Changing ownership inside a container

Hello, everyone.

I know this may be stupid, but I am having trouble setting the UID/GID on a website directory tree after the content has been updated within a container.

On the host, all files belong to www-data.www-data:

$ sudo ls -l /var/lib/lxd/storage-pools/zlxd/containers/webserver/rootfs/usr/share/nginx/example.com/html
total 2530
-r-xr-x--- 1 www-data www-data     276 Apr 30  2016 50x.html

In the container, they all belong to nobody.nogroup

$ ls -l html/
total 2530
-r-xr-x--- 1 nobody nogroup     276 Apr 30  2016 50x.html

User www-data (33) is present on both the host and the container.

Is there any way to set the right UID/GID inside the container so that all files belong to www-data?

$ sudo chown -R www-data.www-data example.com

in the container returns:

chown: changing ownership of 'example.com/': Operation not permitted

Hi!

The UID of www-data on the host is 33. The UID of www-data in the container is actually 165536+33 = 165569 but the container sees 33.

These are described in https://lxd.readthedocs.io/en/latest/userns-idmap/

Specifically, the UIDs in the container are shifted up by 165536, and this value is determined in /etc/subuid and /etc/subgid. It’s this line:

lxd:165536:65536

It says that the containers can only have IDs that are between 165536 and 165536+65536. I think that you get Permission denied in the container because the files have invalid IDs (according to the container).

Can you try from the host to run

sudo chown -R 165569:165569 example.com

then see in the container how they look.

Hello, Simos!

Indeed, this does the trick.

The UID/GID range on the host in my case was 100000-165535 (lxd:100000:65536), so I had to set the ownership on the directory to 100033, which was mapped to 33 in the container. This is helpful because I can write a script to update all the content of the website directly on the host without having to go back and forth between the host and the container (that is, logging in and out).

Last night, before seeing your answer, I was able to have the correct ownership in the container by creating a tar archive of the website (everything inside the archive owned by www-data.www-data) on the host, moving the archive into the container and extracting the files there. So, if the content of an archive has a specific ownership, it seems that that ownership is preserved during the extraction, but this process must take place inside the container. Extracting the files outside the container requires ownership remapping.

Thank you very much!

Bogdan
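The arithmetic from Simos's answer and Bogdan's follow-up (host ID = base from the lxd line in /etc/subuid + container ID, and only IDs inside that range are valid in the container) is small enough to put in a script, which is what Bogdan says he wants for updating the site from the host. The following is an added example written for this page, not code from either poster or from LXD. It assumes the subuid line is the one Bogdan quoted (lxd:100000:65536, embedded as a constructed sample), that the subgid line is identical, and that the website path is the one from the first post; the chown itself is left commented out so the script is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the thread): map container UIDs/GIDs to host
# IDs using the "lxd:<base>:<count>" line from /etc/subuid, and back.

# Constructed sample of the relevant /etc/subuid line (Bogdan's range).
# On a real host read it with:  grep '^lxd:' /etc/subuid
SAMPLE_SUBUID='lxd:100000:65536'

# shifted_id <subid-line> <container-id>
# Print the host ID for a container ID under the mapping; fail if the
# container ID is outside the mapping's range (base .. base+count-1).
shifted_id() {
    line=$1
    cid=$2
    base=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$cid" -lt 0 ] || [ "$cid" -ge "$count" ]; then
        echo "container id $cid is outside mapping $line" >&2
        return 1
    fi
    echo $((base + cid))
}

# container_view <subid-line> <host-id>
# The reverse: what the container sees for a host ID. IDs outside the
# mapped range have no container ID at all, which is why the files in
# the first post (host UID 33) show up as nobody/nogroup inside.
container_view() {
    line=$1
    hid=$2
    base=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$hid" -lt "$base" ] || [ "$hid" -ge $((base + count)) ]; then
        echo unmapped
        return 0
    fi
    echo $((hid - base))
}

# host_id_from_file <file> <user> <container-id>
# Same as shifted_id, but reads the mapping for <user> from a real
# subuid/subgid file (e.g. /etc/subuid lxd 33).
host_id_from_file() {
    file=$1
    user=$2
    cid=$3
    line=$(grep "^$user:" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo "no mapping for $user in $file" >&2
        return 1
    fi
    shifted_id "$line" "$cid"
}

# Worked example: www-data is UID/GID 33 inside the container.
host_uid=$(shifted_id "$SAMPLE_SUBUID" 33)   # 100033
host_gid=$(shifted_id "$SAMPLE_SUBUID" 33)   # 100033 (subgid line assumed identical)
echo "container www-data (33) -> host $host_uid:$host_gid"
echo "host UID 33 is seen in the container as: $(container_view "$SAMPLE_SUBUID" 33)"

# The command to run on the host for the path from the first post
# (assumed path; deliberately not executed by this example):
# sudo chown -R "$host_uid:$host_gid" \
#   /var/lib/lxd/storage-pools/zlxd/containers/webserver/rootfs/usr/share/nginx/example.com
```

Before trusting the /etc/subuid line, check the mapping the running container actually has: inside the container, `cat /proc/self/uid_map` prints the kernel's user-namespace mapping as three columns (container start, host start, count), e.g. `0 100000 65536`, and `/proc/self/gid_map` does the same for groups. If those differ from the subuid/subgid line, use the values from the container's map.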