Converting from lxd - had to add root:1000:1 to /etc/subuid - why?

I have a bunch of containers created under lxd (5.19 at the moment) and installed incus and ran the conversion-script. All seemed to go OK (thanks for all the hard work on it).

All the containers mount a directory from the host and use raw.idmap to map user 1000 on the host to 1000 in the container. This means lockfiles etc can be updated from both inside and outside the container.

The containers failed to start with an error newuidmap failed to write mapping "newuidmap: uid range [1000-1001) -> .... Unsetting the raw.idmap let the container start.

Searching led to similar issues mentioned by the proxmox crowd and after I added the custom entry for root to my /etc/subuid and /etc/subgid everything was fine.



I think I understand why I need the setting. When the container is started (by root) it needs to perform the mapping and can’t do so without having the target uid in its range.

But… what changed between the (snap installed) lxd setup I had and how Incus is starting containers? Did I miss something on my previous setup and just got lucky? Is there anything else I should look out for?

The LXD snap is completely insulated from the OS it’s running on and so does not look at, let along respect what’s configured in /etc/subuid and /etc/subgid.

As Incus ships as a proper native package, it does properly integrate with the distribution, including following its uid/gid restrictions.