent. Nextcloud is owned by www-data (UID=33), bittorrent is owned by UID=1000. When sharing in Samba, I would like to share as user 1000. Somehow, I cannot write

raw.idmap: |-
  both 33 1000
  both 1000 1000

because the container needs to do a reverse lookup. When writing a file as 1000 to a volume, it does not know whether that maps back to 33 or 1000 on the host.

The real problem here is that the ID map is at the container level, not at the mounted volume or folder level.
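To make the two points in the post above concrete (how the kernel translates an ID through /proc/PID/uid_map, and why the "both 33 1000 / both 1000 1000" map cannot exist), here is an added example that is not part of the original post or of Incus itself. It reimplements the kernel's ID-map lookup in plain Python on the exact uid_map the post shows (a constructed sample), then models the wanted Samba map as kernel extents and shows that its container-side ranges collide. The helper names (parse_id_map, ns_to_host, host_to_ns, id_map_is_valid) are this example's own, not Incus or kernel APIs.

```python
"""Translate IDs across a user-namespace map the way the kernel does.

Each /proc/<PID>/uid_map line is "<ns_start> <host_start> <count>":
container id ns_start+i maps to host id host_start+i for 0 <= i < count.
The kernel rejects a map whose extents overlap on either side, which is
why one container cannot send container UID 1000 to two host UIDs.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the uid_map printed in the post (raw.idmap "both 1000 33").
UID_MAP_SAMPLE = """\
         0    1000000         33
        33       1000          1
        34    1000034  999999966
"""


@dataclass(frozen=True)
class Extent:
    ns_start: int    # first id as seen inside the container
    host_start: int  # first host id it is backed by
    count: int       # number of consecutive ids in the extent


def parse_id_map(text: str) -> List[Extent]:
    """Parse the three-column uid_map/gid_map format from /proc."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed id_map line: {line!r}")
        extents.append(Extent(*(int(f) for f in fields)))
    return extents


def _overlap(a_start: int, a_count: int, b_start: int, b_count: int) -> bool:
    return a_start < b_start + b_count and b_start < a_start + a_count


def id_map_is_valid(extents: List[Extent]) -> bool:
    """Mirror the kernel's rule: no two extents may overlap on the
    container side or on the host side (a one-to-one mapping)."""
    for i, a in enumerate(extents):
        for b in extents[i + 1:]:
            if _overlap(a.ns_start, a.count, b.ns_start, b.count):
                return False
            if _overlap(a.host_start, a.count, b.host_start, b.count):
                return False
    return True


def ns_to_host(extents: List[Extent], ns_id: int) -> Optional[int]:
    """Forward lookup: the host id a file gets when the container chowns to ns_id.
    Returns None when ns_id is outside the map (the kernel uses the overflow id)."""
    for e in extents:
        if e.ns_start <= ns_id < e.ns_start + e.count:
            return e.host_start + (ns_id - e.ns_start)
    return None


def host_to_ns(extents: List[Extent], host_id: int) -> Optional[int]:
    """Reverse lookup: what the container sees for a host-owned file.
    None means the file shows up as nobody inside the container."""
    for e in extents:
        if e.host_start <= host_id < e.host_start + e.count:
            return e.ns_start + (host_id - e.host_start)
    return None


def wanted_samba_map() -> List[Extent]:
    """The map the post wishes it could write, expressed as kernel extents.
    raw.idmap "both <host> <container>": host 33 -> ns 1000 and host 1000 -> ns 1000.
    (Assumption: only the two custom extents are shown; the isolated base range
    Incus would add around them does not change the collision.)"""
    return [Extent(ns_start=1000, host_start=33, count=1),
            Extent(ns_start=1000, host_start=1000, count=1)]


if __name__ == "__main__":
    m = parse_id_map(UID_MAP_SAMPLE)
    print("valid:", id_map_is_valid(m))                 # True
    print("container 33 -> host", ns_to_host(m, 33))    # 1000
    print("host 1000 -> container", host_to_ns(m, 1000))  # 33
    print("host 33 -> container", host_to_ns(m, 33))    # None: shows as nobody
    print("wanted samba map valid:", id_map_is_valid(wanted_samba_map()))  # False
```

The last line is the point of the post's complaint: both wanted extents start at container UID 1000, so a write as UID 1000 would have no single host UID to land on, and the kernel refuses such a map outright. Checking `host_to_ns(..., 33)` against the post's map also shows why a volume that is not fully covered by the custom map ends up owned by nobody inside the container.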