Changing ownership inside a container

Hello, everyone.

I know this maybe stupid, but I am having trouble setting the UID/GID on a website directory tree after the content has been updated within a container.

On the host, all files belong to www-data.www-data:

$ sudo ls -l /var/lib/lxd/storage-pools/zlxd/containers/webserver/rootfs/usr/share/nginx/
total 2530
-r-xr-x--- 1 www-data www-data     276 Apr 30  2016 50x.html

In the container, they all belong to nobody.nogroup

$ ls -l html/
total 2530
-r-xr-x--- 1 nobody nogroup     276 Apr 30  2016 50x.html

User www-data (33) is present on both the host and the container.

Is there any way to set the right UID/GID inside the container so that all files belong to www-data?

$ sudo chown -R www-data.www-data

in the container returns:

chown: changing ownership of '': Operation not permitted


The UID of www-data on the host is 33. The UID of www-data in the container is actually 165536+33 = 165569 but the container sees 33.

These are described in

Specifically, the UIDs in the container as shifted up by 165536, and this value is determined in /etc/subuid and /etc/subgid. It’s this line:


It says that the containers can only have IDs that are between 165536 and 165536+65536. I think that you get Permission denied in the container because the files have invalid IDs (according to the container container).

Can you try from the host to run

sudo chown -R 165569:165569

then see in the container how they look.

Hello, Simos!

Indeed, this does the trick.

The U|GID range on the host in my case was 100000-165535 (lxd:100000:65536), so I had to set the ownership on the directory to 100033, which was mapped to 33 in the container. This is helpful because I can write a script to update all the content of the website directly on the host without having to go back and forth between the host and the container (that is logging in and out).

Last night, before seeing your answer, I was able to have the correct ownership in the container by creating a tar archive of the website (everything inside the archive owned by www-data.www-data) on the host, moving the archive in the container and extracting the files there. So, if the content of an archive has a specific ownership, is seems that that ownership is preserved during the extraction, but this process must take place inside the container. Extracting the files outside the container require ownership remapping.

Thank you very much!