I have a host user craig with a uid/gid of 1001.
I have container stretch-cc with a user cc having uid/gid of 1000.
I try setting the raw.idmap using either of these methods:
printf "uid $(id -u) 1000\ngid $(id -g) 1000" | lxc config set test raw.idmap -
echo "both 1001 1000" | lxc config set stretch-cc raw.idmap -
In both cases the container errors on restart:
conf - conf.c:lxc_map_ids:2999 - newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> [1001-1002) not allowed": newuidmap 13712 0 231072 1000 1000 1001 1 1001 232073 64535
Configuration is:
$ lxc config show stretch-cc
architecture: x86_64
config:
  image.architecture: amd64
  image.description: Debian stretch amd64 (20190317_05:24)
  image.os: Debian
  image.release: stretch
  image.serial: "20190317_05:24"
  raw.idmap: |
    both 1001 1000
  volatile.base_image: 137c391ed7e0d39a3912a6ae45d545f60d8156dcf601a427030f40421cc81129
  volatile.eth0.hwaddr: 00:16:3e:9b:d5:68
  volatile.idmap.base: "0"
  volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":231072,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1000,"Maprange":1},{"Isuid":true,"Isgid":false,"Hostid":232073,"Nsid":1001,"Maprange":64535},{"Isuid":false,"Isgid":true,"Hostid":231072,"Nsid":0,"Maprange":1000},{"Isuid":true,"Isgid":true,"Hostid":1001,"Nsid":1000,"Maprange":1},{"Isuid":false,"Isgid":true,"Hostid":232073,"Nsid":1001,"Maprange":64535}]'
  volatile.last_state.idmap: '[{"Isuid":true,"Isgid":false,"Hostid":231072,"Nsid":0,"Maprange":65536},{"Isuid":false,"Isgid":true,"Hostid":231072,"Nsid":0,"Maprange":65536}]'
volatile.last_state.power: RUNNING
devices: {}
ephemeral: false
profiles:
- default
- stretch-cc-profile
stateful: false
description: ""
$ lxc profile show stretch-cc-profile
config: {}
description: map user cc home dir to host /home/craig/lxc-dirs/stretch-cc
devices:
  home:
    path: /home/cc
    source: /home/craig/lxc-dirs/stretch-cc
    type: disk
name: stretch-cc-profile
used_by:
- /1.0/containers/stretch-cc
On host:
$ grep 1001 /etc/passwd
craig:x:1001:1001:Craig,0,1,2,3:/home/craig:/bin/bash
$ cat /etc/subuid
crub18:100000:65536
craig:165536:65536
lxd:231072:65536
root:231072:65536
subgid: same
On container:
$ lxc exec stretch-cc -- grep 1000 /etc/passwd
cc:x:1000:1000::/home/cc:/bin/bash
$ lxc exec stretch-cc -- cat /etc/subuid
cc:100000:65536
subgid: same
The LXD documentation says:
"The raw keys allow direct interaction with the backend features that LXD itself uses, setting those may very well break LXD in non-obvious ways and should whenever possible be avoided."
This seems to be an instruction that raw.idmap should NOT be used.
But it contradicts the LXD documentation on id mapping.
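
Added example (not part of the original post, and not LXD or shadow code): a Python sketch of the range check that newuidmap applies against /etc/subuid, run on the subuid file and the newuidmap arguments quoted above. It assumes the mapping is requested as root and simplifies the check to "each request must fit inside one delegated range"; the function names are hypothetical.

```python
# Added example: replays newuidmap's /etc/subuid check on the values from the post.
SUBUID = """\
crub18:100000:65536
craig:165536:65536
lxd:231072:65536
root:231072:65536
"""  # host /etc/subuid exactly as posted

# Arguments from the logged newuidmap command line, after the PID (13712).
NEWUIDMAP_ARGS = "0 231072 1000 1000 1001 1 1001 232073 64535"


def delegated_ranges(subuid_text, owner):
    """Return half-open (start, end) host ID ranges that subuid grants to owner."""
    ranges = []
    for line in subuid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == owner:
            ranges.append((int(start), int(start) + int(count)))
    return ranges


def parse_triples(args):
    """Split newuidmap arguments into (inside_id, host_id, count) triples."""
    nums = [int(x) for x in args.split()]
    if len(nums) % 3:
        raise ValueError("arguments must come in groups of three")
    return [tuple(nums[i:i + 3]) for i in range(0, len(nums), 3)]


def rejected(triples, ranges):
    """Return triples whose host range is not wholly inside a delegated range."""
    bad = []
    for inside, host, count in triples:
        # Simplification: the request must fit inside a single delegated range.
        if not any(lo <= host and host + count <= hi for lo, hi in ranges):
            bad.append((inside, host, count))
    return bad


if __name__ == "__main__":
    root_ranges = delegated_ranges(SUBUID, "root")  # assumption: caller is root
    for inside, host, count in rejected(parse_triples(NEWUIDMAP_ARGS), root_ranges):
        print(f"uid range [{inside}-{inside + count}) -> "
              f"[{host}-{host + count}) not allowed")
```

On the posted values only the [1000-1001) -> [1001-1002) triple is rejected, matching the logged error; with a subuid line that delegates host ID 1001 to root appended to the sample, the rejected list is empty.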